Eurail Data Breach: 1.3TB Dump for Sale Now
A threat actor is claiming to sell a 1.3TB Eurail dataset while Eurail has publicly confirmed that some customer data from its January 2026 security incident is being offered for sale and that a sample has appeared on Telegram.
What Happened in the Breach
Eurail B.V. said a security breach led to unauthorized access to customer data, and its February 13, 2026 update said some customer data affected by the incident had been offered for sale on the dark web with a sample dataset published on Telegram.
Eurail said the incident is under investigation with external cybersecurity specialists and legal advisors, and it said it is still working to determine scope, impact, and which specific records are involved.

Timeline: From First Access To Latest Update
- January 10, 2026: According to reporting, Eurail publicly posted its initial breach notice on its Interrail site on this date
- January 13, 2026: The European Commission published an incident notice for travelers in its Erasmus+ youth rail pass initiative, stating that unauthorized access occurred within Eurail’s IT systems and that the number of affected people was not known at that stage
- January 14, 2026: Media reporting said affected customers started receiving emails on January 13, 2026, and it summarized the categories of data in those notifications
- January 15, 2026: SecurityWeek reported Eurail’s disclosure and said the breach impacted pass holders and people who made seat reservations, with the number of affected individuals still unknown
- January 19, 2026: Eurail’s support FAQ said potentially involved data relates to customers issued a Eurail pass or those who made a seat reservation, including purchases through partner channels
- February 13, 2026: Eurail updated its public statement and said it confirmed certain customer data had been offered for sale and that a sample dataset had been posted on Telegram
- February 16, 2026: BleepingComputer reported Eurail’s update and said Eurail was still trying to determine the number of affected customers and record types involved
- February 17, 2026: SecurityWeek reported that hackers were offering Eurail data for sale and repeated the attackers’ claim that the stolen data totals roughly 1.3TB
- February 18, 2026: Cybernews reported a forum post that claimed 1.3TB of Eurail data and described samples that appeared to include passenger identity and pass details
What Data Or Systems Were Affected
Eurail said its early review suggests the accessed data may include customer order and reservation information, including basic identity and contact details, plus travel companion information where applicable.
Eurail also said passport information may be involved in some cases, including passport number, country of issuance, and expiry date, and it said it does not store bank or credit card information for direct purchases and does not keep visual copies of passports for those purchases.
For travelers in the Erasmus+ youth rail pass initiative, the European Commission said potentially affected data may include passport or ID information or photocopies, postal and email addresses, phone number, bank account reference (IBAN), and health data.
Who Was Responsible (Confirmed Vs Alleged)
Eurail has not publicly named a threat actor, and its public update focused on investigation status, customer notifications, and monitoring of dark web forums rather than attribution.
Security reporting attributed the 1.3TB figure and the “AWS S3, Zendesk, and GitLab” claims to the attackers’ statements, and Eurail has not publicly validated the dataset size or the specific internal platforms referenced in those criminal claims.
How The Attack Worked
Eurail has not published technical details on initial access, persistence, or the specific vulnerability, and its statement describes a breach that resulted in unauthorized access followed by containment and a forensic investigation supported by external specialists.
Attackers claimed the stolen material includes data pulled from cloud storage and internal tooling, and SecurityWeek and Cybernews reported those claims as including AWS S3 data, Zendesk support tickets, and GitLab source code, alongside threats to publish data if no buyer appears.
Impact and Risks for Customers
Eurail and the European Commission warned that the most likely near-term risks include phishing, spoofing, unauthorized account access attempts, and identity theft.
Eurail said some accessed data was copied from its database, and it encouraged customers to remain alert for unexpected communications requesting personal information while stating that Eurail will not request sensitive information through unsolicited contact.
Company Response And Customer Remediation
Eurail said it reported the incident to a data protection authority under GDPR requirements and is notifying other relevant data protection authorities outside the EU as required by law.
Eurail said it will inform customers directly where contact details are available, and its support FAQ says customers who do not receive communication from Eurail or their point of purchase are not affected.
Eurail advised customers to update their Rail Planner app password, consider changing passwords linked to email and other accounts, and monitor bank accounts for unusual transactions.
Government, Law Enforcement, And Regulator Actions
The European Commission said it is following the investigation closely and that Eurail has taken steps that include securing affected systems, resetting access credentials, and working with relevant authorities as required by law.
Eurail said it reported the incident to a data protection authority in line with GDPR requirements and stated that notifications to other authorities outside the EU are in progress.
Financial, Legal, And Business Impact
Public statements and the EU notice reviewed here did not provide a confirmed count of affected individuals, a confirmed dataset size, or a quantified financial impact estimate, and reporting has emphasized uncertainty on total scope while the investigation continues.
Criminal sale postings and the 1.3TB claim suggest extortion pressure through data resale and threatened publication, but those claims remain attacker assertions rather than verified forensic totals.
What Remains Unclear About the Breach
- Eurail has not confirmed the root cause.
- Eurail has not confirmed the intrusion start time.
- Eurail has not confirmed the detection time.
- Eurail has not confirmed the total number of affected customers.
- Eurail has not finalized which data categories and records were involved.
- Eurail has not verified claims tied to AWS S3.
- Eurail has not verified claims tied to Zendesk.
- Eurail has not verified claims tied to GitLab.
- Eurail has not verified the 1.3TB dataset claim.
- Eurail has not confirmed whether the claims reflect the full scope of copied data.
- Public reporting treats the seller’s details as unverified allegations.
Why This Incident Matters
The incident shows how travel-reservation and identity-check workflows can place passport metadata and linked itinerary context at risk, which can materially raise identity-fraud and targeted phishing exposure.
The public confirmation that some copied customer data is being offered for sale adds urgency for affected travelers, since resale markets can fuel repeated scam campaigns even when direct financial card data is not part of the compromised records.
Bright Defense: Pen Tests and Continuous Compliance That Reduce Travel-Data Exposure
Bright Defense can reduce risk in incidents like Eurail through penetration tests that focus on web app and API access controls around booking, seat reservations, and customer portals, plus assessments of cloud storage access paths, support-ticket tooling access, and source-code repository permissions that attackers often target in extortion cases. Continuous compliance programs can keep access reviews, logging coverage, incident response readiness, and vendor risk checks current, with SOC 2 control evidence that supports faster, more defensible response when a third party, regulator, or partner requests proof of security control operation after a breach.
Sources
- Eurail — Data security incident updated release (February 13, 2026)
https://www.eurail.com/en/ni/data-security-incident
- Interrail — Data security incident updated release (February 13, 2026)
https://www.interrail.eu/en/ni/data-security-incident
- European Youth Portal — UPDATED: Data security incident affecting EU youth-pass travelers (January 13, 2026)
https://youth.europa.eu/news/updated-data-security-incident-affecting-discovereu-travellers_en
- Eurail Knowledge Base — Which customers may be affected (January 19, 2026)
https://eurail.zendesk.com/hc/en-001/articles/33099658786589-Which-customers-may-be-affected
- BleepingComputer — Eurail says stolen traveler data now up for sale on dark web (February 16, 2026)
https://www.bleepingcomputer.com/news/security/eurail-says-stolen-traveler-data-now-up-for-sale-on-dark-web/
- SecurityWeek — Hackers offer to sell millions of Eurail user records (February 17, 2026)
https://www.securityweek.com/hackers-offer-to-sell-millions-of-eurail-user-records/
- SecurityWeek — Traveler information stolen in Eurail data breach (January 15, 2026)
https://www.securityweek.com/traveler-information-stolen-in-eurail-data-breach/
- TechRadar — Eurail confirms stolen traveler data is on sale on the dark web (February 17, 2026)
https://www.techradar.com/pro/security/eurail-confirms-stolen-traveler-data-is-on-sale-in-the-dark-web-and-it-still-doesnt-know-who-is-behind-the-attack
- The Register — Eurail passenger data breach spills passport and bank details (January 14, 2026)
https://www.theregister.com/2026/01/14/eurail_breach/
- Cybernews — 1.3TB of alleged Eurail passenger data is now for sale (February 18, 2026)
https://cybernews.com/security/eurail-data-breach-passenger-data-sale/
- Cadena SER — Interrail platform warns of theft of sensitive customer data (January 14, 2026)
https://cadenaser.com/nacional/2026/01/14/la-plataforma-de-billetes-de-interrail-avisa-del-robo-de-datos-sensibles-de-sus-clientes-cadena-ser/