Eurail data breach impacted more than 308,000 U.S.-based travellers

Eurail B.V. informed U.S. regulators this week that a major data breach that occurred between December and January compromised the names and passport numbers of more than 308,000 U.S. individuals. 

 

Eurail B.V., a Netherlands-based rail pass operator that manages and sells Eurail and Interrail passes for travel across Europe, announced in January that it suffered a network security breach which gave third parties unauthorised access to its data. 

 

Though the unauthorised access was quickly terminated, an investigation into the incident revealed that threat actors had successfully exfiltrated customer order and reservation information, including basic identity and contact details, passport numbers, country of issuance or expiry dates. Eurail said at the time that it was in the process of identifying the total number of affected travellers.

 

The investigation also found that the threat actors had offered the stolen data for sale on the dark web and published a sample of the stolen data on Telegram as proof of their malicious activity. 

 

Earlier this week, the Utrecht-based company sent data breach notices to the offices of the Attorney Generals of Texas, California, Oregon, New Hampshire and Vermont, stating that the data breach incident, spanning between December 25 and January 8, compromised the personal information of 308,777 individuals in the United States. 

 

In its letters addressed to affected individuals residing in the U.S., Eurail said that it was able to determine on February 25 that the exfiltrated information contained their names and passport numbers. "We wanted to notify you of this incident and assure you that we take it seriously. To help prevent something similar in the future, we have taken steps to enhance our existing security measures," the company said.

 

Aside from U.S. residents, the data breach also impacted a large number of individuals who used the DiscoverEU programme to obtain free travel passes to explore Europe for a maximum of thirty days. In 2025, the European Commission released over 71,500 DiscoverEU travel passes across Spring and Autumn rounds, and more than 40,000 free travel passes have already been announced for 2026.

 

The European Union said in January that the Eurail data breach compromised a variety of personal information of individuals who used the DiscoverEU programme to obtain tickets. These included full names, dates of birth, passport information, email addresses, postal addresses, health data, bank account details and country of residence.