Eurail security breach exposes personal data of more than 300,000 passengers and increases the risk of fraud


A serious security breach at a company that connects passengers to European rail networks has exposed highly sensitive information belonging to hundreds of thousands of people. The Dutch operator that markets the Interrail and Eurail passes confirmed that, following an intrusion detected in December 2025, the attackers managed to extract personal data belonging to a significant part of its customer base.

According to the notification subsequently sent to the persons concerned, the intruders managed to transfer files out of the company's network at the end of December and, after reviewing those files at the end of February 2026, the company identified that they contained personal data. A communication to clients and authorities specified that the number of people affected is more than 300,000; in a submission to the United States authorities the figure indicated was 308,777 potentially compromised records. The notification is posted on the California Attorney General's Office site: Eurail - notification to affected (PDF).


The types of data involved make the breach particularly worrying. In addition to names and contact details, the reviewed files contain identity documents and passports, bank IBANs and, in some cases, medical information. The European Commission itself, which has been following the impact on young people who received passes through the DiscoverEU programme, warned that for those who took part through that programme the exposed data could include health data and other sensitive elements; the official alert is available on the DiscoverEU portal: Commission information on the incident and its impact on DiscoverEU.

Public disclosure of the incident has also been followed by the appearance of a data sample in messaging channels and by attempts to sell the data on underground forums. Eurail informed its customers that the malicious actors shared examples of the stolen material on Telegram and that they were trying to sell data sets on the so-called "dark web."

Although the company stated that certain elements, such as passport copies or full financial information, were not stored in the compromised systems, the nature and variety of the exposed fields involve real risks of fraud and impersonation. With document numbers, full names and contact details in the hands of third parties, the danger of highly targeted phishing campaigns and attempts at bank fraud increases considerably.

What can affected people do? The company recommended immediate measures such as reviewing bank transactions and alerting the bank to any suspicious movement, changing the Rail Planner application password and not reusing that password in other services. It is also prudent to treat with caution any unsolicited emails, calls or messages that ask for additional information or contain links to "verify" data. For those who want to learn more and cross-check information about similar incidents, or check whether their email address appears in public leaks, public services such as Have I Been Pwned are useful, and the European Union Agency for Cybersecurity (ENISA) publishes practical guidelines on how to respond to data breaches: ENISA - resources and recommendations.

At the regulatory level, such incidents require companies to inform the competent authorities and those concerned and to review their internal controls. European data protection legislation (and its practical application under the General Data Protection Regulation) imposes reporting and remediation obligations which must be met with due diligence; for those who want to consult the legal framework and their rights, the European Commission provides basic information on data protection: EU data protection framework.

This incident does not occur in a vacuum: other high-profile attacks on European agencies and platforms have been seen in recent weeks, placing information security at the heart of the public debate. Although each breach has its own particularities, the trend of actors who exfiltrate large volumes of data and then disseminate or sell them underlines the need for more robust controls, early detection and coordinated responses between companies and authorities.


For travelers who depend on digital passes and platforms, the lesson goes beyond changing passwords: it is essential to demand transparency from suppliers, to demand explanations of what happened and what corrective measures have been implemented, and to be attentive to possible consequences in the medium term, such as attempts at identity fraud or financial theft. The consumer and data protection authorities are also channels for reporting and receiving guidance; in the United States, for example, the State Attorney General's offices issue instructions for reporting breaches and resources for those affected, and in the EU the national data protection agencies perform equivalent functions.

If you were a Eurail user or received a pass through DiscoverEU and suspect that your information might be affected, check the official communication from the company and the documentation from the above-mentioned authorities, and consider additional measures such as activating notifications on your bank accounts, considering setting up fraud alerts and, in extreme cases, talking to your financial institution about temporary blocks or enhanced monitoring. Keeping calm and acting with caution is still the best defense in such incidents.

For official information and up-to-date messages from the operator itself and from European bodies, review the Eurail site and the Commission and cybersecurity agency communiqués referred to in this article. The investigation of the incident and the rollout of mitigation measures will continue in the coming months, and it is advisable to stay informed through reliable sources.
