What began as a January disclosure about unauthorized database access has grown into a full-scale identity theft crisis after attackers listed millions of European rail travelers’ sensitive records on criminal marketplaces.

Eurail B.V. confirmed on February 13, that customer data compromised in an earlier security breach is now being offered for sale on the dark web, with a sample dataset also published on Telegram. The escalation transforms a data breach disclosure into an active identity theft emergency for potentially millions of European travelers.

Who Were Impacted in Eurail Breach

The incident impacted all customers issued a Eurail pass, as well as those who made seat reservations with the company, including customers who purchased Eurail or Interrail passes through partner channels or distributors. The company has not disclosed the total number of affected individuals, but Eurail operates passes across 250,000 kilometers of European railways, serving millions of travelers annually.

The compromised data includes full names, passport details, ID numbers, bank account IBANs, health information, and contact details such as email addresses and phone numbers. The combination of passport numbers, IBAN bank references and health data creates conditions for sophisticated identity fraud that can persist for years after initial exposure.

Customers who purchased travel passes directly from Eurail or Interrail did not have visual copies of their passports stored on company systems. However, the same is not true for those who received passes through the DiscoverEU program—an Erasmus-funded initiative inviting travelers to explore the EU by rail.

Also read: Massive Cyberattack Hits Ukraine Railways, Disrupting Online Ticket Sales

The European Commission confirmed that DiscoverEU travelers participating under the Erasmus+ program may also have had photocopies of their IDs, bank account reference numbers and health data compromised. The Commission notified the European Data Protection Supervisor about the breach in accordance with its obligations under applicable data protection legislation.

Initial Analysis Overturned

Eurail initially disclosed the breach publicly on January 10. The company acknowledged attackers gained unauthorized access to its customer database and stated it had no evidence customer data had been misused or publicly disclosed at the time of initial notification. That position changed dramatically with the February 13 update confirming dark web sales activity.

External cybersecurity specialists engaged by Eurail are monitoring dark web forums to track the distribution and potential sale of the data. The company has not disclosed whether it received any ransom demands or extortion attempts related to the breach.

“Can’t Treat Notification as a Compliance Exercise”

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, warned that once personal data is exposed, the risk shifts from an IT incident to sustained fraud and impersonation. “Organisations can’t treat notification as a compliance exercise—they need to be clear, specific and timely so people can take meaningful protective steps,” Malik said.

Eurail reported the incident to the data protection authority in accordance with EU GDPR requirements and is also notifying other data protection authorities outside the EU where required. The company faces potential regulatory scrutiny over how long it held sensitive documents including passport copies and health data.

Eurail advises customers to update their Rail Planner app account passwords and reset them on any other platform where they use the same credentials. Customers should monitor bank account activity closely and report any suspicious transactions to their bank immediately.

Criminals may attempt to misuse stolen data through unexpected or suspicious phone calls, emails or text messages asking for personal information. Eurail warns customers never to share information with someone who contacts them unsolicited or claims to work for Eurail.

Given the sensitivity of exposed passport numbers, IBAN details and health records, affected travelers face risks beyond typical phishing attempts. Passport data enables identity document fraud, while IBAN numbers facilitate direct financial targeting. Customers who participated in DiscoverEU programs face the highest exposure given the breadth of data categories potentially compromised.

Affected customers can contact Eurail’s privacy team directly at [email protected] for further guidance on the breach’s impact on their specific accounts.