Eurail says December breach exposed data of more than 300,000 travelers
5 min. read 
Published on
Eurail says a December 2025 data breach exposed customer data, and follow-up reporting now puts the impact at 308,777 individuals. The company has confirmed that attackers copied data from its customer database and that some of the stolen information later appeared in a sample posted on Telegram and was offered for sale on the dark web.
The breach matters because Eurail handles Interrail and Eurail passes used across Europe, including passes tied to the EU’s DiscoverEU program. That means the incident did not just affect regular rail travelers. It also touched young travelers who received passes through an EU-backed initiative.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
For affected customers, the immediate risk is not only spam or nuisance contact. Eurail and the European Commission both warn about phishing, spoofing, unauthorized access attempts, and identity theft, especially because passport or ID details may be involved.
What Eurail has confirmed so far
Eurail’s updated incident notice says an unauthorized party accessed customer data and that its investigation has concluded. The company says it is contacting affected customers directly where contact details are available and that it has reported the incident to data protection authorities under GDPR and to other authorities outside the EU where required by law.
The company also says it does not store bank or credit card information for customers who bought passes directly from Eurail, and it does not keep a visual copy of their passport. That point is important because some early reports grouped all potentially exposed data together, while Eurail’s own statement narrows what it says it stores for direct customers.
At the same time, the European Commission’s DiscoverEU notice says affected data for DiscoverEU travelers may include name, surname, date of birth or age, passport or ID details or photocopies, email address, postal address, phone number, IBAN, and health data. That suggests the scope may differ depending on how the traveler received the pass.
How many people were affected
Eurail’s public incident page does not list a total number of victims. However, multiple reports citing Eurail’s filing with the Oregon Attorney General say the breach affected 308,777 individuals. That figure appears to be the clearest public count available right now.
The company’s own timeline shows that it updated its public statement on March 9, 2026, after completing its investigation. Reporting on the notification process says affected individuals received letters dated March 27, 2026, several months after the December 26, 2025 data transfer identified by Eurail.
That gap raises obvious questions about disclosure timing, but Eurail’s official statement does not explain the delay in detail. It says only that the investigation had to conclude before the company could identify which customers’ personal data had been accessed and copied.
What travelers should do now
Eurail tells customers to update their Rail Planner app password and consider changing passwords tied to email, social media, and banking accounts. It also urges customers to watch for suspicious calls, emails, or text messages and to monitor bank accounts for unusual activity.
The European Commission gives similar advice to DiscoverEU travelers. It says they should stay alert for suspicious messages, avoid sharing personal information with new contacts linked to the program unless they can verify authenticity, and report unusual bank activity immediately.
Anyone affected should also treat passport and ID details as high-risk data. Unlike a password, you cannot quickly rotate a passport number, so phishing attempts that include accurate travel or identity details may look more convincing than usual. This last point is an inference based on the exposed data categories and the risks listed by Eurail and the Commission.
Breach details at a glance
| Item | What we know |
|---|---|
| Company | Eurail B.V., operator of Eurail and Interrail passes |
| Incident date | Unauthorized file transfer on December 26, 2025 |
| Public update | March 9, 2026 |
| Reported affected count | 308,777 individuals |
| Confirmed risks | Phishing, spoofing, unauthorized access, identity theft |
| Data possibly exposed | Names, passport/ID details, contact data, and for some DiscoverEU users possibly IBAN and health data |
Sources: Eurail incident statement, European Youth Portal, and reports citing state breach filings.
What stands out in this case
- Eurail says copied data was offered for sale on the dark web and a sample was posted on Telegram.
- The breach affected not only paying customers but also some DiscoverEU participants.
- Eurail says direct customers’ stored data did not include bank or credit card details or passport images.
- The European Commission says DiscoverEU-related records may have included more sensitive fields, including IBAN and health data.
FAQ
Yes. Eurail says it suffered a security breach that led to unauthorized access to customer data and that copied data was later offered for sale online.
Eurail’s public page does not state a number, but reporting based on a filing with the Oregon Attorney General says 308,777 individuals were affected.
That depends on the traveler group. Eurail says direct-customer data that was accessed and copied could include customer information from its database, while the European Commission says DiscoverEU-related data may include passport or ID information, contact data, IBAN, and health data.
Eurail says it does not store bank or credit card information for customers who bought their pass directly from Eurail, and it does not keep a visual copy of their passport.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages