Eurail
Analysis of the Eurail breach with passport and customer data allegedly offered for sale on the dark web.
Published by the Scrutex.ai Research Team | January 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation
Eurail
European rail pass provider enabling train travel across 33 European countries, also administering the EU's DiscoverEU programme for young travellers.
Sector
Travel / Transportation
Region
Europe
Date of Incident
Prior to January 2026 (exact date unknown)
Date Disclosed
January 10, 2026 (public notice); January 13, 2026 (customer notifications)
Estimated Impact
Unknown (1.3TB claimed for sale)
Data Types Exposed
Full names, passport details, ID numbers, bank account IBANs, health information, contact details
Attack Type
Data Breach
Attack Vector
Unauthorised access to customer database (root cause not confirmed)
Threat Actor
Not publicly attributed
Current Status
Allegedly stolen data offered for sale on dark web. Negotiations with attackers reportedly failed. Data protection authorities notified under GDPR.
Severity Assessment
Critical. Passport data, IBANs, and health information exposed. DiscoverEU participants (young travellers) particularly affected with photocopied IDs compromised.
What Happened
In January 2026, Eurail confirmed a breach in which customer data including passport information was reportedly put up for sale on the dark web. The threat actor claimed to have 1.3TB of data.
The compromised data includes names, contacts, and passport information. Passport data is among the most sensitive identity information and reveals travel patterns.
Timeline
Prior to January 2026
Unauthorised access to Eurail customer database
January 10, 2026
Eurail publishes public notice about the breach
January 13, 2026
Customer notification emails sent
January 2026
Negotiations with attackers reportedly fail; allegedly stolen data offered for sale on dark web
January 2026
Data protection authorities notified under GDPR
Impact and Risk Assessment
For Affected Individuals
Passport details and ID numbers are permanent identity documents that cannot be easily changed, creating long-term identity fraud risk across international borders.
Bank account IBANs enable direct debit fraud in European payment systems.
Health information was also exposed, adding a sensitive data category to the breach.
DiscoverEU participants, who are young travellers aged 18, are particularly affected as their photocopied IDs were compromised early in their adult lives.
For Organisations
Eurail faces GDPR enforcement action across multiple European jurisdictions given the breadth of the data and the number of affected countries.
European rail operators and tourism organisations may face increased scrutiny of their data handling practices.
Regulatory Context
GDPR applies across all 33 European countries where Eurail operates. Multiple national data protection authorities may claim jurisdiction.
The exposure of passport data and health information triggers the highest tier of GDPR obligations for sensitive personal data.
What Should You Do?
If You Are a Potentially Affected Individual
If you have purchased a Eurail pass, monitor your bank accounts for unauthorised direct debit transactions given the IBAN exposure.
Consider contacting your passport-issuing authority about the exposure, particularly if you are concerned about identity fraud.
DiscoverEU participants should be especially vigilant and monitor their credit and identity for misuse.
If You Are a Security or Risk Professional
Travel organisations handling passport data should treat it with the same security rigour as financial data, including encryption at rest, strict access controls, and data minimisation.
Consider whether it is necessary to retain passport photocopies after the initial verification purpose has been served.
Learnings and Recommendations
Travel providers hold passport data that cannot be easily changed, creating long-term identity fraud risk. Organisations handling passport data should treat it with the same security rigour as financial data.
The dark web marketplace for travel and identity data remains active. Confirmed breaches with passport data command premium prices.
Sources
This advisory is provided for informational purposes by the Scrutex.ai research team. It is based on publicly available reporting from the sources cited above. Where details are unconfirmed or disputed, we have noted this accordingly. Scrutex.ai does not independently verify internal claims made by affected organisations. Organisations concerned about their own exposure are encouraged to conduct their own assessments and seek professional advice where needed.
Stay ahead of the next breach
Scrutex monitors dark web sources, breach databases, and threat actor activity continuously, detecting exposure that affects your organisation before it becomes a headline.