-
Hackers stole the personal data of 300,000 travelers from Eurail’s systems last December.
-
Now, criminals have published it for sale on the dark web, some of it already floating around Telegram.
-
Victims face losing money on urgent passport cancellations and replacements.
After the Eurail data breach that affected over 300,000 people last December, criminals are now offering the data for sale on the dark web.
The compromised data reportedly includes very sensitive personal info, including passport numbers, home addresses, email, phone numbers, etc. Now travelers have been advised to cancel their passports due to the leak.
How the Eurail Data Breach Disrupted Travel Itineraries
The Eurail data breach fiasco just got much worse. The company recently revealed that criminals are now offering the stolen information for sale. Someone already posted a sample of the data on Telegram.
That discovery has triggered a wave of stress, confusion, and unexpected costs across Europe. The UK Passport Office directly told one traveler from the UK to cancel their passport immediately. The agency warned them to do this to prevent fraud, but the customer still had to pay the full £102 fee for a replacement.
It is even worse for others. A victim in Denmark had to cancel their passport, and it’ll cost them more than £200 to get a new one. One woman whose data was also affected called the situation “an absolute nightmare.”
She traveled with her friends from Penzance for their summer break last year to Naples. She is afraid that getting a new passport for their next trip might take time. Also she wondered if she’ll need to pay for the replacement, adding that compensation seems fair.
A Complete Identity Package for Criminals
What exactly did the hackers steal? The list includes full names, email and home addresses, phone numbers, dates of birth, and passport numbers.
Security researchers call this a “complete identity package.” Aras Nazarovas, a senior researcher at Cybernews, explained that criminals can use this data to bypass security checks. They could access your bank accounts, open crypto exchange accounts, or even take out loans in your name.
One victim, 64-year-old Gerard Tubb from Yorkshire, summed up the fear perfectly. “The concern is what can people do with that amount of information,” he said. “It seems an awful lot – everything to persuade someone they are me.”
Victims Demand Action and Compensation
Eurail’s response has done little to calm the anger. The company is advising customers to “remain extra vigilant” for suspicious calls or emails. They also suggest updating passwords for their Rail Planner app, email, social media, and banking.
A spokesperson of the company said they take “preventing and mitigating any potential impact on customers” seriously, adding that they regret any inconvenience the incident may cause.
But victims feel abandoned. “They didn’t take the security of my data seriously,” Tubb, one of the victims, fired back. “What is the value of regret?” On Reddit, one scared exchange student wrote that they cannot even get a new passport because they live in a different country.
Another frustrated traveler asked if there’s a way to come together and demand compensation, noting they’ll appreciate any amount enough to aid in getting a new passport. At least one person has written to Eurail’s CEO demanding compensation under European data protection law (GDPR).
As of now, thousands of travelers are facing canceled passports and stolen identities. With their data already up for sale on the dark web, it’s only a matter of time before criminals start putting it to use.
The Shocking Price of Your Personal Info
Here is where it gets really scary. According to reports, hackers stole 1.3 terabytes of information from Eurail’s Amazon storage, Zendesk system, and GitLab repository. Evaluation of the stolen data samples suggests it’s a complete identity package, which is hot cake for criminals on the dark web.
Marijus Briedis, the chief technology officer at NordVPN, explained how this market works. Digital copies of British passports typically sell for about £26 each. Physical passports from countries like the US or Italy can go for over £1,100.
“Dark web criminals are no longer fishing through your bins,” Briedis said. Digital copies of passports are readily available on the dark web, at very surprisingly cheap rates and easy to trade, too.
The scale of passport data leaks is alarming, a fake government portal recently leaked passports and personal documents of 1,100 Bangladeshis to the dark web, demonstrating that travelers aren’t the only ones at risk; citizens worldwide are having their identity documents exposed through fraudulent websites impersonating official government services.
So what can criminals actually do with your passport? A lot. They can bypass identity checks, break into your bank accounts, open crypto exchange accounts in your name, or take out loans. They might even use your identity for money laundering.
The steps to take? Be mindful of emails, texts, or calls pretending to be Eurail support or transaction alerts you didn’t authorize. Freeze your credit so criminals won’t be able to open new loans or credit cards in your name.
Then as some of the victims have been advised, cancel your passport and get a new one. Sure, it’ll cost you extra money, but it prevents the long term risk of identity fraud. Consider activating 2FA, so scammers would find it difficult to use the stolen info to log into your bank or email.
