Eurail Confirms 308,000 Affected in December Data Breach

A data breach at European rail pass provider Eurail B.V. has compromised the personal information of 308,777 people worldwide. The Eurail data breach began on December 26, 2025, when an unauthorized actor accessed the company’s systems and transferred files containing sensitive customer data. The stolen records have since appeared for sale on the dark web, making this one of the more serious travel-sector breaches in recent memory.

Eurail B.V. is based in Utrecht, the Netherlands, and is jointly owned by more than 35 European railway and ferry companies. It sells Eurail and Interrail passes, which allow travelers to move freely across Europe’s rail network without buying individual tickets. Millions of people use these passes each year, which is exactly what makes the scale of this breach so alarming.

What Data Was Stolen

The exposed information covers a wide range of personal identifiers. Affected individuals may have had their names, dates of birth, passport or ID numbers, email addresses, postal addresses, phone numbers, and bank account references (IBANs) compromised. In some cases, health data was also taken.

Not all affected customers lost the same data. Standard Eurail and Interrail pass holders had text-based records stolen, including passport numbers and expiry dates. But participants in the DiscoverEU program faced a significantly worse exposure. DiscoverEU is an Erasmus+ initiative run by the European Commission, which invites young people to travel across the EU by rail. For these travelers, the breach extended to full passport photocopies and bank account numbers.

The combination of government-issued ID details, financial references, and health records creates serious long-term risk. This type of data can be used for identity fraud, targeted phishing, or financial theft, sometimes years after the initial breach.

How the Breach Unfolded

The attack occurred on December 26, 2025. Eurail detected unusual activity and launched an investigation with the help of external cybersecurity experts. The company confirmed the final scope of the breach on February 25, 2026, and began notifying affected individuals and U.S. state authorities on March 27, 2026.

Breach notices were filed with attorneys general in California, New Hampshire, Oregon, and Vermont. In the United States alone, 308,777 people were confirmed affected, including 242 residents of New Hampshire.

The situation escalated further in February. Eurail confirmed that the stolen data had been offered for sale on the dark web, with a sample dataset published on Telegram. A hacker later claimed responsibility, stating they had taken 1.3 terabytes of data, including database backups, source code, and Zendesk support tickets. The attacker also stated that negotiations with Eurail had broken down, and threatened to release all stolen data publicly if no buyer came forward.

DiscoverEU and the European Commission’s Response

The European Commission issued its own warning to DiscoverEU participants after being informed of the breach. The Commission notified the European Data Protection Supervisor, as required under EU law, and opened its own investigation into the incident.

Eurail communicated directly with affected DiscoverEU travelers on the Commission’s behalf. Both organizations urged participants to stay alert to suspicious contact, monitor their bank accounts, and report any unexpected activity. The Commission emphasized that the breach did not affect travel plans, and passes remain valid and fully operational.

What Eurail Has Done Since

Eurail responded by securing the affected systems and closing the vulnerability that allowed the breach. The company reset access credentials, improved its internal monitoring, and engaged third-party cybersecurity experts to assist with the ongoing forensic investigation. Law enforcement was also notified.

In the United States, Eurail set up a dedicated call center for affected individuals. It can be reached Monday through Friday from 8 a.m. to 8 p.m. Eastern time. Customers outside the U.S. can contact the company at its Utrecht headquarters or reach its privacy team directly.

Eurail also reported the incident to the Dutch data protection authority, as required under GDPR. Additional notifications were filed with data protection regulators in other relevant jurisdictions.

What Affected Travelers Should Do Now

Change Your Passwords

Start with the password linked to your Rail Planner app account. Then change passwords for any other account where you used the same credentials, particularly email, banking, and social media accounts.

Watch for Phishing Attempts

Criminals can use stolen data to craft convincing emails or phone calls that appear to come from Eurail, Interrail, or even the European Commission. Be suspicious of any unsolicited contact requesting personal information. Eurail will not ask for sensitive details via unexpected messages.

Monitor Your Financial Accounts

Check your bank statements regularly. If you spot any unfamiliar transactions, report them to your bank immediately. U.S. residents can request free annual credit reports from the three major credit bureaus and place a fraud alert if they suspect misuse.

Report Identity Theft

If you believe your personal data is being misused, report it to the relevant authority in your country. In the United States, that is the Federal Trade Commission at IdentityTheft.gov.

Final Thoughts

The Eurail data breach is a reminder of how much sensitive information travel companies hold, and how severe the consequences can be when that data falls into the wrong hands. Passport numbers, IBANs, and health records are not low-stakes details. For the hundreds of thousands of people affected, the risk of identity fraud could linger for years.

If you received a notification from Eurail or DiscoverEU, treat it seriously. Take the protective steps outlined above, remain skeptical of any unsolicited contact mentioning this breach, and keep monitoring your accounts in the weeks and months ahead.

Janet Andersen
