Eurail, the organization behind the iconic European rail pass used by millions of international travelers, has disclosed a significant data breach that occurred in December 2025. The incident resulted in the theft of passport numbers for more than 300,000 individuals, along with a substantial trove of internal company data totaling approximately 1.3 terabytes.
What Was Stolen
The scope of the breach is broad. According to Eurail's disclosure and details shared by the threat actor who claimed responsibility in February 2026, the stolen data includes:
| Data Category | Details |
|---|---|
| Passport numbers | 300,000+ customers affected |
| Personal data | Customer identifying information |
| Source code | Internal Eurail codebase |
| Database backups | Full database snapshots |
| Zendesk support tickets | Customer service communication records |
| Total volume | ~1.3 TB claimed by attacker |
The inclusion of passport numbers is particularly significant. Unlike email addresses or passwords, passport numbers cannot be easily changed and are used as primary identity verification across border crossings, financial services, and travel bookings worldwide. Exposure of this data creates lasting identity fraud risk for affected individuals.
Timeline
The breach followed a pattern common to many breach disclosures: considerable gaps separating the intrusion, the attacker's public claim, and the organization's formal notification.
- December 2025 — Breach occurs at Eurail
- February 2026 — Hacker publicly claims the attack, says 1.3 TB stolen
- April 8, 2026 — Eurail formally discloses the breach
This four-month gap between the incident and public disclosure will likely draw scrutiny from European data protection authorities. Under the EU General Data Protection Regulation (GDPR), organizations are required to notify supervisory authorities within 72 hours of becoming aware of a personal data breach that poses a risk to individuals.
Support Ticket Exposure
The inclusion of Zendesk support ticket data deserves particular attention. Support ticket records often contain:
- Detailed correspondence about account issues, including identity verification exchanges
- Copies of identity documents submitted for dispute resolution
- Payment and booking information
- Travel itineraries and personal contact details
When support ticket data is combined with passport numbers and personal information, it creates a rich profile that can be exploited in targeted phishing, account takeover, and identity fraud schemes.
Risk to Affected Individuals
Eurail customers affected by this breach face elevated risk in several areas:
Identity fraud: Passport numbers combined with personal data enable fraudsters to open financial accounts, apply for loans, or create synthetic identities. Victims should monitor credit reports and consider placing a fraud alert.
Travel document abuse: While passports themselves were not physically stolen, the numbers can be used in document fraud schemes or to create convincing phishing lures impersonating border agencies or travel services.
Targeted phishing: With support ticket data in hand, attackers can craft highly convincing emails that reference specific past interactions — a technique known as context-aware phishing that is significantly more effective than generic lures.
What Eurail Customers Should Do
- Monitor for phishing — Be suspicious of any email referencing your Eurail account or travel history, especially if it requests identity verification or payment
- Check credit reports — Review for any unfamiliar accounts or inquiries
- Do not respond to unsolicited contact — Go directly to official Eurail channels if you receive suspicious communications
- Consider a fraud alert — Contact your country's credit bureaus if you are concerned about identity fraud risk
- Watch for passport misuse — If you notice unusual activity when crossing borders or applying for services that use passport verification, report it to relevant authorities
Regulatory Implications
Eurail operates under EU jurisdiction, making this breach subject to GDPR enforcement. Data protection authorities in EU member states may investigate whether Eurail:
- Met the 72-hour breach notification requirement
- Had adequate technical and organizational security measures in place
- Properly handled the large volume of sensitive travel document data
Similar breaches at travel and booking platforms have attracted significant GDPR fines in recent years. The GDPR allows for penalties of up to 4% of global annual turnover for serious violations.
Source: The Record — Eurail reports data breach impacting over 300,000