securityaffairs.com 4/9/2026, 8:58:32 PM · via preferred

Eurail breach exposes 300k travellers' data, sold on dark web

Primary Source justice.oregon.gov

Hackers breached Eurail in December 2025, stealing names and passport data from its network and exposing personal information for more than 300,000 travellers. The company later disclosed that 308,777 people were affected, with the data described as including names, dates of birth or age, passport or ID information, email addresses, postal addresses, phone numbers, and even bank IBAN details in some cases.

Early findings indicate the breach may have involved order and reservation details and basic identity data, with passport numbers and expiry dates also implicated. In February Eurail confirmed that stolen traveller data were being offered for sale on the dark web, and a sample data set was published on Telegram. The breach notification quoted by the company stated that the unauthorized actor transferred files on 26 December 2025 and that investigators determined their contents on 25 February 2026.

Eurail B.V. said it promptly secured its systems and engaged external cybersecurity and legal experts to assist the investigation, and it noted that it does not store payment card data or passport scans. Affected customers were urged to remain vigilant for suspicious contact and to review related passwords and accounts as the investigation continues. According to the data breach notification, GDPR notifications are part of the process.

Article by CyberSIXT