Eurail passengers taken for a ride as data breach spills passports, bank details

(2026/01/14)


Eurail has confirmed customer information was stolen in a data breach, according to notification emails sent out this week.

The European travel company, also known as Interrail to EU residents, initially [1]posted the news on January 10, but affected customers, the number of whom was not disclosed, began receiving emails on January 13.

While the company's investigation is ongoing, it revealed the data potentially affected includes:

First and last names

Dates of birth

Genders

Email addresses

Home addresses

Telephone numbers

Passport numbers

Passport issuing country

Passport expiration date

Customers who purchased a travel pass directly from Eurail/Interrail did not have a visual copy of their passports stored on company systems.

However, the same is not true for those who received a pass through the DiscoverEU program, an Erasmus-funded initiative that invites travelers to explore the EU by rail.

The European Commission published a separate [3]notice about the Eurail breach, saying that in addition to the data specified in the company's email, DiscoverEU travelers may also have photocopies of their IDs, bank account reference numbers, and health data compromised.

"To our knowledge, there is currently no evidence that the data has been misused or publicly disclosed," it stated. "Eurail reassured the Commission that this is consistently being monitored by external cybersecurity specialists.

"However, as a result of this incident, possible consequences for you may include: [10]phishing and spoofing attempts, unauthorized access, and identity theft."

Eurail promised the Commission it has secured the affected systems and "closed the vulnerability," as well as reset credentials and enhanced its security controls following the breach.

Additionally, the Utrecht-headquartered company confirmed the breach was reported to the Dutch data protection authority, as required by [11]GDPR.

Eurail said: "Customers whose data may have been accessed will be informed directly. We take the security of our customers' information seriously and regret any concern this incident may cause."

The emails sent to affected customers, seen by The Register, include details about how to spot potential scams that use data stolen during the attack, and advise users to change their passwords for all accounts, not just the one used for the Rail Planner app. ®



[1] https://www.interrail.eu/en/ni/data-security-incident

[3] https://youth.europa.eu/news/updated-data-security-incident-affecting-discovereu-travellers_en

[10] https://www.theregister.com/2025/10/16/ai_makes_phishing_45x_more_effective/

[11] https://www.theregister.com/2025/11/11/eu_leaked_gdpr_ai_reforms/



Here's an idea

wolfetone

It's mandated by government for hotels, travel agencies etc to take and record all of these bits of information.

Why don't the government provide a facility in which to keep them in? Let the Government, who want the data, be tasked with the responsibility of holding that data.

I mean I know why. But we should also start asking these bastards the question. And keep asking them regardless of the answer.

Re: Here's an idea

m4r35n357

Another few hundred incidents like this and people might start wising up. Then again, maybe not.

Re: Here's an idea

cdegroot

Until there's the threat of jail time (and I would call this criminally negligent behavior), nothing will change.

Re: Here's an idea

TeeCee

Unless you can prove that the person responsible both knew of the vulnerability exploited in their systems beforehand and did nothing about it, then they are by definition not guilty of anything.

You cannot hold someone accountable for the illegal actions of a third party.

Now. If you'd suggested that western intelligence agencies should be given a free hand in tracking down those responsible and ensuring that they never trouble anyone, anywhere ever again, I'd be right with you.

Re: Here's an idea

Dan 55

One would hope there were audits and penalties if a business doesn't comply with the Network and Information Systems Regulations 2018 in the UK. This legislation originated in the EU so the EU version should cover Eurail as well.

Re: Here's an idea

An_Old_Dog

Unless you can prove that the person responsible both knew of the vulnerability exploited in their systems beforehand and did nothing about it, then they are by definition not guilty of anything.

We need a somewhat different set of conditions to define guilt/innocence in this situation, because your conditions will excuse both intentional (head-in-the-sand) and due-to-incompetence types of ignorance of their systems' vulnerabilities.

Re: Here's an idea

Fred Daggy

It would be included in "Due Diligence" type legislation. Have you assessed all the risks?

You don't have to do it yourself, but you need to ensure that (a) someone is doing the checks and (b) check and act on the results.

Here is a reminder: Personal private information is the property of the person concerned. If you release it, even through accident or omission, you've taken something from them. You've taken the integrity of the information and my right to disclose it or not. It's the same as if you had let someone charge their credit card without permission. It is theft.

One cannot run a business without financial due diligence. Not just about making a profit - one can run at a loss. What you can't do is run a business knowing that the bills can't be paid. There is a word for that: Fraud. So, neither can you run a business knowing that there are significant risks to customers' personal data. I think we need a new word - PI3 (Personal Information Integrity Idiot). Suggestions welcome.

Re: Here's an idea

Anonymous Coward

Neglegens privatum

Re: Here's an idea

cd

CEO's neck on a wooden block, huge man with black hood and apron carrying dull axe... they might take it seriously.

Re: Here's an idea

Timop

That might not work as you assume.

But what about fines? Something like 25-75% of yearly income? And after the first time something happens, it is extended to the whole top-level company board.

Life is worthless for some but the moment they realise they might lose money....

Re: Here's an idea

DLYONS

and you would trust a government to look after the data? Just thinking out loud.

Doctor Syntax

"Customers whose data may have been accessed will be informed directly. We take the security of our customers' information seriously and regret any concern this incident may cause."

Statements like this should receive a double penalty and be liable for exemplary damages to those affected.

Media should only publish them as part of an interview where they are questioned about the statement.

takno

Naturally enough the notification email went into my spam box, and I'd probably never have seen it if it wasn't for this article.

Korev

Did they use Ruby on Rails?

Lomax

I don't see how the particular framework used would have anything to do with it; you might as well have asked "did they use PHP". But for what it's worth CVEdetails lists no vulnerabilities in Ruby on Rails for 2025, three for ASP.NET ([1]one with severity 9.9), six for Node.js and eleven for PHP (one critical):

[2]https://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html

[3]https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-42998/Microsoft-Asp.net-Core.html

[4]https://www.cvedetails.com/vulnerability-list/vendor_id-12113/product_id-30764/Nodejs-Node.js.html

[5]https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/PHP-PHP.html

Having some limited experience of all four platforms I find Ruby on Rails to be leaner, and more transparent to the developer, than any of the others, which definitely helps when it comes to surveying the attack surface, especially for a small team. If you're curious about how any part of the framework operates you can just open the relevant file(s) and you'll find consistently readable and well documented code. ASP.NET is an obscure behemoth by comparison, and PHP is just an absolute mess. Then again, maybe it's just me.

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315

[2] https://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html

[3] https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-42998/Microsoft-Asp.net-Core.html

[4] https://www.cvedetails.com/vulnerability-list/vendor_id-12113/product_id-30764/Nodejs-Node.js.html

[5] https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/PHP-PHP.html

Why Did Eurail Even *Have* Peoples' Health Data?!

An_Old_Dog

See title.

Re: Why Did Eurail Even *Have* Peoples' Health Data?!

parlei

Almost certainly these are reasonable needs: wheelchair or other mobility accommodation, possibly dietary needs for booked meals (e.g. gluten intolerance). Possibly vaccination status, if this is needed for travel anywhere inside the EU (the old Covid vaccination certificates?).

But I can be wrong.
