Eurail B.V. has confirmed that customer data compromised in a recent security breach has been offered for sale on the dark web, with a sample dataset also published on Telegram.
The Utrecht-based rail pass provider published an update on February 13, 2026, stating that it had identified unauthorized access to its systems that resulted in the exposure of customer data. Following the discovery, Eurail said it immediately moved to secure its infrastructure and launched a forensic investigation with the assistance of external cybersecurity specialists and legal advisors.
While the company has not publicly attributed the attack to a specific threat actor or disclosed technical details about the intrusion method, its investigation has confirmed that some of the accessed data was copied from its database.
Eurail B.V. manages the Eurail and Interrail Pass products, which allow travelers to use a single ticket for rail travel across multiple European countries. The company works with more than 30 railway and ferry companies and serves hundreds of thousands of international travelers annually, including participants in the European Commission’s DiscoverEU initiative, which offers young Europeans free travel passes.
According to Eurail’s preliminary findings, the compromised data may include customer order and reservation details, as well as basic identity and contact information. In cases where it was provided, the exposed records may also contain passport-related data, such as passport numbers, country of issuance, and expiry dates. This information is used to verify pass holder identities during ticket inspections.
The company emphasized that it does not store bank or credit card details for customers who purchase passes directly from Eurail B.V., nor does it retain visual copies of passports. However, it has not yet specified how many individuals are affected.
Eurail has reported the incident to the relevant data protection authority in accordance with the European Union’s General Data Protection Regulation (GDPR). The firm is also notifying other data protection authorities outside the EU where required. Customers whose data may have been accessed and published will be informed directly where contact information is available.
External cybersecurity specialists engaged by Eurail are monitoring dark web forums to track the distribution and potential sale of the data. The company has not disclosed whether it has received any ransom demands or extortion attempts related to the breach.
Given the sensitivity of passport numbers and contact information, affected individuals face potential risks including phishing attacks, identity fraud, and social engineering scams. Eurail is advising customers to remain vigilant against unsolicited communications requesting personal information via phone, email, or text, stressing that it will not request sensitive information through unsolicited contact.
As a precaution, customers are urged to update their Rail Planner app passwords and consider changing the passwords for their email, social media, and banking accounts, particularly if they reuse credentials. Monitoring bank accounts for unusual activity and promptly reporting suspicious transactions to financial institutions is also recommended.
Eurail says further details will be shared as the investigation progresses. In the meantime, customers can consult the company’s support center FAQs or contact its privacy team directly at privacyhelp@eurail.com.
Leave a Reply