Eurail B.V., a European journey operator that gives digital passes protecting 33 nationwide railways, says attackers stole the private info of over 300,000 people in a December 2025 data breach.
Eurail is a Netherlands-based firm that sells Interrail and Eurail passes for multi-country practice journey throughout Europe, passes which can be additionally accessible to younger Europeans via the EU’s DiscoverEU program.
When it disclosed the incident in February, the corporate stated the attackers gained entry to vacationers’ delicate info, together with full names, passport particulars, ID numbers, checking account IBANs, well being info, and call particulars (e-mail addresses, telephone numbers), after breaching its buyer database.
Eurail additionally warned on the time that the risk actors had revealed a pattern of the stolen information on Telegram and had been trying to promote it on the darkish net.
“The proof confirmed that an unauthorized actor transferred recordsdata from our community on December 26, 2025,” the European practice journey firm stated in breach notification letters despatched to affected people on March 27.
“We reviewed the recordsdata concerned and, on February 25, 2026, decided that they contained a few of your info. The knowledge included your identify and passport quantity.”
The identical day, Eurail revealed in a submitting with the Workplace of Oregon’s Lawyer Basic that the ensuing data breach impacted 308,777 people.
Whereas Eurail stated that it did not retailer monetary info or passport photocopies on the compromised techniques, the European Fee warned in a separate alert that this sort of information (in addition to well being info) might have been uncovered for younger vacationers who acquired a Cross via the DiscoverEU program.
Eurail instructed clients whose info was uncovered within the breach to stay vigilant in opposition to potential phishing assaults and scams, and suggested them to replace their Rail Planner app account passwords and reset them on every other platform the place they’re additionally used.
The corporate added that clients ought to monitor their checking account exercise and report any suspicious transactions to their financial institution as quickly as attainable.
Final month, the European Fee additionally confirmed a data breach after the Europa.eu net platform was hacked in a cyberattack claimed by the ShinyHunters extortion gang.
Automated pentesting proves the trail exists. BAS proves whether or not your controls cease it. Most groups run one with out the opposite.
This whitepaper maps six validation surfaces, exhibits the place protection ends, and offers practitioners with three diagnostic questions for any device analysis.
