Eurail confirms stolen customer data offered for sale on dark web following breach

Eurail B.V., a Netherlands-based rail pass operator that manages and sells Eurail and Interrail passes for travel across Europe, has confirmed that customer data stolen in a recent cyberattack is being offered for sale on the dark web. The company also disclosed that a sample of the compromised data has been published on the Telegram messaging platform as it continues to assess the scope and impact of the breach.

The incident stems from a previously disclosed intrusion in which threat actors gained unauthorized access to Eurail’s customer database. The breach exposed sensitive information, including full names, passport details, identification numbers, bank account IBANs, health information and contact details such as email addresses and phone numbers.

Eurail provides access to approximately 250,000 kilometers of European railways through its passes, which are widely used for multi-country travel. The company’s products are especially popular among young European travelers participating in the European Union’s DiscoverEU program.

In its latest update, Eurail stated that it has become aware that the stolen data is being marketed for sale on the dark web and that a sample dataset has been posted publicly on Telegram. The company is continuing its investigation to determine which specific records were compromised and how many customers are affected.

Eurail said it will issue individual notifications to impacted customers once the investigation clarifies the extent of the data exposure. Data protection authorities within the European Union have been notified in line with the General Data Protection Regulation requirements, and authorities outside the EU are expected to be informed as well.

The company urged customers to remain vigilant against potential phishing and scam attempts. It recommended that users update their Rail Planner app passwords and reset credentials on any other platforms where the same login information may have been used. Customers were also advised to closely monitor their bank account activity and report any suspicious transactions to their financial institutions immediately.

To assist affected individuals, Eurail has published a frequently asked questions page and is handling privacy-related inquiries via email at privacyhelp@eurail.com.