Industry - Data Breach
Executive Summary
Eurail, which sells Interrail rail passes, disclosed that personal data of more than 300,000 European travelers - including passport numbers, names, addresses, and dates of birth - was stolen in a December breach and is now being sold on the dark web. Some affected customers have been advised by passport authorities to cancel their passports and pay for replacements costing up to £200 to prevent fraudulent use. The breach has caused confusion and anger among travelers facing unexpected expens...
What Happened
In December 2025, hackers breached Eurail, the company that sells Interrail train passes for European travel, and stole personal data belonging to more than 300,000 customers. The stolen information included passport numbers, names, phone numbers, email and home addresses, and dates of birth. In April 2026, Eurail disclosed to customers that the stolen data was being offered for sale on the dark web and that a sample dataset had been published on Telegram.
Who Is Affected
More than 300,000 European travelers who purchased Interrail passes are affected, spanning customers across multiple countries including the UK and Denmark. Passport authorities in at least the UK and Denmark have advised some affected individuals to cancel their existing passports and obtain replacements at personal cost - up to £102 in the UK and over £200 in Denmark - to prevent fraudulent use. Affected travelers also face increased risk of identity theft and phishing attacks due to the comprehensive nature of the exposed personal information.
Why It Matters
This breach is significant because it exposes highly sensitive identity documents - passport numbers combined with full biographical data - that can be used for identity fraud, illegal border crossings, or other criminal activities. The incident demonstrates how a single travel service breach can create cascading financial and logistical burdens for victims, who must pay out-of-pocket for replacement documents and may face travel disruptions. The four-month delay between the December breach and the April disclosure that data was actively being sold raises questions about breach notification timing and victim protection.
What You Should Do
If you purchased an Interrail pass and received notification from Eurail, contact your national passport authority immediately to determine whether you should cancel and replace your passport. Monitor your bank accounts, credit reports, and email for suspicious activity, as criminals may use the stolen information for identity theft or targeted phishing attacks. Remain vigilant for unexpected calls, emails, or text messages requesting personal information, and consider placing fraud alerts with credit bureaus. If authorities require you to replace your passport due to this breach, document all expenses and communications with Eurail regarding potential compensation.
Summary generated from verified sources and reviewed before publication. How we summarize.