European travel company Eurail has announced a significant data breach that has compromised the personal information of over 300,000 individuals. The breach, which occurred in December 2025, was initially revealed in January this year, raising concerns among customers who had procured a Eurail pass.
Details of the Breach
Hackers infiltrated the network of the Netherlands-based company, extracting files that contained essential identity and contact details of numerous customers. The breach has raised serious questions about data security practices within the company.
Further revelations in February highlighted that a hacker had claimed responsibility for exfiltrating approximately 1.3 terabytes of data from Eurail’s Amazon Web Services (AWS) S3 storage, Zendesk, and GitLab systems. This data included source code, support tickets, and database backups, further aggravating the situation.
Hackers’ Activities and Company’s Response
The hacker, who boasted about the breach on a cybercrime forum, alleged that millions of Eurail/Interrail customers’ personal information was compromised. The hacker’s attempts to negotiate with Eurail reportedly fell through, leading to the data being offered on the dark web.
In March, Eurail confirmed that the stolen data had been made available on the hacker’s Telegram channel. However, the company assured customers that no banking or credit card information, nor visual copies of passports, were stored within their systems.
Notifications and Legal Actions
Eurail has committed to informing those whose data was included in the disclosed samples, provided that contact details are available. The company has filed breach notifications with several US state Attorney General’s Offices, confirming that the attack resulted in the theft of names and passport numbers.
Specifically, the breach affects 308,777 individuals, according to the information shared with the Oregon Attorney General's Office. Affected individuals will receive written notifications informing them of the breach and of any necessary steps they should take.
The incident underscores the growing challenge of protecting personal data in an increasingly digital world. As Eurail works to mitigate the impact of the breach, the case serves as a stark reminder of the importance of robust cybersecurity measures.
