Eurail Data Breach Exposes Customer and DiscoverEU Traveler Information
Eurail B.V., the operator of the Interrail pass enabling pan-European train travel, disclosed a data security incident on January 10 after detecting unauthorized access to its systems. The breach potentially exposed customer order and reservation details, including personal and passport information. Based in Utrecht, the company is investigating the incident with support from cybersecurity experts and legal advisors, though it has not yet confirmed whether data was exfiltrated or misused.
The breach also impacts participants in the DiscoverEU program, funded under the EU’s Erasmus+ initiative. According to the European Commission, compromised data may include names, passport details, IBAN numbers, and health information for affected travelers. While no misuse has been detected, the Commission warned of risks such as phishing and identity theft. The European Data Protection Supervisor has been notified, and updates will follow as the investigation continues.
Eurail has taken steps to secure its systems, including resetting access credentials and enhancing monitoring, and has reported the incident to the Dutch data protection authority in compliance with GDPR. Affected customers will be contacted directly as more details emerge. The company acknowledged the breach’s potential impact and reaffirmed its commitment to data security.
The incident underscores the persistent vulnerabilities in digital infrastructure, even for well-established travel services. Authorities and Eurail continue to assess the scope and implications of the breach.
Eurail B.V TPRM report: https://www.rankiteo.com/company/eurail
European Commission TPRM report: https://www.rankiteo.com/company/unife-the-european-rail-industry
"id": "euruni1768321876",
"linkid": "eurail, unife-the-european-rail-industry",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Interrail pass customers and '
'DiscoverEU program participants',
'industry': 'Travel/Tourism',
'location': 'Utrecht, Netherlands',
'name': 'Eurail B.V',
'type': 'Company'}],
'customer_advisories': 'Affected customers will be contacted directly; '
'advised to change passwords, monitor bank '
'transactions, and report suspicious activity',
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Customer order information',
'Reservation details',
'Passport information',
'Names',
'Bank account references (IBAN)',
'Health information']},
'date_publicly_disclosed': '2024-01-10',
'description': 'Eurail B.V, the company behind the Interrail pass, announced '
'a data security incident after unauthorized access was '
'detected in its systems, potentially exposing customer order, '
'reservation, and passport information. The breach also '
'affects participants in the DiscoverEU program, with '
'compromised data possibly including names, passport details, '
'bank account references (IBAN), and health information.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'data exposure',
'data_compromised': 'Customer order and reservation information, '
'basic identity and contact details, passport '
'information, names, passport details, bank '
'account references (IBAN), health information',
'identity_theft_risk': 'High',
'payment_information_risk': 'High (IBAN exposure)'},
'investigation_status': 'Ongoing',
'recommendations': 'Affected customers advised to change passwords, monitor '
'bank transactions, and report suspicious activity',
'references': [{'source': 'Eurail B.V Statement'},
{'source': 'European Commission Statement'}],
'regulatory_compliance': {'regulations_violated': ['GDPR'],
'regulatory_notifications': ['Dutch data protection '
'authority',
'European Data '
'Protection '
'Supervisor']},
'response': {'communication_strategy': 'Direct notifications to affected '
'customers, public statements',
'containment_measures': 'Secured affected systems, reset access '
'credentials',
'enhanced_monitoring': 'Yes',
'incident_response_plan_activated': 'Yes',
'remediation_measures': 'Enhanced monitoring',
'third_party_assistance': 'Cybersecurity specialists and legal '
'advisors'},
'stakeholder_advisories': 'European Commission advised DiscoverEU travellers '
'to monitor communications and remain vigilant for '
'phishing attempts and identity theft',
'title': 'Eurail B.V Data Security Incident',
'type': 'Data Breach'}