Eurail B.V. confirmed that attackers breached its network on 26 December 2025 and stole passport numbers and personal data belonging to 308,777 travellers. The Dutch company, which operates Europe’s rail pass system, disclosed the incident three months later, after discovering that the stolen data was being sold on the dark web and that sample datasets had appeared on Telegram.
The stolen data includes names, passport numbers with expiry dates, email addresses, phone numbers and travel companion information. For participants in the European Commission’s DiscoverEU programme, which offers free rail passes to young Europeans, the exposure is worse. The European Commission confirmed that DiscoverEU participants may have lost passport photocopies, bank account IBANs and health information because that programme requires deeper data collection than standard bookings.
Eurail operates Europe’s largest rail network integration, selling passes that cover 33 national railways across more than 30 countries. It processes millions of bookings annually and stores customer data across AWS S3, Zendesk and GitLab systems, all of which were compromised in this attack. It is reported that the attackers claimed to have exfiltrated 1.3 terabytes of data.
The Timeline Shows a Three-Month Delay
Eurail’s response timeline raises questions about detection capabilities. The company says files were transferred on 26 December 2025, but it only completed its assessment of the compromised data on 25 February 2026. Customer notifications began a month later on 27 March 2026, nearly three months after the initial breach.
During February, threat actors posted sample data on Telegram and began advertising the full dataset on dark web marketplaces. The Record confirmed that hackers claimed the stolen archives included source code, database backups and Zendesk support tickets alongside the customer records. The European Commission was forced to issue its own warning to DiscoverEU participants after Eurail’s disclosure.
Eurail filed breach notifications with attorneys general in California, New Hampshire, Oregon and Vermont. The company has not disclosed whether a ransom demand was made or paid.
DiscoverEU Participants Face Deeper Exposure
The DiscoverEU programme, funded through Erasmus+, requires participants to submit passport photocopies, bank details and health information for accessibility assessments. Standard Eurail customers had only names and passport numbers stolen, but DiscoverEU participants lost the full range of identity documents that enables sophisticated fraud.
The European Commission published detailed guidance for affected DiscoverEU users, warning that “criminals may attempt to misuse your data, for example for identity theft or to impersonate you or access other accounts.” The Commission has notified the European Data Protection Supervisor and is providing direct support to affected participants through a dedicated email address.
This segmented exposure pattern is unusual; most breaches affect all customers equally. Shieldworkz analysis suggests the attackers specifically targeted the DiscoverEU data repository because it contained higher-value identity documents than standard bookings.
What Eurail Customers Need to Do
Change your Rail Planner app password immediately. If you used the same password on other accounts, change those as well. The combination of passport numbers and contact details makes targeted phishing attempts highly credible, so scrutinise any email or call claiming to be from Eurail or transport authorities over the next year.
Monitor bank and credit card statements for unusual activity. DiscoverEU participants should consider placing fraud alerts with credit reference agencies given the exposure of bank account details and passport photocopies. The data stolen is sufficient for identity theft and fraudulent account opening attempts.
Anyone who suspects fraudulent use of their data should report it to their national data protection authority and local law enforcement. Eurail has established a customer support centre for affected travellers, though the company’s three-month delay in notification suggests its incident response procedures need review.
References
- Eurail says December data breach impacts 300,000 individuals
- Passport numbers for more than 300,000 leaked during December Eurail data breach
- Data Security Incident affecting DiscoverEU travellers
- Traveler Information Stolen in Eurail Data Breach
- Eurail data breach impacted 308,777 people
April 10, 2026