Eurail Data Breach Exposes Personal Information of Over 300,000 U.S. Travelers

Severity: High (Score: 71.0)

Sources: Technadu, Bleepingcomputer, Thecyberexpress, Securityaffairs.Co, Scworld

Summary

Eurail B.V. confirmed a data breach that exposed personal information of approximately 308,777 individuals in the U.S., including names and passport numbers. The breach occurred on December 26, 2025, when unauthorized actors accessed Eurail's network and transferred sensitive files. The company detected unusual activity and initiated an investigation, which concluded on February 25, 2026, confirming the exposure of personal data. Notifications to affected individuals began on March 27, 2026. The breach also potentially compromised financial and health-related information, with samples of the stolen data appearing on the dark web. Eurail has advised affected individuals to monitor their accounts and update passwords. The breach has raised significant concerns about identity theft and the security of customer data in global transit systems. Key Points: • Eurail's data breach affected 308,777 individuals, primarily in the U.S. • Sensitive information, including passport numbers and health data, was compromised. • Eurail has issued warnings about potential phishing attacks targeting affected individuals.

Key Entities

• ShinyHunters (apt_group)
• Data Breach (attack_type)
• Phishing (attack_type)
• Eurail (company)
• Hims & Hers (company)
• Netherlands (country)
• United States (country)
• europa.eu (domain)
• Transportation (industry)
• T1041 - Exfiltration Over C2 Channel (mitre_attack)
• T1566 - Phishing (mitre_attack)
• T1567 - Exfiltration Over Web Service (mitre_attack)
• Telegram (platform)