Eurail B.V., the company that operates the Eurail Pass and Interrail Pass, has confirmed that it recently suffered a cybersecurity breach. According to the company, unauthorized individuals were able to access parts of its internal systems, including a customer database containing personal information.

The incident was made public on January 10, 2026, after Eurail completed an initial assessment of the breach. The company has since reported the matter to European data protection authorities, as required under the General Data Protection Regulation (GDPR), and says it is continuing to investigate exactly how the intrusion occurred and what data was accessed.

What information may have been exposed

Eurail has stated that the attackers may have accessed a range of customer data. This includes basic personal details such as names, dates of birth, and gender, as well as contact information like email addresses, home addresses, and phone numbers. Travel-related data was also potentially exposed, including reservation details and order information linked to Eurail and Interrail passes.

More sensitive data may have been affected in some cases. Eurail confirmed that passport or national ID numbers, along with the issuing country and expiration dates, were stored in the impacted systems and could have been accessed during the breach.

The situation is particularly serious for travelers who participated in the DiscoverEU initiative, which is run by the European Commission. For these users, Eurail acknowledged that additional documents used for eligibility and administration may have been exposed. This can include copies of passports or ID cards, bank account reference numbers such as IBANs, and in limited cases, health-related information submitted as part of the program process.

How Eurail is responding

Eurail says it took immediate action once the breach was detected. The company reports that it secured the affected systems, closed the vulnerability that allowed the intrusion, and reset access credentials. External cybersecurity specialists have also been brought in to help investigate the incident and strengthen defenses.

At this point, Eurail says there is no evidence that the exposed data has been misused or published online. However, the company has emphasized that monitoring is ongoing and that affected customers are being informed about the situation.

What this means for customers

Even when stolen data does not appear to be used right away, it can still pose long-term risks. Personal information obtained in breaches like this is often used for phishing emails, fake customer support calls, or identity theft attempts. Because attackers may already know details about a person’s travel history or identity documents, scams can appear more convincing.

What affected users should do

Customers who have used Eurail, Interrail, or DiscoverEU services are advised to stay alert. Monitoring email inboxes and financial accounts for unusual activity is important. Travelers should be cautious with unexpected messages or calls asking for personal information, even if they appear to come from trusted organizations.

Changing passwords on travel-related accounts and enabling multi-factor authentication where available can help reduce risk. Any suspected fraud should be reported promptly to banks, service providers, or local authorities.

While Eurail has apologized for the incident and says it is strengthening its security, the breach serves as another reminder that travelers should remain vigilant whenever personal data is involved.