Eurail Data Breach Exposes 300,000 Passports, Impacts DiscoverEU Program
Published
Key Takeaways
- Massive data theft: The December Eurail data breach exposed the personal information and passport numbers of 308,777 international travelers.
- Dark web exposure: Hackers published a sample dataset on Telegram after copying 1.3 TB of sensitive internal files and customer records.
- Downstream partner impact: This European train travel breach also severely affected the DiscoverEU program, compromising participant bank accounts and passport photocopies.
European transportation network provider Eurail B.V. recently confirmed that the December breach compromised the personal information of at least 308,777 travelers in the U.S., including those in the Erasmus+ program DiscoverEU. Eurail has formally reported the incident to European Union data protection authorities and global regulatory agencies to manage the fallout of this European train travel breach.
Passport Numbers Leaked
The December Eurail B.V. breach occurred on December 26, when unauthorized threat actors infiltrated the IT infrastructure of the Netherlands-based organization managing cross-border rail passes for 35 European railway operators.
Following the network intrusion, the company filed official data breach notifications with U.S. state regulators, confirming that passport numbers leaked alongside full customer names for at least 308,777 people in the United States, including 242 residents in New Hampshire.
Program administrators warned in January that the breach exposed extensive personal profiles, including:
- name,
- surname,
- date of birth or age,
- passport/ID information or photocopies,
- email address,
- postal address,
- country of residence,
- phone number,
- bank account reference (IBAN),
- data concerning health.
By February, the responsible hacker group claimed to possess 1.3 terabytes of AWS S3, Zendesk, and Gitlab data. This archive reportedly includes proprietary source code, database backups, and Zendesk support tickets, as well as PII for millions of customers, including full names, dates of birth, phone numbers, email addresses, addresses, passport/ID card information, and more.
Protecting Customer Data Security
The exposure of highly sensitive documents raises critical concerns regarding customer data security across global transit systems. The threat actors subsequently offered the stolen archives for sale on dark web forums and published a sample dataset on Telegram to verify their claims, according to an update from Eurail B.V. published in March.
To mitigate ongoing customer data security risks, Eurail strongly advises all travelers to update their Rail Planner application passwords immediately. Affected individuals must remain vigilant against targeted phishing attempts leveraging the stolen passport details and financial records.
Earlier this month, a compromise of a third-party customer support provider led to a Hims & Hers data breach. In November 2025, Scattered Lapsus$ Hunters impersonated Zendesk in a phishing campaign.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular