Overview
- Eurail says stolen customer records from an earlier incident are being marketed on the dark web, with a sample posted on Telegram.
- The company is conducting a forensic review to determine which records were exposed and will notify impacted individuals directly.
- Early findings point to possible exposure of identity and contact details, order and reservation data, travel companion information, and in some cases passport numbers with expiry dates, IBANs, and health data.
- Eurail reports that it does not store payment card details or passport copies and has notified EU regulators under GDPR, with notifications to other authorities to follow.
- SecurityWeek observed a public listing where hackers claim to be selling 1.3 TB of data and threaten wider release; these claims have not been verified by Eurail.