Leak at Eurail
In January 2026, Eurail B.V. — operator of the Interrail and Eurail rail-pass schemes — disclosed a data breach exposing personal and passport details of customers, with up to ~309,000 travellers reportedly affected and stolen data later offered for sale on the dark web.
- Victim
- Eurail
On 13 January 2026, Eurail B.V. — the Netherlands-based operator of the Interrail and Eurail rail-pass schemes used by travellers across Europe — began notifying customers of a data breach in which attackers gained unauthorised access to its systems and exfiltrated personal information. Eurail acknowledged the incident on 10 January and started sending notification emails on 13 January.
The company said it secured the affected systems, closed the exploited vulnerability, reset credentials, and brought in external cybersecurity specialists to monitor the situation; it did not publicly disclose the specific attack vector. The breach was reported to the Dutch data protection authority under the GDPR. Press reporting put the number of potentially affected people at roughly 309,000 travellers who had booked an Interrail or Eurail pass directly or via associated distributors, though Eurail itself did not confirm a figure.
Data reported as exposed includes:
- Name, date of birth and gender
- Email address, home/postal address and phone number
- Passport or ID number, country of issue and expiry date
- For DiscoverEU (Erasmus+) participants: bank account number (IBAN), passport/ID photocopies and some health-related data
Although Eurail initially said there was no evidence the data had been misused or published, it later confirmed that a set of the stolen data had been offered for sale on the dark web and a sample published on Telegram. Affected customers were advised to watch for phishing and scams, change passwords across all accounts, and — in some cases — consider replacing their passports.
Sources
- fuitesinfos.frhttps://fuitesinfos.fr/article/2026-01-13-eurail-interrail
- theregister.comhttps://www.theregister.com/2026/01/14/eurail_breach/
- helpnetsecurity.comhttps://www.helpnetsecurity.com/2026/01/15/eurail-interrail-data-breach/
- securityweek.comhttps://www.securityweek.com/traveler-information-stolen-in-eurail-data-breach/