Data Breach Travel / Transportation · Europe · January 2026

Eurail

Analysis of the Eurail breach with passport and customer data allegedly offered for sale on the dark web.

Records Affected

Unknown (1.3TB claimed for sale)

Attack Type

Data Breach

Location

Europe

Data types exposed

Full names passport details ID numbers bank account IBANs health information contact details

What Happened

In January 2026, Eurail confirmed a breach in which customer data including passport information was reportedly put up for sale on the dark web. The threat actor claimed to have 1.3TB of data.
The compromised data includes names, contacts, and passport information. Passport data is among the most sensitive identity information and reveals travel patterns.

Timeline

  • Prior to January 2026 — Unauthorised access to Eurail customer database
  • January 10, 2026 — Eurail publishes public notice about the breach
  • January 13, 2026 — Customer notification emails sent
  • January 2026 — Negotiations with attackers reportedly fail; allegedly stolen data offered for sale on dark web
  • January 2026 — Data protection authorities notified under GDPR

Impact and Risk Assessment

For Individuals

Passport details and ID numbers are permanent identity documents that cannot be easily changed, creating long-term identity fraud risk across international borders.
Bank account IBANs enable direct debit fraud in European payment systems.
Health information was also exposed, adding a sensitive data category to the breach.
DiscoverEU participants, who are young travellers aged 18, are particularly affected as their photocopied IDs were compromised early in their adult lives.

For Organisations

Eurail faces GDPR enforcement action across multiple European jurisdictions given the breadth of the data and the number of affected countries.
European rail operators and tourism organisations may face increased scrutiny of their data handling practices.

Regulatory Context

GDPR applies across all 33 European countries where Eurail operates. Multiple national data protection authorities may claim jurisdiction.
The exposure of passport data and health information triggers the highest tier of GDPR obligations for sensitive personal data.

What Should You Do?

For Individuals

  • If you have purchased a Eurail pass, monitor your bank accounts for unauthorised direct debit transactions given the IBAN exposure.
  • Consider contacting your passport-issuing authority about the exposure, particularly if you are concerned about identity fraud.
  • DiscoverEU participants should be especially vigilant and monitor their credit and identity for misuse.

For Security Professionals

  • Travel organisations handling passport data should treat it with the same security rigour as financial data, including encryption at rest, strict access controls, and data minimisation.
  • Consider whether it is necessary to retain passport photocopies after the initial verification purpose has been served.

Learnings and Recommendations

Travel providers hold passport data that cannot be easily changed, creating long-term identity fraud risk. Organisations handling passport data should treat it with the same security rigour as financial data.
The dark web marketplace for travel and identity data remains active. Confirmed breaches with passport data command premium prices.
This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.
Back to all advisories