For generations of backpackers and budget travelers, the Eurail pass has been a symbol of European freedom: a single document, valid on dozens of national railways, that opens the entire continent to anyone willing to carry a bag and board a train. The company that sells those passes, Eurail B.V., is based in the Netherlands and holds the personal data of millions of customers who have purchased passes over the years.
In December 2025, someone accessed that data without authorisation. By the time Eurail confirmed the scope of the breach in late February 2026, the picture was significantly worse than the company's initial communications suggested: 308,777 individuals affected, 1.3 terabytes of data exfiltrated, passport and identity document copies, bank account details, health information, source code, and full data backups, all in a criminal's hands and eventually listed for sale on dark web markets.
As of late April 2026, some affected travelers are being told they should consider replacing their passports.
What Happened and When
The breach occurred in December 2025. Eurail detected the intrusion in January 2026 and began internal investigation. On February 25, 2026, the company confirmed that the personal data of hundreds of thousands of customers had been accessed.
The delay between the December breach and the February disclosure reflects a pattern that is frustratingly common in large data incidents: the initial detection triggers an investigation, legal counsel is engaged, the scope is assessed, and notifications are delayed while the organisation attempts to understand the full picture before communicating it. Under GDPR (Article 33), a controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to individuals; the clock starts on awareness of the breach itself, not on completion of the investigation into its scope, and the regulation allows the notification to be delivered in phases when the full picture is not yet known. Affected individuals must be told without undue delay where the breach is likely to result in a high risk to them (Article 34). Eurail filed notifications with the relevant Dutch regulator, the Autoriteit Persoonsgegevens, and completed US regulatory notifications as required.
The attacker reportedly demanded a ransom before making data public. When that ransom was not paid β or the negotiation failed β sample datasets were posted to Telegram as proof of possession. The full 1.3 TB dataset was subsequently listed on dark web markets.
What Was Taken: A Particularly Damaging Data Class
The combination of data types exposed in the Eurail breach is, by the standards of what these incidents typically produce, unusually comprehensive.
Passport and ID copies. Eurail collects identity document copies from some customers as part of the verification process for specific pass types. A scanned passport is not just a record of your name and nationality: it contains the passport number, which is a credential used across border crossings, hotel check-ins, and international travel documentation. A stolen passport number, combined with a facial photograph from the passport copy, can be used to create fraudulent identity documents, support identity fraud in jurisdictions with weaker verification, and complicate border crossing processes for affected individuals.
The guidance that some travelers should consider replacing their passports is not standard post-breach advice: it reflects a judgment that the document itself is sufficiently compromised that the practical risk of continued use outweighs the inconvenience of replacement. Passport replacement requires a government or consular fee, several weeks of processing time, and the surrender of the old document together with any visas and entry stamps it carries. Advising hundreds of thousands of people to undertake that process is a serious recommendation.
IBAN bank account numbers. An IBAN is the international bank account number used for European credit transfers and direct debits. In isolation, an IBAN does not give an attacker direct access to a bank account: outgoing transfers from the account still require the account holder's own authentication. But IBAN details in combination with other personal information can be used for direct debit fraud, where an attacker sets up an unauthorised mandate to pull funds from an account. Under the SEPA Core Direct Debit scheme the mandate is held and submitted by the creditor, and the debtor's bank is not required to check it against anything the account holder signed before honouring the collection, so the friction for debiting a known IBAN is lower than consumers might assume.
Health data. The presence of health information in a travel pass company's database requires explanation. Eurail collects medical information from customers who require accessibility accommodations or who are traveling with a specific medical condition that qualifies them for discounted or modified pass terms. This data is particularly sensitive under GDPR: health information is special category personal data under Article 9, requiring additional protection and carrying higher regulatory exposure when breached.
Source code and data backups. The exfiltration of source code and full data backups is the technical component that made this breach so large at 1.3 TB. Source code reveals the internal architecture of Eurail's platform, potentially including authentication logic, API integration details, and database schemas. Full data backups suggest the attacker had access to backup storage systems, not merely a customer-facing database export.
Three Hundred Thousand Travelers: Who Is Affected
Eurail passes are sold to tourists, students, and travelers from every part of the world visiting or transiting Europe. The affected customer base is internationally distributed, with significant concentrations among North American, Australian, and Asian visitors for whom a Eurail pass represents the standard entry point for European rail travel.
The geographic spread of affected individuals complicates notification and remediation. GDPR applies to Eurailβs operations because the company is Dutch-based, but the affected individuals may be subject to different national privacy laws in their home countries. US regulatory notifications have already been filed, acknowledging the significant volume of American Eurail customers. Other jurisdictions may require separate notifications depending on their national data protection laws.
The nature of the pass product means that many affected individuals purchased their passes years ago, may not remember exactly what data they provided, and may not have current contact details registered with Eurail. Reaching 308,777 internationally distributed customers with a breach notification that requires them to take action β and in some cases, to replace government-issued identity documents β is a significant logistical and communications challenge.
GDPR Exposure and What Eurail Faces
Eurail's breach carries meaningful GDPR exposure. The special category data element, health information, weighs heavily in the risk assessment that determines whether affected individuals must be notified directly, and raises the floor for what constitutes adequate security under the regulation. The Dutch supervisory authority, the Autoriteit Persoonsgegevens, has been notified and will likely open a formal investigation.
The relevant question for GDPR enforcement is whether Eurail's security measures were appropriate given the nature of the data it held. A company that collects passport copies, bank account numbers, and health information should, under GDPR's data protection by design (Article 25) and security of processing (Article 32) requirements, hold that data under proportionate protection. The theft of 1.3 TB including full data backups suggests either insufficient access controls on backup storage, inadequate monitoring of data exfiltration, or both.
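The "inadequate monitoring of data exfiltration" point is the one a defender can act on before an incident rather than after it. The following is an added example, not Eurail's code or any tool named on this page: it reads constructed outbound-transfer log lines (timestamp, source host, destination address, bytes sent; the format, hostnames and addresses are all assumptions) and raises two kinds of alert, a host whose daily outbound volume exceeds a multiple of its own earlier daily median, and any transfer from an internal host to an address outside RFC 1918 space. A backup host that normally pushes about 100 MB a night to an internal target and then sends roughly 170 GB to a public address trips both checks.

```python
"""Egress anomaly check over outbound-transfer logs (added example, constructed data)."""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "<ISO timestamp> <source host> <destination IP> <bytes sent>".
# Hostnames, addresses and sizes are invented for illustration; the last two lines
# model a backup host pushing ~170 GB to a public address instead of its usual target.
SAMPLE_LOG = """\
2025-12-01T02:00:00Z backup-01 10.0.5.20 52428800
2025-12-01T02:05:00Z backup-01 10.0.5.20 50331648
2025-12-02T02:00:00Z backup-01 10.0.5.20 53477376
2025-12-02T02:05:00Z backup-01 10.0.5.20 51380224
2025-12-03T02:00:00Z backup-01 10.0.5.20 52428800
2025-12-03T02:05:00Z backup-01 10.0.5.20 49283072
2025-12-04T02:00:00Z backup-01 10.0.5.20 52428800
2025-12-04T02:05:00Z backup-01 10.0.5.20 50331648
2025-12-05T03:10:00Z backup-01 203.0.113.45 85899345920
2025-12-05T03:40:00Z backup-01 203.0.113.45 91268055040
"""

# RFC 1918 ranges; any destination outside them is treated as external egress.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Transfer:
    day: str        # YYYY-MM-DD, taken from the timestamp
    host: str
    dst: str
    nbytes: int


@dataclass(frozen=True)
class VolumeAlert:
    host: str
    day: str
    observed: int    # bytes the host sent that day
    baseline: float  # median of the host's earlier daily totals


def parse_log(text: str) -> list[Transfer]:
    """Parse the whitespace-separated format used by SAMPLE_LOG."""
    transfers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        transfers.append(Transfer(ts[:10], host, dst, int(nbytes)))
    return transfers


def is_external(dst: str) -> bool:
    """True when the destination lies outside every internal range."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def external_egress(transfers: list[Transfer]) -> list[Transfer]:
    """Every transfer whose destination is outside the internal ranges."""
    return [t for t in transfers if is_external(t.dst)]


def volume_anomalies(transfers: list[Transfer], multiplier: float = 5.0,
                     min_history_days: int = 3) -> list[VolumeAlert]:
    """Flag days on which a host sent more than `multiplier` times the median of
    its own earlier daily totals. Each host is its own baseline, so a busy file
    server is never compared against a quiet workstation."""
    totals = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    for t in transfers:
        totals[t.host][t.day] += t.nbytes
    alerts = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history_days:
                continue  # too little baseline; do not alert on the first days
            baseline = statistics.median(history)
            if per_day[day] > multiplier * baseline:
                alerts.append(VolumeAlert(host, day, per_day[day], baseline))
    return alerts


if __name__ == "__main__":
    transfers = parse_log(SAMPLE_LOG)
    for a in volume_anomalies(transfers):
        print(f"VOLUME   {a.host} {a.day}: {a.observed:,} bytes vs median {a.baseline:,.0f}")
    for t in external_egress(transfers):
        print(f"EXTERNAL {t.host} -> {t.dst} {t.nbytes:,} bytes on {t.day}")
```

The per-host median baseline is deliberately simple; in production the same structure would be fed from flow records or proxy logs and the destination check would use an allow-list of sanctioned external targets rather than raw RFC 1918 membership.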
GDPR fines can reach €20 million or 4% of annual global turnover, whichever is higher, for the most serious violations. Eurail B.V. is not a standalone commercial technology company: it is a Dutch private limited company that manages the pass scheme on behalf of European railway operators, and fine calculation will reflect that revenue structure. But the enforcement attention following a breach of this scale and sensitivity is essentially guaranteed.
What Affected Travelers Should Do
If you have purchased a Eurail pass at any point, check whether you have received a breach notification from Eurail. If you have not and believe you may be affected, contact Eurail directly.
If your passport number was exposed, consider the risk level carefully. Passport replacement is significant but finite. If you regularly travel internationally, particularly to destinations with passport-number-based entry systems, the risk of a compromised passport number may warrant replacement. Your national passport office can advise on the specific risks and process.
If you provided a bank account IBAN, monitor your account for unauthorised direct debit mandates. In most European banking systems you can review, block and cancel direct debit mandates directly through your online banking portal. If you identify a collection you did not authorise, contact your bank immediately: under the SEPA scheme and the EU payment services rules, a debit you did authorise can be refunded on request within eight weeks of the charge date without giving a reason, and a debit collected under a mandate you never gave can be disputed for up to 13 months.
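The mandate review described here, and the direct debit fraud mechanism described in the "IBAN bank account numbers" paragraph above, come down to one check: which collections on the statement are not backed by a mandate you actually signed, and how long you have left to act on each. The following is an added example, not Eurail's code or any bank's tooling: it reads a constructed CSV statement export (the column layout, creditor identifiers, mandate references and names are all invented; real exports differ), compares each SEPA direct debit against a set of known mandates, and attaches both the eight-week no-questions refund deadline and the 13-month unauthorised-transaction dispute deadline to every debit it cannot match.

```python
"""Review SEPA direct debits against the mandates you know you signed
(added example, constructed data)."""
from __future__ import annotations

import calendar
import csv
from dataclasses import dataclass
from datetime import date, timedelta
from io import StringIO

# Constructed statement export; creditor IDs, mandate references and names are
# invented. The column layout is an assumption: real bank exports differ.
STATEMENT_CSV = """\
booking_date,type,creditor_id,mandate_ref,creditor,amount_eur
2026-03-02,SEPA_DD,NL98ZZZ123456780000,GYM-2019-0042,FitClub Amsterdam,39.90
2026-03-05,CARD,,,Supermarkt Centrum,21.35
2026-03-14,SEPA_DD,DE11ZZZ00000099999,MND-77312,Quick Loan Portal GmbH,249.00
2026-03-28,SEPA_DD,NL98ZZZ123456780000,GYM-2019-0042,FitClub Amsterdam,39.90
2026-04-03,SEPA_DD,FR22ZZZ555555,A1B2C3,Premium Services SAS,89.99
"""

# Mandates the account holder actually signed, keyed by (creditor ID, mandate reference).
KNOWN_MANDATES = {("NL98ZZZ123456780000", "GYM-2019-0042")}

NO_QUESTIONS_REFUND = timedelta(weeks=8)   # authorised debit: refund on request
UNAUTHORISED_DISPUTE_MONTHS = 13           # debit under a mandate you never gave


@dataclass(frozen=True)
class Finding:
    booked: date
    creditor: str
    creditor_id: str
    mandate_ref: str
    amount_eur: float
    refund_deadline: date       # end of the 8-week no-questions window
    dispute_deadline: date      # end of the 13-month unauthorised-transaction window
    within_refund_window: bool  # can still be reversed without a dispute


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of a short month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def review_direct_debits(csv_text: str, known: set[tuple[str, str]],
                         today: str | None = None) -> list[Finding]:
    """Return every SEPA direct debit not covered by a known mandate, with the
    two deadlines that matter for getting the money back. `today` is an ISO
    date string; it defaults to the current date."""
    as_of = date.fromisoformat(today) if today else date.today()
    findings = []
    for row in csv.DictReader(StringIO(csv_text)):
        if row["type"] != "SEPA_DD":
            continue  # card and credit-transfer rows cannot be mandate fraud
        if (row["creditor_id"], row["mandate_ref"]) in known:
            continue
        booked = date.fromisoformat(row["booking_date"])
        refund_deadline = booked + NO_QUESTIONS_REFUND
        findings.append(Finding(
            booked=booked,
            creditor=row["creditor"],
            creditor_id=row["creditor_id"],
            mandate_ref=row["mandate_ref"],
            amount_eur=float(row["amount_eur"]),
            refund_deadline=refund_deadline,
            dispute_deadline=add_months(booked, UNAUTHORISED_DISPUTE_MONTHS),
            within_refund_window=as_of <= refund_deadline,
        ))
    return findings


if __name__ == "__main__":
    for f in review_direct_debits(STATEMENT_CSV, KNOWN_MANDATES, "2026-04-20"):
        print(f"{f.booked} {f.creditor!r} EUR {f.amount_eur:.2f} mandate {f.mandate_ref}: "
              f"refund by {f.refund_deadline}, dispute by {f.dispute_deadline}")
```

The known-mandate set is the part that needs care: build it from the mandates listed in your banking portal and from contracts you recognise, not from the statement itself, or a fraudulent mandate that has already collected once will look legitimate on the second collection.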
If you provided health or medical information, be aware that this data has been exposed and may be used in targeted phishing attempts that reference your health condition to appear credible.
The Dark Web Timeline
The progression from breach to dark web listing follows a pattern documented across dozens of similar incidents: initial breach in December, ransom demand, internal deliberation and partial disclosure in January and February, ransom negotiation failure, a Telegram proof-of-possession posting to establish authenticity and create pressure, and a full listing on dark web markets once the attacker determines the victim will not pay.
The decision not to pay a ransom is, according to most law enforcement guidance, the correct one: payment does not guarantee data deletion, funds criminal operations, and creates incentives for future attacks. But the consequence of that decision, when the data is as sensitive as Eurail's, falls on the customers rather than the company. The travelers whose passport copies are now circulating on dark web markets did not choose the company's ransom response strategy. They trusted the company with documents that are difficult and costly to replace.
That gap, between who makes the security decision and who bears the consequences of its failure, is one of the structural problems that makes data breach accountability genuinely difficult. Eurail held sensitive data. An attacker stole it. Three hundred thousand people are being told to consider replacing their passports. The company that created the exposure will face a regulatory fine. Whether that fine is proportionate to the harm caused to the individual travelers is a separate question that European data protection enforcement has not yet fully answered.
Eurail B.V. confirmed in February 2026 that a December 2025 breach exposed passport and ID copies, IBAN bank account details, health data, source code, and full data backups belonging to 308,777 travelers. The 1.3 TB dataset was subsequently listed for sale on dark web markets. Some affected travelers are being advised to consider replacing their passports. The Dutch data protection authority has been notified.