Eurail Data Breach Exposes 300,000+ Travelers; Hacker Boasts of 1.3TB Theft

A major data breach at European rail travel giant Eurail has compromised the personal information of over 300,000 individuals, escalating from an initial disclosure into a significant cybersecurity incident. The Netherlands-based company is now notifying affected customers that hackers infiltrated its network in December 2025, stealing files containing basic identity and contact details. This breach directly impacts travelers who were issued a Eurail pass, exposing them to potential fraud and phishing risks.

The scale of the intrusion became clearer in February when a hacker publicly boasted on a cybercrime forum about stealing approximately 1.3 terabytes of data from Eurail's cloud infrastructure. The stolen cache reportedly includes source code from GitLab, customer support tickets from Zendesk, and database backups from AWS S3 instances. The hacker's claims suggest the total number of compromised Eurail and Interrail customer records could be in the millions, far exceeding the current confirmed notification count.

The incident places Eurail under intense scrutiny for its data security practices, particularly its cloud storage configurations. The exposure of source code and database backups presents a severe risk, potentially enabling further attacks or exploitation of system vulnerabilities. This breach signals significant pressure on the travel and tourism sector to fortify digital defenses, as customer data becomes a prime target for cybercriminals. The company now faces the dual challenge of managing regulatory fallout and restoring traveler trust across Europe.