Eurail Confirms Scope of December 2025 Cyberattack
Eurail B.V., a Netherlands-based travel operator that provides digital rail passes covering 33 national railways across Europe, has confirmed that a data breach originating in December 2025 compromised the personal information of more than 300,000 people. The company sells both Interrail and Eurail passes for multi-country train travel, and its services are also accessible to young Europeans through the European Union's DiscoverEU initiative.
In breach notification letters sent to affected individuals on March 27, 2026, the company stated:
"The evidence showed that an unauthorized actor transferred files from our network on December 26, 2025. We reviewed the files involved and, on February 25, 2026, determined that they contained some of your information. The information included your name and passport number."
What Data Was Exposed
When Eurail first publicly disclosed the incident in February 2026, the company revealed that attackers had breached its customer database and made off with a range of sensitive personal data. The compromised information reportedly included:
- Full names
- Passport details and ID numbers
- Bank account IBANs
- Health information
- Contact details, including email addresses and phone numbers
Despite the breadth of this disclosure, Eurail clarified that it did not store financial information or photocopies of passports on the systems that were compromised. However, the European Commission issued a separate warning noting that health information and other sensitive data may have been exposed specifically for young travelers who received a pass through the DiscoverEU program.
Scale Confirmed in Oregon Attorney General Filing
On the same day that Eurail sent notification letters to affected customers, the company filed a report with the Office of Oregon's Attorney General officially confirming that the breach affected 308,777 individuals. This figure establishes the full known scope of the incident.
Stolen Data Offered for Sale on Dark Web
Eurail also warned at the time of its initial February disclosure that the threat actors responsible for the breach had published a sample of the stolen data on Telegram and were actively attempting to sell the full dataset on the dark web. The identity of the attackers has not been publicly confirmed by Eurail.
Guidance for Affected Customers
Eurail has urged all customers whose data may have been exposed in the breach to take several precautionary steps to protect themselves from follow-on attacks and fraud. The company's recommendations include:
- Remaining vigilant against phishing attempts and social engineering scams that may use the stolen data
- Updating passwords for Rail Planner app accounts immediately
- Resetting those passwords on any other platform where the same credentials are in use
- Closely monitoring bank account activity for suspicious or unauthorized transactions
- Reporting any unusual financial activity to their bank as soon as possible
Broader Context: European Institutions Under Attack
The Eurail breach is part of a broader wave of cyberattacks targeting European organizations and institutions. Last month, the European Commission confirmed its own data breach after the Europa.eu web platform was compromised in a cyberattack claimed by the ShinyHunters extortion gang. The back-to-back incidents involving high-profile European entities underscore growing concerns about the cybersecurity posture of organizations handling large volumes of citizen and traveler data across the continent.
Eurail has not publicly disclosed the attack vector used by the threat actors to gain initial access to its network, nor has it indicated whether any individuals or groups have been identified in connection with the December 26, 2025, intrusion. Affected individuals are encouraged to monitor official communications from Eurail and take immediate action to secure their accounts and personal information.
Source: BleepingComputer