Thermëa Spa In Whitby Experienced A Data Breach & Customers 'Don't Feel Safe Going Back'
It's not the first problem the spa has faced since it opened.
Thermëa Spa Village in Whitby, Ontario.
Thermëa Spa Village in Whitby, Ontario is once more facing backlash after a data breach led to the exposure of multiple guests' information.
The spa, which first opened on October 6, 2022, is in the midst of a lawsuit due to a staph outbreak in one of its pools last fall. Now, customers are coming forward with complaints about a data breach that occurred shortly after.
Groupe Nordik, the company that owns the spa, said in a statement to Narcity that they "became aware of suspicious activity on [their] gift certificate system in late February and immediately shut down the system to investigate with a best-in-class third-party cyber security firm."
Visitors affected by the breach are leaving Instagram comments and Google reviews expressing their frustrations with the situation.
"Got a bacterial infection from the spa... but I overlook[ed] that," reads one Google review by Laiba Mujeeb.
"This morning [I] just discovered my financial information, address, phone number and email was leaked [and] accessed by a scammer. The scammer made a business PayPal account using all the information I gave them and charged my card. All [the spa] suggested was to go to the authorities as they will not take accountability. Please avoid this place."
Others are noting that the spa acted "way too late" when it came to handling the leak.
Customer Sarah Leroux received a gift certificate for the Thermëa Spa as a Christmas present from her husband. She told Narcity that they began noticing unusual charges for Uber drives and Bell on their credit card right after the holidays.
"We cancelled the card right away and got a replacement and somehow, some way, they got the numbers of the replacement card and all the same charges were happening again on the replacement card," she said.
She explained that they had no idea how their card had been compromised until they received a message from the spa at the beginning of April explaining the breach.
"[It's] four months too late, and we've been stressing, you know, what future things could happen."
"If they only found out they had a data breach four months after there's something seriously wrong in their technology department, usually data breaches you see right away," Leroux said. "So I thought the way they handled that was pretty bad."
"They need to definitely reevaluate their technology. I don't feel safe going back there."
In their statement, the spa noted that "customers' data privacy and security are of the utmost importance, and we have reached out to all customers that may have been impacted."
"We have asked our customers to stay vigilant and report any suspicious activity to local authorities."
This interview has been condensed and edited for clarity.