Eurail B.V., the operator providing access to 250,000 kilometers of European railways, has confirmed that stolen customer data is now for sale on the dark web, including passport details, bank account numbers, and health information.
What was stolen
The compromised data includes extremely sensitive information:
- Full names of travelers
- Passport and ID numbers
- IBANs (bank account numbers)
- Health information
- Emails and phone numbers
- Additional data from DiscoverEU (Erasmus+) program participants
The scale of the attack
According to a SecurityWeek analysis, the databases offered for sale contain between 50,000 and 17 million records. The hackers published data samples on Telegram and threatened to release everything if they don't find a buyer.
The hacking group also stated that negotiations with Eurail failed, suggesting the company refused to pay a ransom.
Attack timeline
- January 10: Eurail publicly acknowledges the security breach
- January to February: Breach notification emails sent to affected customers
- February 13: Eurail confirms data is appearing for sale on the dark web
- February 17: Hackers threaten to release all data if no buyer is found
Who is at risk
If you ever purchased a Eurail Pass, Interrail Pass, or participated in the DiscoverEU Erasmus+ program, your data may be compromised. The European Commission confirmed that DiscoverEU participants may have had additional data leaked, including passport photocopies.
What to do now
- Change your password on the Rail Planner app immediately
- Update passwords for your email, social media, and online banking (especially if you reuse passwords)
- Monitor your bank account for suspicious activity
- Enable transaction alerts with your bank
- Watch out for phishing: hackers can send convincing fake emails using your personal data
- Consider a credit freeze if your passport or ID was compromised