Tags: incident, high, Data Breach, Data Exfiltration, Identity Theft

Apr 09, 2026 • Pierluigi Paganini

Eurail data breach impacted 308,777 people


Source: Security Affairs (Data Breach)
Category: incident
Severity: high

Executive Summary

Eurail B.V. confirmed a significant data breach occurring in December 2025, compromising the personal information of 308,777 travelers. Unauthorized actors accessed network segments and exfiltrated files containing names, passport numbers, contact details, and travel information. While payment card data was not stored, the exposure of passport details raises severe identity theft risks. Stolen data was subsequently offered for sale on the dark web, with samples published on Telegram. Eurail engaged third-party cybersecurity professionals and law enforcement to investigate and secure systems. Customers are urged to update passwords, monitor financial accounts, and remain vigilant against phishing attempts leveraging stolen data. The incident highlights risks associated with centralized travel data repositories and underscores the importance of robust access controls and continuous monitoring to prevent unauthorized data exfiltration and protect sensitive personally identifiable information (PII) from cybercriminal exploitation.

Summary

Hackers breached Eurail in Dec 2025, stole names and passport data, and exposed over 300,000 travelers’ personal information. Threat actors breached Eurail in December 2025 and stole names and passport numbers from its network. The company now notifies 308,777 people that attackers exposed their personal data, raising concerns about identity theft and misuse of sensitive […]

Published Analysis

Hackers breached Eurail in Dec 2025, stole names and passport data, and exposed over 300,000 travelers’ personal information.

Threat actors breached Eurail in December 2025 and stole names and passport numbers from its network. The company now notifies 308,777 people that attackers exposed their personal data, raising concerns about identity theft and misuse of sensitive travel information.

“We recently identified unusual activity within a segment of our network. We immediately implemented our incident response procedures, took steps to terminate the activity, and commenced an investigation with the support of third-party cybersecurity professionals. We also notified law enforcement and are supporting its investigation.” reads the data breach notification. “The evidence showed that an unauthorized actor transferred files from our network on December 26, 2025. We reviewed the files involved and, on February 25, 2026, determined that they contained some of your information.”

Eurail B.V. is a Netherlands-based company that manages and sells the Eurail Pass, allowing international travelers to explore Europe by train with a single ticket. Working with dozens of railway and ferry partners, it provides access to more than 250,000 kilometers of rail routes across over 30 European countries, simplifying cross-border rail travel.

In February, Eurail B.V. confirmed that the traveler data stolen in a breach earlier this year were being offered for sale on the dark web. The company disclosed the development as part of its ongoing response to the cybersecurity incident.

“Eurail B.V. has confirmed that certain customer data affected by the previously reported security incident has been offered for sale on the dark web and a sample data set has been published on Telegram.” reads the statement published by the company. “We are continuing to investigate the scope and impact.”

Eurail B.V. confirmed a security breach that led to unauthorized access to customer data, including participants in the European Commission’s DiscoverEU program. The company said it quickly secured its systems and launched an investigation with the help of external cybersecurity and legal experts. Early findings indicate the breach may involve order and reservation details, basic identity and contact data, travel companion information, and in some cases passport numbers and expiry dates.

“The personal data affected may include data that users have provided (where applicable): name, surname, date of birth or age, passport/ID information or photocopies, email address, postal address and country of residence, phone number, bank account reference (IBAN), data concerning health.” reads a company update published in January. The company pointed out it does not store payment card data or passport copies. The company notified authorities in compliance with the GDPR regulation.

Eurail B.V. said customers whose data may have been accessed or published will be informed directly when contact details are available. They urge vigilance against suspicious calls, emails, or messages requesting personal information and stress that Eurail will never request sensitive data unsolicited. Customers should update their Rail Planner app password, review related email, social media, or banking passwords, monitor accounts for unusual activity, and report any concerns to their bank.

In early March, Eurail said the hacker sold stolen data on the dark web and shared samples on Telegram. The company said it does not store payment data or passport scans and will notify affected...