Eurail B.V., a Eu shuttle operator that gives virtual passes overlaying 33 nationwide railways, says attackers stole the non-public knowledge of over 300,000 folks in a December 2025 knowledge breach.
Eurail is a Netherlands-based corporate that sells Interrail and Eurail passes for multi-country educate shuttle throughout Europe, passes which can be additionally to be had to younger Europeans during the EU’s DiscoverEU program.
When it disclosed the incident in February, the corporate stated the attackers won get admission to to vacationers’ delicate knowledge, together with complete names, passport main points, ID numbers, checking account IBANs, well being knowledge, and speak to main points (e mail addresses, telephone numbers), after breaching its buyer database.
Eurail additionally warned on the time that the danger actors had revealed a pattern of the stolen knowledge on Telegram and had been making an attempt to promote it at the darkish internet.
“The proof confirmed that an unauthorized actor transferred recordsdata from our community on December 26, 2025,” the Eu educate shuttle corporate stated in breach notification letters despatched to affected folks on March 27.
“We reviewed the recordsdata concerned and, on February 25, 2026, decided that they contained a few of your knowledge. The guidelines integrated your identify and passport quantity.”
The similar day, Eurail printed in a submitting with the Administrative center of Oregon’s Legal professional Basic that the ensuing knowledge breach impacted 308,777 folks.
Whilst Eurail stated that it did not retailer monetary knowledge or passport photocopies at the compromised techniques, the Eu Fee warned in a separate alert that this sort of knowledge (in addition to well being knowledge) can have been uncovered for younger vacationers who gained a Cross during the DiscoverEU program.
Eurail instructed consumers whose knowledge used to be uncovered within the breach to stay vigilant towards possible phishing assaults and scams, and urged them to replace their Rail Planner app account passwords and reset them on another platform the place they are extensively utilized.
The corporate added that consumers must track their checking account task and file any suspicious transactions to their financial institution once conceivable.
Final month, the Eu Fee additionally showed an information breach after the Europa.european internet platform used to be hacked in a cyberattack claimed by means of the ShinyHunters extortion gang.
Computerized pentesting proves the trail exists. BAS proves whether or not your controls prevent it. Maximum groups run one with out the opposite.
This whitepaper maps six validation surfaces, presentations the place protection ends, and offers practitioners with 3 diagnostic questions for any software analysis.
