Skip to content
Data breachContained

Leak at Eurail

In January 2026, Eurail B.V. — operator of the Interrail and Eurail rail-pass schemes — disclosed a data breach exposing personal and passport details of customers, with up to ~309,000 travellers reportedly affected and stolen data later offered for sale on the dark web.

Victim
Eurail

On 13 January 2026, Eurail B.V. — the Netherlands-based operator of the Interrail and Eurail rail-pass schemes used by travellers across Europe — began notifying customers of a data breach in which attackers gained unauthorised access to its systems and exfiltrated personal information. Eurail acknowledged the incident on 10 January and started sending notification emails on 13 January.

The company said it secured the affected systems, closed the exploited vulnerability, reset credentials, and brought in external cybersecurity specialists to monitor the situation; it did not publicly disclose the specific attack vector. The breach was reported to the Dutch data protection authority under the GDPR. Press reporting put the number of potentially affected people at roughly 309,000 travellers who had booked an Interrail or Eurail pass directly or via associated distributors, though Eurail itself did not confirm a figure.

Data reported as exposed includes:

  • Name, date of birth and gender
  • Email address, home/postal address and phone number
  • Passport or ID number, country of issue and expiry date
  • For DiscoverEU (Erasmus+) participants: bank account number (IBAN), passport/ID photocopies and some health-related data

Although Eurail initially said there was no evidence the data had been misused or published, it later confirmed that a set of the stolen data had been offered for sale on the dark web and a sample published on Telegram. Affected customers were advised to watch for phishing and scams, change passwords across all accounts, and — in some cases — consider replacing their passports.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-01-13-eurail-interrail
  2. theregister.comhttps://www.theregister.com/2026/01/14/eurail_breach/
  3. helpnetsecurity.comhttps://www.helpnetsecurity.com/2026/01/15/eurail-interrail-data-breach/
  4. securityweek.comhttps://www.securityweek.com/traveler-information-stolen-in-eurail-data-breach/

Related incidents

Data breachOngoing

Leak at Interrail

A December 2025 cyberattack on Eurail B.V., operator of the Interrail and Eurail rail passes, exposed personal data of roughly 308,000 travellers — including names, contact details, dates of birth and passport numbers — which by 2026 was being sold on the dark web.

Victim
Interrail
Records
308.8K
Data breachContained

Data leak at Mingat

On 19 March 2026, French vehicle-rental company Mingat confirmed a data leak affecting its customers, notifying them of a security incident that exposed personal information held in its rental records.

Victim
Mingat