300,000 People Impacted by Eurail Data Breach

Summary

European travel company Eurail suffered a December 2025 data breach affecting over 308,000 customers, with hackers stealing names, passport numbers, and other personal information from the company's AWS S3, Zendesk, and GitLab instances. The attacker claimed to have stolen 1.3 terabytes of data including source code, support tickets, and database backups, initially offering it on the dark web before publishing a sample on Telegram. Eurail confirmed in March that negotiations with the hacker failed and has since notified affected individuals via written letters.

Full text

European travel company Eurail is notifying over 300,000 people that their personal information was stolen in a December 2025 data breach. The incident was initially disclosed in January, when the company warned that customers who were issued a Eurail pass might have been affected. The data was stolen after hackers breached the Netherlands-based company’s network and stole files containing basic identity and contact information. In February, a hacker boasted on a surface web cybercrime site about stealing roughly 1.3 terabytes of data from Eurail’s AWS S3, Zendesk, and GitLab instances, including source code, support tickets, and database backups. The hacker claimed they stole the personal information of millions of Eurail/Interrail customers and that negotiations with the travel company had failed. In early March, Eurail confirmed that the hacker had been offering the stolen data on the dark web and that they published a sample dataset on their Telegram channel. It also said it does not store bank or credit card information, nor visual copies of passports.Advertisement. Scroll to continue reading. “Customers whose personal data was included in the sample dataset will be informed directly where contact details are available to us,” the company said. Last week, Eurail filed breach notifications with the Attorney General’s Offices in several US states, revealing that names and passport numbers were stolen in the attack. The company told the Oregon Attorney General’s Office that the data breach impacts only 308,777 people. Eurail is sending written notifications to the potentially impacted individuals. Related: FBI: Cybercrime Losses Neared $21 Billion in 2025 Related: Massachusetts Hospital Diverts Ambulances as Cyberattack Causes Disruption Related: European Commission Confirms Data Breach Linked to Trivy Supply Chain Attack Related: T-Mobile Sets the Record Straight on Latest Data Breach Filing Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Evasive Masjesu DDoS Botnet Targets IoT DevicesHackers Targeting Ninja Forms Vulnerability That Exposes WordPress Sites to TakeoverTrent AI Emerges From Stealth With $13 Million in FundingCritical Flowise Vulnerability in Attacker CrosshairsGrafanaGhost: Attackers Can Abuse Grafana to Leak Enterprise DataMedusa Ransomware Fast to Exploit Vulnerabilities, Breached SystemsGerman Police Unmask REvil Ransomware LeaderGoogle DeepMind Researchers Map Web Attacks Against AI Agents Latest News Google Warns of New Campaign Targeting BPOs to Steal Corporate DataAdobe Reader Zero-Day Exploited for Months: Researcher$3.6 Million Stolen in Bitcoin Depot HackShaky Ceasefire Unlikely to Stop Cyberattacks From Iran-Linked Hackers for LongData Leakage Vulnerability Patched in OpenSSLRCE Bug Lurked in Apache ActiveMQ Classic for 13 YearsFBI: Cybercrime Losses Neared $21 Billion in 2025Massachusetts Hospital Diverts Ambulances as Cyberattack Causes Disruption Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MovePamela McLeod has been named as CISO of the state of New Hampshire.Aspen Digital has named Matt Altomare as its new Senior Director for Cybersecurity Programs.Scott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea.More People On The MoveExpert Insights The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — Unknown threat actor

Entities