Interrail passengers across Europe have been warned that data accessed during a security breach has been leaked on the dark web. Passport and identification card numbers, contact details, bank account references, and health data were compromised during a breach of Eurail BV’s systems, the company that sells Interrail passes for train travel across Europe.
Details of the Breach
The company has concluded its investigation and is now informing affected customers. Eurail first announced the breach, affecting over 300,000 travelers, in December. It has now been revealed that the stolen data has been offered for sale on the dark web, with a sample dataset published on Telegram. Eurail emphasizes that it does not store bank or credit card information nor keeps visual copies of passports.
Impact on Passport Holders
Replacing a passport in the UK costs £102. The Home Office stated: “Where a passport holder has been informed of a data breach involving their passport details, it remains for them to determine whether they wish to replace that passport. British passports incorporate modern security technologies to help keep ahead of any criminals who may attempt to forge or fake them.”
DiscoverEU Programme Affected
The breach also affects 18-year-olds who received a pass through the EU’s DiscoverEU programme, which gives away 40,000 Interrail passes this year. DiscoverEU stated that identification information, including photocopies, could have been breached, but the extent is unknown. There is currently no evidence of misuse, and external cybersecurity specialists are monitoring the situation. DiscoverEU is not available to British citizens but will be available through Erasmus+ in 2027.
Customer Guidance
Eurail and DiscoverEU said: “Preventing and mitigating any potential negative consequences for our customers is our highest priority. We encourage customers to remain vigilant for any suspicious communications. Eurail will never request sensitive information through unsolicited contact. Customers should update their Rail Planner app password, consider changing passwords for email, social media, and banking accounts, and monitor bank accounts for unusual transactions.”
Some customers are seeking compensation for passport replacement. One Reddit user wrote: “I’ve emailed them again asking they’d reimbursed the costs for a new passport because their leak is the first time ever my passport number has been leaked.” Another expressed confusion: “Am I meant to apply for another passport now? I got an email today saying all my data has been put up for sale on the dark web, but I don’t have a clue what I’m meant to do.” The Independent has contacted Eurail for comment.
