Eurail Confirms Data Breach Affecting 300,000+ Travelers, Exposing Passports and Personal Information
Key Takeaways
- ▸Over 308,777 individuals had personal and sensitive information stolen, including passport numbers, ID details, and health information
- ▸The breach occurred on December 26, 2025, but was not disclosed until February 2026, with formal notifications sent to customers on March 27, 2026
- ▸Threat actors publicly advertised stolen data on Telegram and attempted to sell it on darknet markets
Summary
Eurail B.V., a Netherlands-based European travel operator providing digital passes across 33 national railways, has confirmed that a December 2025 data breach compromised the personal information of over 308,000 individuals. The attackers gained unauthorized access to the company's customer database on December 26, 2025, and exfiltrated sensitive data including full names, passport details, ID numbers, bank account IBANs, health information, and contact details. The breach was formally disclosed to affected individuals on March 27, 2026, more than three months after the initial incident.
The stolen data included information from travelers who purchased Interrail and Eurail passes, as well as young Europeans who received passes through the EU's DiscoverEU program. Threat actors reportedly published sample data on Telegram and attempted to sell the full dataset on the dark web. The European Commission separately warned that health information and other sensitive data may have been exposed for DiscoverEU program participants. Eurail advised affected customers to change passwords, monitor bank accounts for fraudulent activity, and remain vigilant against phishing attacks and scams.
- The breach impacts EU citizens and young travelers enrolled in the DiscoverEU program, heightening potential identity theft and fraud risks
