Cyber Incident Victim: Eurail BV
Date:
Jan 2026
Location:
Netherlands
Summary
Eurail disclosed a breach where hackers accessed its network and stole personal information including names, passport numbers, contact details, source code, support tickets, and database backups amounting to roughly 1.3 terabytes. The stolen data was offered for sale on the dark web with samples shared on a Telegram channel, and the company confirmed it does not store bank or credit card information, though certain pass types may have exposed passport copies, health data, and bank account numbers. Notifications were sent to over 300,000 affected individuals after filings with U.S. state authorities indicated the scope of the compromise.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In December 2025, hackers breached the network of Eurail BV, a Netherlands‑based travel company, and exfiltrated files containing basic identity and contact information. The company first disclosed the incident in mid‑January 2026, stating that personal, order, and travel reservation data of customers who had been issued a Eurail pass might have been compromised. In February 2026, a hacker claimed on a surface‑web cybercrime site to have stolen roughly 1.3 terabytes of data from Eurail’s AWS S3, Zendesk, and GitLab instances, including source code, support tickets, and database backups. The hacker asserted that the stolen data held the personal information of millions of Eurail/Interrail customers and that negotiations with Eurail had failed.
Eurail confirmed in early March 2026 that the stolen data was being offered for sale on the dark web and that a sample dataset had been posted on a Telegram channel. The company stated that it does not store bank or credit card information and, except for DiscoverEU pass holders, does not retain visual copies of passports. According to the hackers’ claims and Eurail’s own disclosures, the compromised data includes names, dates of birth, phone numbers, email addresses, postal addresses, and passport information, with passport numbers and names specifically noted in filings with U.S. state attorneys general. For individuals who received a DiscoverEU pass, the exposed information may also encompass passport copies, health data, and bank account numbers. The breach notifications filed with several U.S. state Attorney General’s Offices in April 2026 indicated that the incident affected 308,777 people.
Eurail said it is investigating which specific data records or how many of the affected customers are involved in the offered data set. The company is sending written notifications to the potentially impacted individuals where contact details are available. Eurail also filed breach notifications with the Attorney General’s Offices in several U.S. states to comply with disclosure requirements. The company reiterated that it does not store bank or credit card information and that it does not retain visual copies of passports except for those issued under the DiscoverEU program.