Passport numbers for more than 300,000 leaked during December Eurail data breach

European train travel company Eurail B.V. notified U.S. regulators this week about a data breach impacting 308,777 people. 

The company filed breach notices in several states warning about an incident that occurred in December. 

Eurail B.V. is based in the Netherlands and is owned by over 35 European railway and ferry companies, offering travelers specific passes that can be used to traverse Europe’s rail system. 

In a statement to Recorded Future News, the company declined to share details related to the incident but said data was copied after hackers breached Eurail systems on December 26. 

“We can confirm that data copied during the security incident has been offered for sale on the dark web and a sample dataset has been published on Telegram,” a spokesperson said. “Customers whose personal data was included in the sample dataset are being informed directly where contact details are available to us.”

The company did not respond to questions about whether the stolen data was offered for a ransom.

The letters, sent to victims in Oregon, Texas, California and other states, say names and passport numbers were stolen during the attack. 

In February, a hacker claimed the attack and said they stole 1.3 TB of data that included source code, database backups and Zendesk support tickets. The hacker claimed Eurail declined to negotiate with them, prompting them to go public with the theft. 

Eurail has existed since 1959, helping millions travel across Europe. In a public statement last month, Eurail said the incident was reported to European Union data protection authorities as well as other agencies outside the EU. 

The company urged customers to be wary of contact asking for personal information and said people should change the passwords associated with their Rail Planner app. 

The attack had significant downstream effects, impacting a separate traveling program called DiscoverEU. The program released its own statement warning participants that their names, ages, passport information, photocopies of their passports, address, bank account number and some health data was likely included in the breach.