Over 300,000 Europeans' data on sale on dark web after December cyberattack on Eurail: Report
Hundreds of thousands of people across Europe have been affected since a December cyberattack on Eurail exposed sensitive personal data of over 300,000 customers, which has now reportedly been offered for sale on the dark web, with several governments advising them to cancel and replace their passports, The Guardian reported on Wednesday.
The Netherlands-based company, which sells Interrail passes for rail travel across Europe, confirmed that data stolen during the breach—including passport numbers, names, contact information, home addresses, and birth dates—has surfaced online, with a sample dataset also shared on Telegram.
Eurail offers passes valid in 33 countries, stretching from northern Norway to the southern coast of Türkiye, with a seven-day ticket priced at €286 for travelers aged 27 and under, €381 for those between 28 and 59, and €343 for passengers aged 60 and above. Up to two children under 12 can travel free when accompanied by an adult.
Authorities in some countries have already begun issuing precautionary guidance. The UK Passport Office advised at least one affected individual to cancel their passport “to prevent it being used for fraudulent activity,” while also requiring a full replacement fee, according to The Guardian.
Similar measures have been reported in Denmark, where affected travelers may face even higher replacement costs.
The development has triggered frustration and anxiety among customers, many of whom are uncertain about the level of risk. "It's an absolute nightmare,” one affected traveler was quoted by the newspaper as saying, who added that the situation “did freak me out” as summer travel plans approach.
Others questioned whether replacing passports is necessary without clearer official guidance. “I genuinely have no idea how serious this is,” another customer said, calling for compensation if replacement is deemed essential.
Eurail has urged users to take precautionary steps, including monitoring for suspicious communications, updating passwords across platforms, and securing financial accounts, according to the newspaper. “We take the security of your data seriously and regret any concern this incident may cause,” the company said.
However, some customers remain critical of the company’s response. “They didn’t take the security of my data seriously, and what value is the regret?” said one affected traveler, expressing concern over potential identity misuse.
Online forums have also seen calls for collective legal action, with some users referencing compensation rights under the EU’s General Data Protection Regulation (GDPR).
Eurail stated it is continuing to notify affected individuals and emphasized that those whose data appeared in the leaked sample have already been contacted. The company added that mitigating risks for customers remains a priority as the situation develops.
AA
