Eurail B.V. Data Breach: Over 300,000 Users’ Information Stolen

Eurail B.V., a Netherlands-based travel operator that provides digital passes covering 33 national railways, has confirmed that attackers stole the personal information of 308,777 individuals in a data breach that occurred in December 2025.

The company, which is owned by more than 35 European railway and ferry companies, notified U.S. Regulators in April 2026 regarding the incident. The breach involved an unauthorized actor transferring files from the company’s network on December 26, 2025.

Scope of Compromised Data

The stolen data includes a wide array of sensitive personal information. According to disclosures, the attackers gained access to travelers’ full names, passport details, identification numbers, and contact details, including phone numbers and email addresses.

The breach also exposed financial and health-related information. Specifically, bank account International Bank Account Numbers (IBANs) and health information were among the data points compromised after the attackers breached the customer database.

While Eurail stated that it did not store passport photocopies or financial information on the compromised systems, the European Commission issued a separate alert. The commission warned that health information and passport data may have been exposed for young travelers who received passes through the DiscoverEU program.

Threat Actor Activity and Dark Web Sales

The stolen information has been actively targeted for sale. A spokesperson for Eurail confirmed that data copied during the security incident has been offered for sale on the dark web and a sample dataset has been published on Telegram.

In February 2026, a hacker claimed responsibility for the attack and asserted that they had stolen 1.3 terabytes of data. This larger dataset reportedly included database backups, source code, and Zendesk support tickets.

The threat actor claimed that Eurail declined to negotiate, which prompted the decision to go public with the theft and release samples of the data.

Timeline of Discovery and Notification

The process of identifying and notifying affected users spanned several months. Eurail first disclosed the incident in January 2026, warning customers who had been issued a Eurail pass that they might have been affected.

On February 25, 2026, the company determined that the files transferred during the December 26 intrusion contained specific user information, including names and passport numbers.

Eurail subsequently sent breach notification letters to affected individuals on March 27, 2026. These notifications were sent to victims in several U.S. States, including California, Texas, and Oregon.

The company further detailed the impact in a filing with the Office of Oregon’s Attorney General on February 25, 2026, specifying the total number of impacted individuals as 308,777.

Regulatory Response and Mitigation

Eurail has reported the security incident to European Union data protection authorities as well as other regulatory agencies outside the EU.

To protect their accounts, the company urged customers to change the passwords associated with their Rail Planner app. Eurail also advised users to be wary of any unsolicited contact requesting personal information.

The company has declined to share additional technical details related to how the systems were breached, though it confirmed that the unauthorized file transfer took place on the final day of December 2025.