Eurail Confirms Stolen Traveler Data for 300,000 Now on Sale
What began as a security "anomaly" in late 2025 has escalated into a major privacy crisis, as hackers begin offloading sensitive passport and contact information belonging to Interrail and Eurail customers.
UTRECHT, NETHERLANDS — Eurail B.V., the organization behind the popular Interrail and Eurail passes, has confirmed that a significant database breach originally detected in late December has impacted at least 300,000 individuals. While the company initially moved to contain the incident in January, recent monitoring of cybercrime forums reveals that the stolen dataset is now being actively traded and auctioned on the dark web.
The breach involves a wide array of sensitive traveler information. While Eurail has maintained that financial data and passwords were not compromised, the exposed records include full names, email addresses, phone numbers, and — most critically — limited passport details and health-related travel requirements for some users. The unauthorized access was gained through an administrative portal, a vector that has become a recurring theme in major 2026 breaches.
| Who is affected | |
|---|---|
| DiscoverEU Participants | Young travelers using EU-funded passes are a primary demographic in the exposed database. |
| International Tourists | Non-EU residents using Eurail passes have had travel identity details leaked globally. |
| Data Protection Authorities | EU regulators are investigating the delay between the December breach and the full disclosure of the data sale. |
| Privacy Advocacy Groups | The exposure of "health data" (travel assistance needs) raises the severity of the GDPR violation. |
The "Slow-Burn" Disclosure
The timeline of the Eurail breach serves as a cautionary tale for incident response teams. The unauthorized access was reportedly identified in December 2025, but the full scale of the 300,000-person impact only became clear weeks later as the stolen data began appearing on "BreachForums."
Hackers initially claimed to have access to millions of records, a figure Eurail has disputed, sticking to the 300,000 figure based on forensic evidence. However, the presence of these records on the dark web increases the risk of "Identity-as-a-Service" (IDaaS) fraud, where criminals use legitimate traveler details to create fraudulent accounts or bypass "Know Your Customer" (KYC) checks on other platforms.
The Health Data Complication
Perhaps the most sensitive aspect of this breach is the exposure of data related to "Special Assistance" requests. This often includes information about physical disabilities or health conditions that require railway staff intervention. Under GDPR, health data is classified as a "Special Category," carrying significantly higher penalties for inadequate protection. The leak of this data not only poses a privacy risk but also a potential safety risk for vulnerable travelers whose routines and physical requirements are now public knowledge.
The CyberSignal analysis
Signal 01 — The Resale Value of "Identity"
This breach proves that you don't need credit card numbers to make a profit on the dark web. High-quality traveler data — complete with passport snippets and contact info — is a "gold mine" for spearphishing and identity theft. For Eurail, the damage isn't just a fine; it’s a loss of trust from an international customer base that relies on them for cross-border transit.
Signal 02 — Administrative Portals as the "Back Door"
Initial reports suggest the breach occurred via a compromised administrative account. This reinforces the "Zero Trust" mandate: no single account, especially one with access to 300,000 records, should be accessible without hardware-based MFA and strict IP-whitelisting.
Signal 03 — The Long Tail of Data Exposure
The fact that this incident is back in the news months after it "happened" highlights the "Long Tail" of data breaches. A breach isn't over when the hole is patched; it's over when the data is no longer useful to criminals — which, in the case of passport info, can take years.
What to do this week
- Monitor for Identity Fraud. If you or your staff have used Eurail/Interrail in the last two years, be hyper-vigilant regarding unsolicited calls or emails that reference your travel history.
- Update Travel Documentation Policies. For corporate travel teams, consider rotating or "refreshing" internal travel records for employees who used these services recently to ensure old "special assistance" notes are removed from active systems.
- Audit "Special Category" Data Access. If your organization collects health or identity data, ensure it is encrypted at rest, that every access is logged, and that any bulk export triggers an alert.
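
As an illustration of the bulk-export alerting recommended above, combined with the administrative-portal allowlisting from Signal 02, here is an added example that is not taken from Eurail or from the reporting. The log format, category names, network range, window and threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed audit-log lines in a hypothetical format:
# timestamp account source_ip action record_count category
SAMPLE_LOG = """\
2026-01-05T09:00:00 support1 10.20.0.15 view 1 health
2026-01-05T09:04:00 support1 10.20.0.15 view 2 passport
2026-01-05T09:10:00 admin7 10.20.0.40 export 400 contact
2026-01-05T23:40:00 admin7 203.0.113.9 export 150 health
2026-01-05T23:44:00 admin7 203.0.113.9 export 200 passport
2026-01-05T23:49:00 admin7 203.0.113.9 export 250 health
"""

SPECIAL = {"health", "passport"}         # categories treated as sensitive (assumption)
ALLOWED = [ip_network("10.20.0.0/16")]   # admin portal allowlist (assumption)

def detect(log_text, window=timedelta(minutes=15), threshold=500):
    """Return alerts as (timestamp, account, rule, detail) tuples."""
    alerts = []
    recent = defaultdict(deque)  # account -> (time, record_count) pairs inside the window
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        ts, account, ip, _action, count, category = parts
        if category not in SPECIAL:
            continue  # only sensitive categories are counted
        when, count = datetime.fromisoformat(ts), int(count)
        # Rule 1: sensitive data touched from outside the admin allowlist.
        if not any(ip_address(ip) in net for net in ALLOWED):
            alerts.append((ts, account, "off-allowlist", ip))
        # Rule 2: per-account sliding-window total of sensitive records.
        q = recent[account]
        q.append((when, count))
        while q and when - q[0][0] > window:
            q.popleft()
        total = sum(c for _, c in q)
        if total >= threshold:
            alerts.append((ts, account, "bulk-access", total))
            q.clear()  # reset so one burst raises one alert
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Summing over a window rather than checking each request catches an export that is split into several smaller pulls, none of which would cross the threshold on its own.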
Sources
| Type | Source |
|---|---|
| Official | European Union (DiscoverEU FAQ) |
| Reporting | The Record |
| Technical | BleepingComputer |
| Analysis | CyberNews |
| Reporting | TechRadar |
| Industry News | RailTech |