Eurail breach hits 300k
Eurail disclosed a December data breach affecting roughly 300,000 individuals that included names and passport numbers, the company says. (PRSOL: ). Security Boulevard places that incident alongside other travel-industry breaches that exposed passport numbers, addresses, and in some cases ID photocopies and health data. (Security Boulevard: ).
Eurail said attackers stole personal data from 308,777 travelers after breaking into part of its network in late December 2025. (bleepingcomputer.com) A breach notice filed with the California attorney general says the incident ran from December 24, 2025, to January 8, 2026. Eurail’s notice to New Hampshire says it identified unusual activity on December 26 and later confirmed names and passport numbers were in the affected files on February 25, 2026. (oag.ca.gov) (mm.nh.gov) Eurail began mailing notices on March 27, 2026, and told customers it had hired outside cybersecurity professionals, notified law enforcement, and set up a call center at 1-833-319-9486. (mm.nh.gov) Eurail sells Eurail and Interrail passes for train travel across 33 national railways, so the stolen records tie identity documents to international travel bookings. Security researchers said some of the data was offered for sale online, with a sample posted publicly. (bleepingcomputer.com) (securityboulevard.com) Passport numbers matter because they are durable identifiers: travelers cannot change them as easily as a password or payment card. Eurail’s notices also warn customers to watch for unsolicited calls, emails, or letters from people claiming to work for the company. (mm.nh.gov) The exposed data appears to vary by customer. Malwarebytes reported that some Eurail records included addresses and, for some travelers, photocopies of identity documents and health data alongside passport numbers. (malwarebytes.com) The travel sector has been dealing with the same problem in April 2026: Booking.com told customers on April 13 that unauthorized parties accessed reservation data including names, email addresses, phone numbers, and booking details. TechCrunch reported affected users then described phishing messages that referenced their real trips. (techcrunch.com) Malwarebytes said criminals can use stolen reservation and identity data to impersonate hotels or travel companies and ask for extra payments or “verification” details. The United Kingdom’s Action Fraud logged 532 Booking.com scam reports between June 2023 and September 2024, with losses of £370,000. (malwarebytes.com) Eurail told customers it has enhanced existing security measures, but the immediate burden now sits with travelers whose passport details were taken months before the company finished tracing what was in the files. (mm.nh.gov)
