Interrail customer data offered for sale on dark web in major security breach
More than 300,000 passengers have been affected by the cybersecurity breach as some were advised to cancel their passports after stolen data surfaced online.
Hundreds of thousands of people across Europe have been warned that a cyberattack on Eurail in December has exposed sensitive personal data, which is now reportedly being offered for sale on the dark web.
Passport and identification card numbers, contact details, bank account references, and health data were accessed during a breach of the systems of Eurail BV, the company that sells Interrail passes across Europe.
Eurail has confirmed it has concluded its investigation and is now in the process of informing customers whose personal data was accessed.
Meanwhile, several governments are now advising their citizens to cancel and replace their passports.
The UK Passport Office has instructed at least one person that they must "cancel their passport to prevent it being used for fraudulent activity".
It added that the individual would have to pay the full £102 fee for a replacement.
"I genuinely have no idea how serious this is," one affected customer told the Guardian.
"Do I really need to spend my money doing all this?" they added. "No one wants to spend £100 when they don't have to. If the official advice is to get a new passport, there does need to be some sort of compensation."
Another affected passenger in Denmark said they had been instructed to cancel their passport, with a replacement likely to cost more than £200.
The UK Home Office said the cost of replacing a passport would be a matter for the applicant and the third party responsible for the security breach.
A spokesperson said: “Where a passport holder has been informed of a data breach involving their passport details, it remains for them to determine whether they wish to replace that passport.
“British passports incorporate modern security technologies to help keep ahead of any criminals who may attempt to forge or fake them.”
The breach also affected 18-year-olds who received a pass through the European Union’s DiscoverEU programme, which is giving away 40,000 Interrail passes this year to residents of EU member states or countries associated with Erasmus+.
DiscoverEU is not available to British citizens, but it will be available through the Erasmus+ scheme in 2027.
In a statement, Eurail and DiscoverEU said: “Preventing and mitigating any potential negative consequences for our customers is our highest priority. We encourage customers to remain vigilant for any suspicious or unexpected communications requesting personal information, including phone calls, emails or text messages.
“Eurail will never request sensitive information through unsolicited contact. As a precautionary measure, customers are advised to update their Rail Planner app password and consider changing passwords linked to their email, social media and banking accounts.
“Customers should also monitor their bank accounts for unusual transactions and report any concerns to their bank immediately.”
Some customers have already reached out to Eurail to request compensation in order to change their passports.
One person wrote on Reddit: “I’ve emailed them again asking they’d reimbursed the costs for a new passport because their leak is the first time ever my passport number has been leaked.”
Another asked: “Am I meant to apply for another passport now? I got an email today saying all my data has been put up for sale on the dark web, but I don’t have a clue what I’m meant to do.”
Although Eurail said it was still in the process of notifying affected customers, it noted that all of those whose details appeared in the sample dataset published on Telegram had been informed.