Eurail passengers taken for a ride as data breach spills passports, bank details
Summary
Eurail (Interrail for EU residents) has confirmed a data breach affecting customer records. The company posted an initial notice on 10 January and began emailing potentially affected customers from 13 January. The exact number of people impacted was not disclosed.
Key Points
- Personal data potentially exposed includes names, dates of birth, genders, email addresses, home addresses, telephone numbers and passport details (number, issuing country, expiry date).
- DiscoverEU passengers (the Erasmus-funded scheme) may have had additional items compromised, including photocopies of IDs, bank account reference numbers and health data.
- Eurail says no visual passport copies were stored for customers who bought passes directly from the company, but DiscoverEU records differ.
- The company has closed the vulnerability, reset credentials, improved security controls and reported the incident to the Dutch data protection authority under GDPR.
- There is currently no evidence the stolen data has been publicly disclosed or misused, but customers are at risk of phishing, spoofing, unauthorised access and identity theft.
- Customers were advised to change passwords across all accounts (not just the Rail Planner app) and to watch for scam attempts.
Content summary
The Register reports Eurail has acknowledged unauthorised access to customer information and is working with external cybersecurity specialists to investigate. The European Commission separately warned DiscoverEU participants that their records may include copies of identification documents, bank references and health information. Eurail has notified affected customers directly and said it has taken steps to secure systems and remediate the issue.
Context and relevance
This breach sits in a run of high-profile European data incidents and highlights persistent risks for travel‑industry databases that store sensitive identity and payment information. Under GDPR, notification to data protection authorities is mandatory; Eurail has complied with that requirement. The incident is particularly sensitive for young travellers on DiscoverEU, who may not expect ID photocopies and health details to be retained.
Why should I read this
If you’ve ever used Eurail/Interrail or taken part in DiscoverEU, this affects you — so open your inbox. The breach exposes passport and bank details, which are prime material for phishing or identity theft. We’ve picked out the bits that matter: what was taken, who is more at risk, and what you should do right now (change passwords, monitor accounts, be extra cautious with emails).
Source
https://go.theregister.com/feed/www.theregister.com/2026/01/14/eurail_breach/
