Eurail B.V. revealed that traveler data were stolen in a recent security breach, and are now being sold on the dark web.

Eurail B.V. confirmed that the traveler data stolen in a breach earlier this year is now being offered for sale on the dark web. The company disclosed the development as part of its ongoing response to the cybersecurity incident.

“Eurail B.V. has confirmed that certain customer data affected by the previously reported security incident has been offered for sale on the dark web and a sample data set has been published on Telegram,” reads the statement published by the company. “We are continuing to investigate the scope and impact.”

Eurail B.V. is a Netherlands-based company that manages and sells the Eurail Pass, allowing international travelers to explore Europe by train with a single ticket. Working with dozens of railway and ferry partners, it provides access to more than 250,000 kilometers of rail routes across over 30 European countries, simplifying cross-border rail travel.

Eurail B.V. confirmed a security breach that led to unauthorized access to customer data, including that of participants in the European Commission’s DiscoverEU program. The company said it quickly secured its systems and launched an investigation with the help of external cybersecurity and legal experts. Early findings indicate the breach may involve order and reservation details, basic identity and contact data, travel companion information, and in some cases passport numbers and expiry dates.

“The personal data affected may include data that you have provided (where applicable): name, surname, date of birth or age, passport/ID information or photocopies, email address, postal address and country of residence, phone number, bank account reference (IBAN), data concerning health,” reads a company update published in January.

The company pointed out it does not store payment card data or passport copies. The company notified authorities in compliance with the GDPR.

Eurail B.V. said customers whose data may have been accessed or published will be informed directly when contact details are available. The company urges vigilance against suspicious calls, emails, or messages requesting personal information and stresses that Eurail will never request sensitive data unsolicited. Customers should update their Rail Planner app password, review related email, social media, or banking passwords, monitor accounts for unusual activity, and report any concerns to their bank. Further guidance is available via Eurail’s customer support center.

Pierluigi Paganini (SecurityAffairs hacking, Eurail)
Published: 2026-02-17T08:54:18