Eurail Reports December Data Breach Affecting 300,000 Travelers

EURAIL DATA BREACH IMPACTS 300,000 INDIVIDUALS

1. Overview

• Eurail B.V., a Netherlands-based operator offering Interrail and Eurail passes across 33 national railways, disclosed a December 2025 data breach that affected more than 300,000 individuals.
• The breach exposed a range of personal information belonging to travelers, prompting warnings about possible phishing and identity-related threats.

1. Timeline of Key Events

• December 26, 2025: Unauthorized actor transfers files from Eurail’s network, marking the initial breach event.
• February 25, 2026: Eurail verifies that the compromised files contained some customer information.
• March 27, 2026: Eurail issues breach notification letters to affected individuals, detailing the data involved.
• February 2026 (reported disclosure): Eurail publicly disclosed that attackers gained access to sensitive traveler information after breaching its customer database.
• March 2026 (filing with Oregon’s Attorney General): Eurail confirms the breach impacted 308,777 individuals through an official filing.

1. What Data Was Involved

• Personal identifiers: full names and passport numbers.
• Identification details: ID numbers.
• Financial data: bank account IBANs (where present on affected systems).
• Health information: health data potentially exposed.
• Contact information: email addresses and phone numbers.
• Note: Eurail stated that it did not store financial information or passport copies on the compromised systems; the European Commission later warned that some data (including health information) may have been exposed for DiscoverEU program participants.

1. DiscoverEU and Public Security Warnings

• The data breach raised concerns for DiscoverEU participants who obtained passes through the EU program, with the Commission warning that some personal data, including health information, could have been exposed.
• The Commission’s alert emphasized vigilance against potential scams and phishing tied to the compromised information.

1. Eurail’s Customer Guidance and Security Steps

• Recipients of the breach notification were advised to remain vigilant against phishing and scams.
• Customers were urged to update Rail Planner app passwords and reset passwords on any other platforms where those credentials may have been reused.
• Affected individuals were encouraged to monitor bank account activity and report any suspicious transactions to their bank promptly.

1. Filing and Public Records

• An official breach filing with Oregon’s Attorney General’s office documented the extent of the incident, confirming 308,777 affected individuals.
• The Oregon filing is part of ongoing regulatory and consumer notification obligations following the breach discovery and assessment.

1. Context and Related Security Breaches

• The Eurail incident occurred in a period of heightened awareness around data protection for European digital services.
• Earlier in 2026, authorities confirmed a separate data breach affecting Europa.eu, claimed by a different threat actor, underscoring the broader security challenges facing European online platforms.
• Additional breaches in the region have involved government ministries and other public-facing portals, illustrating a landscape where personal data can be exposed across multiple sectors.

1. Data Security Implications

• The case underscores the split between what is stored on compromised systems (Eurail indicated no stored financial information or passport copies on the breached systems) versus what can be inferred or exposed (passport numbers and other identifiers).
• It highlights how health data, even if not directly stored, may still be at risk due to broader data exposure and cross-system data sharing practices.
• The incident reinforces the importance of robust third-party and internal access controls, timely breach detection, and comprehensive customer notification practices.

1. Impact on Affected Individuals

• More than 300,000 travelers potentially saw their personal information exposed in the December 2025 breach.
• The combination of identity data, contact details, and health information creates a potential for targeted phishing, identity theft, and misrepresentation risks.
• Regulatory filings and notices reflect the seriousness of the exposure and the ongoing need for affected individuals to stay alert for unauthorized activity.

1. Key Takeaways

• Data breaches in travel and mobility platforms can involve a broad set of personal information, extending beyond financial data.
• Timely disclosure, clear communication about the types of data exposed, and concrete guidance for customers are critical components of incident response.
• Regulatory interactions (such as state attorney general filings) play a significant role in documenting the scope and ensuring accountability.

1. Related References

• Data breach notifications and official filings referenced in disclosure letters and regulatory records.
• DiscoverEU and Commission alerts regarding potential data exposure for program participants.
• Broader European security news highlighting contemporaneous incidents affecting other major digital services.

1. Appendix: Data Points and Affected Parties

• Estimated affected individuals: 308,777 (per Oregon AG filing).
• Data categories involved: names, passport numbers, ID numbers, IBANs, health information, emails, phone numbers.
• Known limitations: Eurail indicated that not all sensitive data (e.g., financial documents or passport copies) were stored on compromised systems; however, some data potentially tied to DiscoverEU recipients could have been exposed.