Over 300,000 travelers affected by Eurail data breach
Over 300,000 tourists have been affected by a data breach at European train travel company Eurail B.V. Some of the data is up for sale.
In January, Eurail announced that it had suffered a security incident across Interrail, Eurail, and the EU’s DiscoverEU program in December 2025.
An unknown threat actor managed to gain access to the company’s customer database and was able to exfiltrate personal information, including names, email addresses, phone numbers, home addresses, dates of birth, and in some cases, passport/ID copies, bank account numbers (IBANs), and health data.
Eurail launched an investigation to determine the scope of the incident and the potential impact on customers. The incident was also reported to the relevant data protection authorities and affected customers.
The number of victims who were impacted by the data breach remained unknown for a long time.
Recently, Eurail reported to the Oregon Department of Justice that the personal information of 308,777 travelers was exposed.
In an update regarding the security incident, Eurail disclosed that some of the stolen data was offered for sale on the dark web and had been published on Telegram.
“Preventing and mitigating any potential negative consequences for our customers is our highest priority. We encourage customers to remain vigilant for any suspicious or unexpected communications requesting personal information, including phone calls, emails, or text messages,” Eurail added to its update.
In addition, victims are advised to change passwords associated with their email addresses, social media accounts, and banking accounts. Furthermore, affected customers were told to be vigilant for phishing attempts and closely monitor any unusual transactions in their bank accounts. If any of their personal information appeared to be used maliciously, they should report this to the authorities.
Unlock more exclusive Cybernews content on YouTube.
