A major cybersecurity incident at Eurail has exposed the personal data of more than 300,000 travelers, raising serious concerns about data protection in global transport systems.
Quick Summary – TLDR:
- Over 308,000 travelers had personal data exposed in a December 2025 breach.
- Passport numbers, names, and contact details were confirmed leaked.
- Hackers claimed to have stolen 1.3 TB of internal data including customer records.
- The breach also impacted participants in the DiscoverEU program.
What Happened?
Eurail confirmed that unauthorized attackers gained access to its systems on December 26, 2025, leading to a large scale data breach affecting hundreds of thousands of users. The company later determined that the stolen files contained sensitive personal information, including names and passport numbers.
Eurail’s data breach in Dec 2025 exposed personal info for 300,000 users, with data appearing on Telegram and the dark web. This rapid exfiltration and resale highlight the critical need for constant external exposure monitoring. Companies can’t afford to be reactive. #DataBreach…
— Ran Geva (@rangeva) April 9, 2026
How the Breach Unfolded?
The breach originated from a network intrusion into Eurail’s IT infrastructure. According to the company, threat actors managed to extract files from internal systems, including cloud storage and customer support platforms such as AWS S3, Zendesk, and GitLab.
By February, a hacker group publicly claimed responsibility, stating they had obtained around 1.3 terabytes of data. This archive reportedly included:
- Customer personal information
- Internal database backups
- Source code and support tickets
The attackers later published a sample dataset on Telegram and attempted to sell the stolen data on dark web forums after alleged negotiations with Eurail failed.
What Data Was Exposed?
Eurail confirmed that at least 308,777 individuals were impacted, including travelers in the United States. The exposed data includes:
- Full names
- Passport numbers and ID details
- Email addresses and phone numbers
- Postal addresses and country of residence
- Dates of birth or age
In some cases, especially linked to the DiscoverEU program, additional sensitive data may have been exposed, such as:
- Bank account references like IBAN
- Passport photocopies
- Health related information
While Eurail stated that it does not store bank card details or passport images in its main systems, warnings from European authorities suggest that such data may still have been compromised through partner systems.
Impact on DiscoverEU Program
The breach had a downstream impact on the DiscoverEU initiative, a program that offers travel passes to young Europeans. Participants in this program appear to have faced deeper exposure due to the type of data collected during enrollment.
This raises concerns about how third party systems and partnerships handle sensitive user data, especially in large scale international programs.
Regulatory Response and Notifications
Eurail has reported the breach to European Union data protection authorities as well as regulators in the United States. The company also filed disclosures with multiple state Attorney General offices.
Affected individuals are now being notified directly, and the company has begun sending written communication outlining the risks and next steps.
What Users Should Do?
Eurail has advised all affected users to take immediate precautions, including:
- Updating passwords for the Rail Planner app and other accounts.
- Monitoring bank accounts for suspicious activity.
- Staying alert to phishing scams that may use stolen personal data.
Security experts warn that the exposure of passport data significantly increases the risk of identity theft and targeted fraud.
SQ Magazine’s Takeaway
I think this breach highlights a growing problem that many people overlook. Travel platforms hold a surprising amount of deep personal data, and when something goes wrong, the impact is massive. What worries me most is not just the breach itself, but how easily this data moved across systems like cloud storage and support platforms.
It also shows that even if a company claims it does not store certain sensitive details, those details can still exist somewhere in the wider ecosystem. For users, this is a reminder to stay alert. For companies, it is a clear signal that data security cannot be treated as a secondary concern anymore.