Eurail data breach impacted 308,777 people

Pierluigi Paganini April 09, 2026

Hackers breached Eurail in Dec 2025, stole names and passport data, and exposed over 300,000 travelers’ personal information.

Threat actors breached Eurail in December 2025 and stole names and passport numbers from its network. The company is now notifying 308,777 people that attackers exposed their personal data, raising concerns about identity theft and misuse of sensitive travel information.

“We recently identified unusual activity within a segment of our network. We immediately implemented our incident response procedures, took steps to terminate the activity, and commenced an investigation with the support of third-party cybersecurity professionals. We also notified law enforcement and are supporting its investigation,” reads the data breach notification. “The evidence showed that an unauthorized actor transferred files from our network on December 26, 2025. We reviewed the files involved and, on February 25, 2026, determined that they contained some of your information.”

Eurail B.V. is a Netherlands-based company that manages and sells the Eurail Pass, allowing international travelers to explore Europe by train with a single ticket. Working with dozens of railway and ferry partners, it provides access to more than 250,000 kilometers of rail routes across over 30 European countries, simplifying cross-border rail travel.

In February, Eurail B.V. confirmed that the traveler data stolen in a breach earlier this year were being offered for sale on the dark web. The company disclosed the development as part of its ongoing response to the cybersecurity incident.

“Eurail B.V. has confirmed that certain customer data affected by the previously reported security incident has been offered for sale on the dark web and a sample data set has been published on Telegram,” reads the statement published by the company. “We are continuing to investigate the scope and impact.”

Eurail B.V. confirmed a security breach that led to unauthorized access to customer data, including participants in the European Commission’s DiscoverEU program. The company said it quickly secured its systems and launched an investigation with the help of external cybersecurity and legal experts.

Early findings indicate the breach may involve order and reservation details, basic identity and contact data, travel companion information, and in some cases passport numbers and expiry dates.

“The personal data affected may include data that users have provided (where applicable):

  • name, surname, date of birth or age, passport/ID information or photocopies,
  • email address, postal address and country of residence, phone number,
  • bank account reference (IBAN),
  • data concerning health,” reads a company update published in January.

The company pointed out that it does not store payment card data or passport copies. It notified authorities in compliance with the GDPR.

Eurail B.V. said customers whose data may have been accessed or published will be informed directly when contact details are available. The company urges vigilance against suspicious calls, emails, or messages requesting personal information and stresses that Eurail will never request sensitive data unsolicited. Customers should update their Rail Planner app password, review related email, social media, or banking passwords, monitor accounts for unusual activity, and report any concerns to their bank.

In early March, Eurail said the hacker sold stolen data on the dark web and shared samples on Telegram. The company said it does not store payment data or passport scans and will notify affected customers where possible.


(SecurityAffairs – hacking, data breach)


