Interrail Travellers Advised to Cancel Passports After Hacked Data Leaked Online – The Guardian

by Anika Shah - Technology

Some Interrail travellers told to cancel passports as hacked data posted online

A data breach affecting customers of Eurail and its sister brand Interrail has prompted warnings for certain travelers to take immediate action to protect their identities, following confirmation that sensitive personal information—including passport details—was compromised in a cyberattack disclosed in January 2026.

The breach, first disclosed by Eurail B.V. on January 10 and followed by customer notifications beginning January 13, involved unauthorized access to customer data stored in the company’s systems. While the full number of affected individuals has not been publicly disclosed, the company confirmed that the compromised data includes names, dates of birth, gender, email addresses, home addresses, telephone numbers, passport numbers, passport issuing countries, and passport expiration dates.

Critically, the nature of the risk varies depending on how customers obtained their travel passes. For those who purchased Eurail or Interrail passes directly through the company’s official channels, Eurail stated that no visual copies or scans of passports were stored on its systems. However, for participants in the DiscoverEU program—an initiative funded by the European Commission and Erasmus+ that provides free travel passes to young Europeans—the situation is different. These travelers may have had photocopies of their identification documents, along with bank account reference numbers and health-related data, exposed in the breach, according to a separate notice issued by the European Commission.

In response, Eurail advised all affected customers to change passwords not only for their Eurail accounts but also for any other online services where the same credentials might be used. The company emphasized that it is working with external cybersecurity specialists and legal advisors to investigate the incident and monitor for any signs of misuse of the stolen data.
As of its latest statement, Eurail said there is currently no evidence that the compromised information has been misused or publicly disclosed.

Despite this assurance, the exposure of passport numbers and other identifying information raises significant concerns about potential identity theft. Security experts note that while a passport number alone cannot be used to travel, it can be combined with other personal details to facilitate fraudulent applications for documents, open bank accounts, or impersonate individuals in financial or legal contexts. For individuals whose actual passport scans or photocopies were accessed—particularly DiscoverEU participants—the risk is heightened, prompting recommendations in some cases to consider canceling and replacing affected passports as a precautionary measure.

The incident underscores the growing vulnerability of travel and transportation providers to cyberattacks, particularly those handling large volumes of sensitive personal data. It also highlights the importance of data minimization practices, such as avoiding the storage of unnecessary document copies, which can reduce the impact of a breach.

Eurail has not disclosed the technical cause of the breach or whether any specific vulnerability or attack vector—such as phishing, malware, or a third-party compromise—was responsible. The company said its investigation remains ongoing, with updates to be provided as more information becomes available.

Customers who believe they may be affected are encouraged to monitor their accounts for unusual activity, enable multi-factor authentication where possible, and remain vigilant against phishing attempts that may exploit the breach. Official guidance and updates are being posted on Eurail’s website and communicated directly to impacted users via email.
