Eurail Breach Exposes 300K Travelers' Data

Cyber Threat Intelligence is reporting that Eurail B.V., the European travel operator behind the popular Interrail and Eurail passes, suffered a significant data breach in December 2025. According to the source, attackers exfiltrated personal information belonging to over 300,000 individuals. The compromised data reportedly includes full names, passport details, ID numbers, bank account IBANs, health information, and contact details.

Cyber Threat Intelligence notes that Eurail disclosed the incident in February 2026, stating that the unauthorized actor transferred files from its network on December 26, 2025. A sample of the stolen data was allegedly posted on Telegram, with the threat actors attempting to monetize it on the dark web. Eurail’s breach notification letters, sent on March 27, confirmed that files containing names and passport numbers were transferred; according to a filing with the Oregon Attorney General’s office, 308,777 individuals were impacted. While Eurail claims it did not store financial details or passport photocopies on compromised systems, the European Commission has issued separate alerts regarding the potential risks of such exposed data.

What This Means For You

  • Organizations must rigorously audit their data storage practices, especially for sensitive PII like passport numbers and IBANs, to ensure that such data is not retained longer than necessary or is adequately protected, even if it is not considered 'primary' financial data.