Europe’s iconic rail pass is facing a different kind of journey after hackers threatened to auction off what they claim is 1.3TB of passenger data.
After Eurail released a notice about a data breach, threat actors have been circulating threats to publish stolen passengers’ data online. In a recent post on a well-known cybercrime forum, the threat actor claimed to have 1.3TB of the company’s data.
According to the claims, the data comes from Eurail’s AWS S3, Zendesk, and GitLab. The attackers have also claimed to have personally identifiable information (PII) of millions of Eurail’s customers.
Attackers say Eurail is not collaborating
“The company has stopped negotiations, so we will make it public,” the attackers threatened, directing anyone interested to their Telegram channel.
However, on the channel, the attackers are trying to sell the stolen dataset to the biggest bidder. If the one doesn’t come forward, they once again claim that the data will be publicly released.
The attackers claim that the total number of lines of raw data in the stolen dataset is 100 million. To back up their claims, they uploaded several data samples to their Telegram channel, which our Cybernews research team has investigated.
The samples contained an alleged inventory of files in the threat actors’ possession, including their data columns and 50 entries from each of five listed files. Portions of the data appear to be around five years old, while other records date to late 2025.
Samples from the files include:
- Full names
- ID document numbers
- Addresses
- Contact information
- Dates and places of birth
- Purchased Eurail/InterRail pass details
“We cannot be sure about the size of the full dataset, since these samples are a pretty small number-wise. Impact for the affected people is a pretty serious risk of identity theft, fraud, and social engineering attacks,” Cybernews researchers explained.
Eurail admitted a “data security incident”’
In the notice initially released in January, Eurail claims that a “data security incident” within its Interrail systems resulted in unauthorized access to customer data.
“Our early review suggests that the data accessed may include customer order and reservation information, including basic identity and contact details, as well as, where applicable, information relating to travel companions,” the company wrote.
They also admitted that in some cases, passport information might have been stolen. Such information includes the passport number, country of issuance, or expiry date, which is used by ticket inspectors to confirm the Pass holder's identity.
On February 13th, the company released an update acknowledging recent threats from attackers.
“Eurail B.V. has confirmed that certain customer data affected by the previously reported security incident has been offered for sale on the dark web, and a sample data set has been published on Telegram. We are continuing to investigate the scope and impact,” the update reads.
According to Eurail, there’s currently no evidence that the data has been misused or publicly disclosed. The number of affected customers remains unclear at this time.
Eurail advises victims to change the passwords for their email, social media, and banking accounts. The company also recommends staying vigilant for phishing attempts and closely monitoring any unusual transactions in their bank account.
Eurail B.V. is a Netherlands-based company that manages and sells the Eurail Pass, enabling international travelers to explore Europe by train with a single ticket.
Working with dozens of railway and ferry partners, the company provides access to more than 250,000 kilometers of rail routes across over 33 European countries. In 2024, the company reported record growth, surpassing 1.2 million Eurail and Interrail Passes sold worldwide.
Eurail customers outraged
After information about the breach came to light, anger and skepticism quickly surfaced on Reddit, where Eurail customers pressed the company for accountability.
“They should give me a free pass next time as compensation,” one user wrote.
So, where is the compensation?” another asked.
Some demanded greater transparency about the scope of the exposure.
“I'd like to know who accessed my data, at least which country or region, and demand some form of compensation,” a Redditor wrote, calling for clarity and pressing for more detailed disclosure.
For some, the concern was deeply personal.
“I'm obviously very concerned now because, like others here, ALL my key data has been stolen in one go, with the passport details being the biggest worry. I'm wondering whether we should cancel our passports and order replacements,” one user said, highlighting fears over identity misuse.
Others criticized what they described as limited guidance.
“What are we supposed to do now? They did not provide any guidance besides ‘watch out for phishing emails!’ Seriously? This is incredibly concerning.”
The incident also prompted broader reflections on data hygiene.
“It's a sad reminder to delete personal data via GDPR requests after using such services,” another Redditor noted.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked