The Eurail data breach has exposed personal information of approximately 308,777 individuals in the United States, according to a disclosure by Eurail B.V., the Netherlands-based company that manages the official online sales platform for Eurail and Interrail rail passes. Among those affected are 242 residents of New Hampshire.

The Eurail data breach occurred between late December 2025 and early January 2026, when an unauthorized actor gained access to Eurail’s network and transferred files. The company identified the issue after detecting unusual activity within its systems and later confirmed the exposure of personal data.

Eurail Data Breach Timeline and Response

Following the detection of suspicious activity, Eurail activated its incident response procedures and initiated an investigation with third-party cybersecurity experts. Law enforcement was also notified and is continuing to investigate the incident.

According to the company, the unauthorized access took place on December 26, 2025, when files were transferred from its network. The investigation concluded that these files contained personal information, with the final determination made on February 25, 2026.

Eurail began notifying affected individuals and state authorities on March 27, 2026, reporting the breach to attorneys general in California, New Hampshire, Oregon, and Vermont. A public notice was also issued on the European Youth Portal.

Information Compromised in the Eurail Data Breach

The company confirmed that the Eurail data breach involved sensitive personal information, including:

• Names
• Passport numbers

While this represents the confirmed data for U.S. individuals, earlier findings suggest that the broader impact may be more extensive. Previous disclosures linked to the incident indicated that additional data types were compromised, including financial and health-related information.

Broader Exposure Linked to Eurail Data Breach

Earlier this year, Eurail confirmed that data from a prior breach was being offered for sale on the dark web, with samples appearing on Telegram. This development suggested that the incident extended beyond initial containment and had evolved into a wider data exposure situation.

The earlier dataset reportedly included passport details, bank account IBANs, email addresses, phone numbers, and health information, in addition to names. The combination of such data increases the risk of identity theft, financial fraud, and long-term misuse.

The breach is also believed to have affected customers who purchased Eurail or Interrail passes through partner channels, as well as participants in the DiscoverEU program, which issued its own warning that sensitive personal details, including passport copies and financial information, may have been exposed.

Company Measures and Security Actions

In response to the Eurail data breach, the company has taken several steps, including terminating unauthorized access, strengthening internal security measures, and continuing its cooperation with law enforcement and cybersecurity experts.

Eurail stated that it takes the protection of customer information seriously and is working to prevent similar incidents in the future. The investigation into the full scope of the breach is ongoing.

What Affected Individuals Should Do

Eurail has advised customers to stay alert to suspicious communications, especially any requests for personal information. Individuals are encouraged not to share sensitive data with unknown or unsolicited contacts claiming to represent the company.

The company also recommends that users monitor their financial accounts and review credit reports regularly for any unauthorized activity. In the United States, consumers can obtain a free annual credit report from each of the three major credit bureaus.

Those who suspect misuse of their information are advised to contact the Federal Trade Commission, reach out to their state’s attorney general office, and report the matter to local law enforcement.

A Growing Risk Around Travel Data

The Eurail data breach highlights the risks associated with large-scale travel platforms that handle sensitive identity and financial information. With passport numbers and other personal identifiers involved, the exposure can lead to long-term consequences for affected individuals.

As investigations continue, the incident reinforces the need for stronger data protection measures and constant monitoring across systems that manage sensitive traveler information.