Skip to content
Data breachOngoing

Leak at Interrail

A December 2025 cyberattack on Eurail B.V., operator of the Interrail and Eurail rail passes, exposed personal data of roughly 308,000 travellers — including names, contact details, dates of birth and passport numbers — which by 2026 was being sold on the dark web.

Victim
Interrail
records
308.8K

On 3 May 2026, Interrail — the cross-border rail pass brand operated by the Utrecht-based Eurail B.V. — remained in the spotlight over a data breach affecting roughly 308,000 travellers. An unauthorised party had accessed part of the customer database during a cyberattack in December 2025; Eurail disclosed the incident publicly in January 2026, and by spring 2026 the stolen records were being offered for sale on the dark web.

The intrusion gave attackers access to personal data of people who had bought an Interrail or Eurail pass directly or through associated distributors. Eurail says it does not store images of passports, but the exposed fields are highly sensitive for identity-fraud purposes.

Exposed data categories included:

  • Full name (first and last name)
  • Email address
  • Postal address
  • Phone number
  • Date of birth and gender
  • Passport number, issuing country, issue date and expiry date
  • Travel companion details

Eurail confirmed that the exfiltrated database was put up for sale on the dark web and that a sample dataset was published on Telegram; everyone appearing in that sample was notified directly. The company says it secured its systems, added further safeguards and is investigating with external cybersecurity specialists. Affected travellers were urged to watch for phishing and suspicious account activity, and some passport-holders were even advised to consider replacing their passports. The investigation remains ongoing.

Sources

  1. bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/eurail-says-stolen-traveler-data-now-up-for-sale-on-dark-web/
  2. theregister.comhttps://www.theregister.com/2026/01/14/eurail_breach/
  3. next.inkhttps://next.ink/brief_article/interrail-fuite-de-donnees-personnelles-avec-numero-de-passeport-date-dexpiration/
  4. helpnetsecurity.comhttps://www.helpnetsecurity.com/2026/01/15/eurail-interrail-data-breach/

Related incidents

Data breachContained

Data leak at Mingat

On 19 March 2026, French vehicle-rental company Mingat confirmed a data leak affecting its customers, notifying them of a security incident that exposed personal information held in its rental records.

Victim
Mingat
Data breachContained

3,600 Gustave-Auto customers affected by a claimed data leak

Gustave-Auto, a French automotive services platform (vehicle convoyage, fleet management and repairs), disclosed in February 2026 that an access anomaly exposed partner data — names, postal and email addresses, phone numbers, IBAN/BIC banking details and SIRET/VAT numbers — with a tracker claim citing around 3,600 records.

Victim
Gustave-Auto
Records
3.6K