Eurail Passport Data Leak 2026:
What You Need to Know
Eurail confirmed in April 2026 that a 26 December 2025 breach exposed passport numbers, names, dates of birth, phone numbers, email and home addresses for 308,777 travellers. A subset of DiscoverEU participants also lost passport scans, bank account numbers and some health data, and a sample of the dataset has already been published on Telegram.
Your personal risk from this breach
Sign in or create a free account to see your personalised risk score.
What Happened
How the Eurail Breach Unfolded
26 December 2025
Attackers gained access to a Eurail customer-data store that held passport details captured during the rail-pass identity-verification flow, copying files for both Eurail and DiscoverEU travellers.
27 March 2026
Three months after the intrusion, Eurail began notifying affected individuals. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) was notified under GDPR breach-notification rules.
April 2026
Public reporting confirmed that 308,777 travellers were impacted, with passport numbers, names, dates of birth, phone numbers, email and home addresses accessed. A subset of DiscoverEU participants additionally lost passport photocopies, bank account numbers and some health data. A sample dataset was published on Telegram and the full dataset offered for sale on the dark web.
Affected travellers received an email referencing "Important information about your Eurail Pass account".
What Was Exposed
Personal Data Leaked in the Breach
Because Eurail requires identity verification at pass purchase, the affected dataset is unusually rich. Passport numbers paired with full name and date of birth substantially increase identity-fraud risk compared to most consumer breaches.
| Data Type | Risk Level | Who Was Affected |
|---|---|---|
| Full name | High | All 308,777 affected travellers |
| Email address | High | All 308,777 affected travellers |
| Phone number | High | All 308,777 affected travellers |
| Home address | High | All 308,777 affected travellers |
| Date of birth | High | All 308,777 affected travellers |
| Passport number | High | All 308,777 affected travellers |
| Passport photocopy / scan | High | DiscoverEU participants only (subset) |
| Bank account number | High | DiscoverEU participants only (subset) |
| Health data | High | DiscoverEU participants only (subset) |
Risk levels based on the OAIC: What is personal information? and OAIC Australian Privacy Principles. Passport data is treated as a high-risk identity document under most national privacy frameworks.
✅ Confirmed NOT Exposed
Eurail has stated that full credit-card numbers (PANs), CVV values, and account passwords were not stored in the affected system. Passport scans / images were not part of the dataset for the general Eurail population; only the passport numbers and metadata. (DiscoverEU participants are a separate, more sensitive subset; see the exposed-data table above.)
Company Response
What Eurail Did
“We deeply regret that this happened to our customers. We have notified the Dutch Data Protection Authority and are working with cybersecurity experts to support affected travellers.”
Actions Taken by Eurail
- Isolated the affected data store and audited access controls
- Notified the Dutch Data Protection Authority (lead GDPR supervisor)
- Notified data-protection authorities in other affected EU member states
- Began emailing affected customers with details of the specific fields exposed
- Engaged external cyber forensics specialists to confirm scope
- Published guidance on responding to passport-themed identity fraud
What Now?
Steps You Can Take After the Eurail Breach
Passport data is one of the most sensitive identity documents you can have leaked. The combination of passport number name date of birth email is enough to defeat most online identity-verification questions. Here are general best-practice steps.
Travel and Identity Documents
Your passport number was exposed. Treat it as a sensitive identifier going forward.
Decide whether to replace your passport
~20 minReport a misuse of your passport number
Email and Digital Identity
Your email is the key to your digital identity. Securing it is a sensible first step.
Strengthen email security
~5 minUnderstand your full account exposure
Identity Protection
Passport + name + date of birth defeats most knowledge-based verification.
Consider a credit ban
~20 minAdd fraud alerts where credit bans are not available
Monitoring and Reporting
Resources for breach response in Australia and the EU.
Contact IDCare or report to Scamwatch (AU)
EU residents: contact your national DPA
Not sure how this combines with other breaches?
In The Event Of discovers your accounts automatically and alerts you in real time when new breaches affect your data.
Are You Still at Risk?
Compound Risk: Eurail Plus Other Travel Breaches
Travellers are increasingly being targeted because their data is spread across many companies (airlines, hotel groups, rail operators, booking sites), and any single breach can be combined with others to defeat identity checks.
Why this matters
Eurail leaked passport numbers. Optus (2022) leaked passport numbers plus drivers' licences. Booking.com (2026) leaked names + reservation context. Combine these and an attacker has a near-complete travel-identity dossier, enough to defeat most airline rebooking verification, bank phone challenges, and e-visa applications.
- Optus (2022)9.8M records - passport, licence, Medicare numbers
- Booking.com (2026)Names, emails, reservations - travel context for phishing
- Marriott / Starwood (2018)500M records - passport numbers, hotel-stay history
- Qantas (2025)5.7M records - frequent flyer, name, DOB
In The Event Of can overlay your breach data and help you prioritise the highest-impact actions.
Frequently Asked Questions
Eurail Breach FAQ
Sources
- BleepingComputer: "Eurail says December data breach impacts 300,000 individuals"
- The Record (Recorded Future News): Passport numbers for more than 300,000 leaked during December Eurail data breach
- SecurityWeek: 300,000 People Impacted by Eurail Data Breach
- Biometric Update: Eurail breach exposes passport data, fuels dark web identity trade
- Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
- European Data Protection Board: GDPR breach notification guidelines
- Australian Passport Office: Lost or stolen passports
- OAIC: Australian Privacy Principles
Other Major Australian Data Breaches
Data from multiple breaches can be combined to increase identity fraud risk. Review these guides to understand your full exposure.
NYC Health + Hospitals Data Breach 2026
~1.8M records exposed
Australian Courts Data Breach 2026
Thousands of files records exposed
youX Data Breach 2026
~444K records exposed
Prosura Data Breach 2026
300K-500K records exposed
Canvas (Instructure) Data Breach 2026
~275M (claimed) records exposed
Booking.com Data Breach 2026
Undisclosed records exposed
McGraw Hill Data Breach 2026
13.5M records exposed
Crunchyroll Data Breach 2026
Undisclosed records exposed
Basic-Fit Data Breach 2026
1M records exposed
Under Armour Data Breach 2025
72M records exposed
Salesforce (ShinyHunters) Data Breach 2025
~1B records exposed
Allianz Life Data Breach 2025
2.8M records exposed
Workday Data Breach 2025
Undisclosed records exposed
Western Sydney University Data Breach 2025
10K records exposed
Genea Fertility Data Breach 2025
940K records exposed
DeepSeek Data Breach 2025
1M records exposed
Tangerine Telecom Data Breach 2024
232K records exposed
Australian Clinical Labs Data Breach 2022
223K records exposed
Qantas Data Breach 2025
5.7M records exposed
Optus Data Breach 2022
9.8M records exposed
Medibank Data Breach 2022
9.7M records exposed
Latitude Financial Data Breach 2023
14M records exposed
MyDeal (Woolworths) Data Breach 2022
2.2M records exposed
Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with Eurail B.V. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.