Eurail Confirms Stolen Customer Data is Now being Sold on Dark Web

A few weeks after confirming a January security breach that affected customer data, Eurail B.V. has again notified its customers that the stolen data is now actively for sale on the dark web, with a sample dataset already published on Telegram.

The Netherlands-based company manages passes covering over 250,000 kilometers of European tracks across more than 30 countries. It serves millions of travelers annually, including lots of young participants in the European Commission’s DiscoverEU program. The breach has turned into a full-blown identity theft crisis that puts thousands of travelers at risk.

What Actually Got Stolen

Passport data and financial info of Eurail customers are the big prizes here, and they’re now in criminals’ hands. The hackers made off with full names, birth dates, email addresses, phone numbers, and home addresses from the customer database.

But it gets much worse. For many customers, especially DiscoverEU participants, the breach exposed passport numbers, ID photocopies, IBAN bank references, and even health-related data.

Eurail says they don’t store payment card details or passport images for regular customers who purchase passes directly from them. But DiscoverEU (a program that offers free travel passes to 18-year-olds across Europe) travelers aren’t so lucky.

The European Commission confirmed its files included ID photocopies and bank account information that participants provided for reimbursements and special assistance during their trips.

The company first disclosed the breach on January 13 and said they secured its systems and was investigating the incident. Back then, they said their findings showed no evidence that the attackers had publicly disclosed or misused the data.

However, fast forward to February 13, and a threat actor posted samples on Telegram. They even listed the full dataset for sale on dark web marketplaces. The external cybersecurity specialists Eurail hired are now monitoring dark web forums to track the distribution. But once your data has ended up there, you can’t exactly ask for it back.

What This Means for Affected Travelers

Eurail said they are still investigating to know the exact category of personal data that the attackers published. But your data ending up on the dark web or anywhere else isn’t even half the story. The scary part is that it’s basically for sale, and criminals are trading it as a commodity.

Once information hits the dark web, it becomes a product that bad actors can buy and sell for profit. Buyers purchase these records to commit fraud, and they don’t waste time doing it while the data is still fresh and usable.

The scale of this underground economy is staggering, just recently the personal data of 240 million Pakistanis was listed for sale on the dark web, demonstrating that no country or population is too large to be targeted and commodified.

Passport numbers are absolute gold for identity thieves. With your full name, birth date, and passport details, someone can open bank accounts, apply for loans, or create fake IDs in your name.

The IBAN numbers give them direct financial targeting capabilities, essentially handing over the keys to your bank account. And health data? It’s useful for medical insurance fraud and sophisticated social engineering attacks.

The timing makes this extra stressful. These travelers were probably planning European adventures or had already booked their rail passes for summer trips. Now they have to deal with potential identity theft instead of packing their bags.

DiscoverEU participants face the highest risk here, and they’re often 18-year-olds traveling for the first time. Their files have ID photocopies and bank details, which is very sensitive information that scammers can use for fraud.

Most young people don’t often take credit and account monitoring seriously as they should, giving criminals a wider window to operate without anyone noticing.

KnowBe4’s Lead Security Awareness Advocate, Javvad Malik, warned that once personal data leaks, the risk escalates from just an IT incident to fraud and impersonation. He told organizations to stop thinking of notifications as just another box to tick for compliance. Make it clear, specific, and timely so people know what’s up and take action to keep safe.

What You Need to Do Now

Eurail’s still investigating, but whatever the outcome, you can’t delete data from the dark web. Once it’s out there circulating on criminal forums and Telegram channels, it’s out there forever.

The company is notifying affected customers directly when they have contact information available. They’ve also reported the incident to data protection authorities under GDPR rules and are notifying authorities outside the EU where required. Regulatory fines might follow, but that doesn’t help you right now if your identity gets stolen.

Here’s what you need to do if you’re an Eurail customer. Change your Rail Planner app password immediately. Don’t reuse that password anywhere else. Update passwords for your email, social media, and banking accounts too, especially if you tend to recycle the same credentials across multiple sites.

Watch your bank accounts like a hawk right now. Be on guard, and if you notice any suspicious activity on your account, report it ASAP to your bank. Watch out for unexpected calls, emails, or texts asking for your info. Eurail made it clear—they’ll never reach out for your private details out of nowhere. So, if someone does, odds are it’s a scam.

Phishing scams will probably get worse now that the info is out there. When scammers get your name and email, they can whip up messages that look convincing. Don’t click on links in random emails, and don’t hand over your info just because someone seems legit at first glance. Stay sharp.

And while you’re watching for phishing, don’t forget to monitor your loyalty accounts too. Millions of travelers are at risk as these accounts are sold for pennies on the dark web, often drained long before the victim notices.

For participants of DiscoverEU? Email them directly at [email protected] if you have questions or to find out what data was leaked.

Eurail’s privacy team is also available at [email protected] for customer questions. They’ve posted FAQs on their support center website with additional guidance on protective steps you can take.

This situation absolutely sucks, no two ways about it. Your best move is staying alert and locking down your accounts now before criminals try to use what they bought.

The investigation is ongoing, and more affected customers will likely receive notifications in the coming weeks as Eurail works through identifying exactly whose data ended up in that leaked sample.