**Eurail B.V.**, a European travel operator providing digital passes covering 33 national railways, reports that attackers stole the personal information of over 300,000 individuals in a December 2025 data breach. **Eurail**, based in the Netherlands, sells Interrail and Eurail passes for multi-country train travel across Europe. These passes are also available to young Europeans through the EU's DiscoverEU program. ## Breach Details In February, the company disclosed that attackers accessed travelers' sensitive information, including full names, passport details, ID numbers, bank account IBANs, health information, and contact details (email addresses, phone numbers), after breaching its customer database. Eurail warned that the threat actors had published a sample of the stolen data on **Telegram** and were attempting to sell it on the dark web. "The evidence showed that an unauthorized actor transferred files from our network on December 26, 2025," the company stated in breach notification letters sent to affected individuals on March 27. "We reviewed the files involved and, on February 25, 2026, determined that they contained some of your information. The information included your name and passport number." The same day, Eurail revealed in a filing with the Office of Oregon's Attorney General that the resulting data breach impacted 308,777 individuals.  *Eurail data breach filing with Oregon's OAG (BleepingComputer)* ## Exposed Data and Recommendations While Eurail stated that it didn't store financial information or passport photocopies on the compromised systems, the European Commission warned that this type of data, as well as health information, may have been exposed for young travelers who received a Pass through the DiscoverEU program. Eurail advises customers whose information was exposed to remain vigilant against potential phishing attacks and scams. They recommend updating Rail Planner app account passwords and resetting them on any other platform where they are also used. Customers should also monitor their bank account activity and report any suspicious transactions to their bank immediately. ## Recent European Commission Breach Last month, the European Commission also confirmed a data breach after the Europa.eu web platform was hacked in a cyberattack claimed by the ShinyHunters extortion gang.