Apr 10, 2026
Eurail Lost 300,000 Travelers' Passport Numbers—It Took Three Months to Tell Them
Hackers breached the European rail pass provider on December 26, 2025. Eurail did not start sending notification letters until March 27, 2026. The stolen data has already appeared on the dark web.
What Happened
Eurail B.V., the Netherlands-based operator that provides digital rail passes covering 33 national railways across Europe, disclosed that an unauthorized actor transferred files from its network on December 26, 2025. A filing with the Oregon Attorney General revealed that 308,777 individuals were affected.
The stolen data included full names, passport details, national ID numbers, bank account IBANs, health information, and contact details such as email addresses and phone numbers. Eurail said it did not store financial information or passport photocopies on the compromised systems, but the combination of passport numbers with names and contact information is more than enough for identity fraud.
Three Months of Silence
The breach happened on December 26. Eurail discovered it sometime in February 2026. Notification letters did not go out until March 27, 2026. The public disclosure came on April 9, more than three months after the attack.
During that gap, threat actors published sample data on Telegram and attempted to sell the full dataset on dark web marketplaces. That means attackers had months to exploit the stolen information while the people whose passports and bank details were exposed had no idea they needed to take protective action.
Under the EU's General Data Protection Regulation, organizations are required to notify affected individuals "without undue delay" when a breach poses a high risk to their rights and freedoms. Passport numbers and bank account IBANs clearly meet that threshold. Whether a three-month delay qualifies as undue will likely be a question for the Dutch Data Protection Authority.
Who Was Affected
The 308,777 affected individuals include Eurail pass customers and young travelers who received free passes through the EU's DiscoverEU program, which gives 18-year-olds rail passes to explore Europe. That means the breach disproportionately affects a younger demographic, many of whom may be less experienced in monitoring for identity fraud.
The geographic scope is broad. Eurail serves travelers from across Europe and beyond, and the stolen passport numbers span multiple nationalities. Each affected country has its own procedures for reporting compromised identity documents, making the remediation burden particularly complex for victims.
Why Passport Numbers Are Dangerous
Unlike a password, you cannot change your passport number without applying for a new document. A stolen passport number combined with a name and date of birth can be used to:
- Open fraudulent bank accounts or credit lines in countries with less rigorous identity verification
- File fraudulent tax returns or government benefit claims
- Create convincing identity documents for social engineering attacks
- Craft highly targeted phishing emails that reference real travel history
The addition of bank IBANs and health information makes this dataset particularly valuable for criminals. It provides multiple vectors for fraud, from direct financial theft to insurance scams. And the problem is accelerating: France's passport agency was breached just days later, exposing up to 19 million citizens' identity records.
What You Should Do
If you have ever purchased a Eurail pass or received one through DiscoverEU:
- Change your Rail Planner app password and any other accounts where you used the same credentials.
- Monitor your bank accounts for unauthorized transactions, especially accounts linked to the IBAN you provided to Eurail.
- Watch for targeted phishing. Attackers now know your name, email, and that you are a Eurail customer. Expect convincing emails referencing train travel, refunds, or account updates.
- Consider contacting your passport authority. Some countries allow you to flag a compromised passport number, which can trigger additional verification for new applications made in your name.
- Place a fraud alert with your national credit reporting agency if your IBAN was exposed.
Breaches like this are also a reminder to limit the personal data you share with travel services. Many companies request passport details for verification but do not need to store them indefinitely. The pattern of delayed breach notifications is becoming disturbingly common, leaving victims exposed for months before they can act.