Eurail Data Breach Exposes Passports and Bank Details of International Travelers

Eurail B.V., the operator of the Interrail pass, reports a data breach that exposed sensitive passenger information. The company, headquartered in Utrecht, Netherlands, detected the unauthorized access on January 10, 2026. 

Attackers broke into the company's IT systems and accessed databases containing personal and travel records, exposing customers who purchased passes directly and participants in the European Commission's DiscoverEU program.

Eurail does not typically store copies of passports images for direct buyers, but the DiscoverEU initiative, funded by Erasmus+, required more extensive documentation which may have been part of the breached data. The compromised data includes:

• First and last names
• Dates of birth and genders
• Email addresses, home addresses, and telephone numbers
• Passport numbers, issuing countries, and expiration dates
• Photocopies of identity documents (DiscoverEU participants)
• Bank account reference numbers and IBANs (DiscoverEU participants)
• Health-related data (DiscoverEU participants)

The number of affected individuals is not disclosed.

The European Commission issued a formal notice regarding the incident, warning that the scope of stolen data for these young travelers is broader than for standard customers. 

Technical analysis indicates that the attackers exploited a vulnerability within Eurail's infrastructure. The company stated it has since "closed the vulnerability" and reset internal credentials to prevent further access.

Eurail reported the incident to the Dutch Data Protection Authority in compliance with GDPR. The company advised all users to change their passwords, especially if they reuse them across other platforms. While there is currently no evidence of data misuse, the potential for phishing, spoofing, and identity theft remains high. The total number of affected individuals and the financial impact of the breach have not been disclosed.

Update - as of 16th of February 2026, Eurail B.V., confirmed that data stolen in the breach is being offered for sale on the dark web. The company said that a threat actor also published a sample of the data on the Telegram messaging platform. The company is still trying to determine the type of records and number of customers affected. 

As of 6th of April 2026, Eurail B.V. reports a data breach from December 2024 affecting nearly 309,000 individuals, in which hackers accessed and copied personal data from the company's systems. The stolen data has since been offered for sale on the dark web and partially published on Telegram.