Eurail B.V. has confirmed a significant data breach occurring in December 2025 that exposed the personal information and passport details of over 308,000 international train travelers.

Key Points

• Attackers accessed and exfiltrated files from the Eurail network on December 26, 2025.
• The breach compromised names, contact information, reservation details, and passport numbers for 308,777 individuals.
• Stolen data, including participants in the European Commission’s DiscoverEU program, appeared for sale on the dark web and Telegram in February 2026.
• Eurail B.V. confirmed that no payment card information or physical passport scans were stored or accessed during the incident.
• The company has notified law enforcement and is currently working with third-party cybersecurity experts to investigate the scope of the exposure.

Why it Matters

This incident highlights the significant risks associated with centralized travel databases that store sensitive identity information across international borders. Affected travelers face an increased risk of identity theft and targeted phishing attacks, necessitating heightened vigilance regarding their personal financial and digital accounts.