Eurail confirms stolen traveler data being sold on dark web

Security Reporter

Eurail B.V. confirms that data stolen in a breach is being sold on the dark web, with samples published on Telegram. The breach affects customer passport details, bank information, and health records.

Eurail B.V., the operator that provides access to 250,000 kilometers of European railways, confirmed that data stolen in a breach earlier this year is being offered for sale on the dark web. The company said that a threat actor also published a sample of the data on the Telegram messaging platform, but it is still trying to determine the type of records and number of customers affected.

Eurail B.V. is a Netherlands-based firm that manages and sells passes (Eurail and Interrail) for train travel across Europe, offering flexibility for multi-country trips. Its passes are also very popular among young European travelers participating in the EU's DiscoverEU program.

Last month, the company disclosed that it suffered a data breach when threat actors gained unauthorized access to its customer database, compromising sensitive information, including full names, passport details, ID numbers, bank account IBANs, health information, and contact details (email addresses, phone numbers).

"We have become aware that the data has been offered for sale on the dark web and a sample data set has been published on Telegram. We are currently investigating which specific data records or how many of the affected customers this concerns," reads Eurail's update.

Eurail states that it is continuing the investigation to determine exactly what data was compromised for each affected customer, and that it will send individual notifications to those impacted. Meanwhile, the relevant data protection authorities have been notified in accordance with GDPR requirements, and authorities outside the EU will be alerted soon.

Customers who may have had their information exposed in this incident should be vigilant for potential phishing and scam attempts. Eurail suggests that customers update their Rail Planner app account passwords and reset them on any other platform where they use the same credentials. Customers should also monitor their bank account activity closely and report any suspicious transactions to their bank immediately.

A FAQ page has been published to support customers, and any concerns may also be addressed directly via email to [email protected].

This breach highlights the growing threat to travel and transportation companies, which hold extensive personal data on millions of customers. The exposure of passport details, health information, and banking data creates significant risks for identity theft and financial fraud.

For affected travelers, experts recommend several immediate steps:

  • Change passwords on all accounts, especially if using the same credentials elsewhere
  • Enable two-factor authentication where available
  • Monitor financial statements and credit reports for suspicious activity
  • Be wary of unsolicited communications claiming to be from Eurail or related services
  • Consider placing fraud alerts on credit files with major credit bureaus

The sale of stolen data on dark web marketplaces has become increasingly common, with threat actors often attempting to maximize profits by selling in bulk to other cybercriminals who may use the information for various fraudulent activities.
