Eurail Breach Accelerates as Passport Data and IBANs of Millions Surface on Dark Web for Sale
A January announcement regarding unauthorized access to Eurail’s database has escalated into a significant identity theft crisis. Attackers have reportedly listed sensitive records of millions of European rail travelers on criminal marketplaces, raising alarms about the potential misuse of this data.
On February 13, Eurail B.V. confirmed that customer data compromised in a previous security breach is now available for purchase on the dark web, with sample datasets also shared on Telegram. This development transforms what was initially a data breach notification into an urgent identity theft situation for potentially millions of travelers across Europe.
Who Were Impacted in the Eurail Breach
The breach affects all customers who have been issued a Eurail pass, as well as those who made seat reservations through the company. This includes individuals who purchased Eurail or Interrail passes via partner channels or distributors. While Eurail has not disclosed the total number of affected individuals, the company operates across 250,000 kilometers of European railways, serving millions of travelers annually.
The compromised data encompasses full names, passport details, ID numbers, bank account IBANs, health information, and contact details such as email addresses and phone numbers. The combination of passport numbers, IBANs, and health data creates fertile ground for sophisticated identity fraud that can persist for years after the initial exposure.
Customers who acquired travel passes directly from Eurail or Interrail did not have visual copies of their passports stored on the company’s systems. However, this is not the case for those who received passes through the DiscoverEU program, an Erasmus-funded initiative designed to encourage travel across the EU by rail.
The European Commission has confirmed that DiscoverEU travelers may also have had photocopies of their IDs, bank account reference numbers, and health data compromised. The Commission has notified the European Data Protection Supervisor about the breach, adhering to its obligations under applicable data protection laws.
Initial Analysis Overturned
Eurail initially disclosed the breach on January 10, acknowledging that attackers had gained unauthorized access to its customer database. At that time, the company stated it had no evidence that customer data had been misused or publicly disclosed. However, this position changed dramatically with the February 13 update, which confirmed activity related to the sale of data on the dark web.
External cybersecurity specialists engaged by Eurail are actively monitoring dark web forums to track the distribution and potential sale of the compromised data. The company has not disclosed whether it received any ransom demands or extortion attempts related to the breach.
“Can’t Treat Notification as a Compliance Exercise”
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, emphasized that once personal data is exposed, the risk shifts from a mere IT incident to ongoing fraud and impersonation. He stated, “Organizations can’t treat notification as a compliance exercise—they need to be clear, specific, and timely so people can take meaningful protective steps.”
Eurail has reported the incident to the relevant data protection authority in compliance with EU GDPR requirements and is also notifying other data protection authorities outside the EU as necessary. The company may face regulatory scrutiny regarding how long it retained sensitive documents, including passport copies and health data.
Eurail has advised customers to update their Rail Planner app account passwords and reset them on any other platforms where they use the same credentials. Customers are encouraged to closely monitor their bank account activity and report any suspicious transactions to their banks immediately.
Criminals may attempt to exploit the stolen data through unexpected or suspicious phone calls, emails, or text messages requesting personal information. Eurail warns customers to never share information with anyone who contacts them unsolicited or claims to represent the company.
Given the sensitivity of exposed passport numbers, IBAN details, and health records, affected travelers face risks beyond typical phishing attempts. Passport data can facilitate identity document fraud, while IBANs enable direct financial targeting. Customers involved in the DiscoverEU program are particularly vulnerable due to the extensive range of data categories potentially compromised.
Affected customers can reach out to Eurail’s privacy team for further guidance on the breach’s impact on their specific accounts.
For further details, refer to the reporting from thecyberexpress.com.


