SecurityWeek

300,000 People Impacted by Eurail Data Breach

In December 2025, hackers stole names and passport numbers from the European travel company’s network.

European travel company Eurail is notifying over 300,000 people that their personal information was stolen in a December 2025 data breach.

The incident was initially disclosed in January, when the company warned that customers who were issued a Eurail pass might have been affected.

Hackers breached the Netherlands-based company’s network and stole files containing basic identity and contact information.

In February, a hacker boasted on a surface web cybercrime site about stealing roughly 1.3 terabytes of data from Eurail’s AWS S3, Zendesk, and GitLab instances, including source code, support tickets, and database backups.

The hacker claimed they stole the personal information of millions of Eurail/Interrail customers and that negotiations with the travel company had failed.

In early March, Eurail confirmed that the hacker had been offering the stolen data on the dark web and had published a sample dataset on their Telegram channel. It also said it does not store bank or credit card information, nor visual copies of passports.

“Customers whose personal data was included in the sample dataset will be informed directly where contact details are available to us,” the company said.

Last week, Eurail filed breach notifications with the Attorney General’s Offices in several US states, revealing that names and passport numbers were stolen in the attack.

The company told the Oregon Attorney General’s Office that the data breach impacts only 308,777 people. Eurail is sending written notifications to the potentially impacted individuals.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
