Hackers Breach Eurail’s Internal Network, Steal Customer Data

Eurail B.V., a ticket management company, reported a significant data security breach in which threat actors gained unauthorised access to its internal network and exfiltrated customer data.

 

Eurail B.V. manages and sells Eurail and Interrail passes, which provide flexible, multi-country train and ferry travel across Europe. The passes are designed for non-European residents (Eurail) and European residents (Interrail), offering access to an extensive transport network through a single ticket. Headquartered in Utrecht, the Netherlands, the company is owned by more than 35 European rail and ferry operators.

 

In a data security incident notice published on its website, Eurail said that it recently identified a data security incident where threat actors infiltrated its internal network and accessed customer data. The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

It also took steps to secure the affected systems and notified relevant law enforcement authorities about the incident.

 

While the investigation is still ongoing, early review suggests that the compromised data included customer order and reservation information, including basic identity and contact details, passport numbers, country of issuance or expiry dates.

 

“The ongoing investigation will need to provide more information about the precise categories of personal data which are involved and, where technically possible, to what extent personal data has also been copied from our customer database,” Eurail said.

 

In line with European Union GDPR obligations, the incident has been reported to the competent data protection authority. Eurail is currently in the process of notifying all other relevant data protection authorities outside the EU.

 

“There is currently no evidence that the data has been misused or publicly disclosed. This is consistently being monitored by external cybersecurity specialists.

 

“Customers whose data may have been accessed will be informed directly where contact details are available to us. We take the security of our customers’ information seriously and regret any concern this incident may cause,” Eurail added.