Eurail B.V. Data Breach Exposes Data of 308,777 Users

Eurail B.V., a Netherlands-based travel company that operates the official online sales channel for Eurail and Interrail rail passes for train travel across Europe, disclosed a data breach that affected approximately 308,777 individuals in the United States, including 242 New Hampshire residents. The breach took place between late December 2025 and early January 2026.

Eurail reported the breach to attorneys general in California, New Hampshire, Oregon, and Vermont starting on March 27, 2026. Eurail began notifying consumers on March 27, 2026.

The company also posted an updated notice about the incident via the European Youth Portal website.

What happened in the Eurail B.V. data breach

Upon identifing unusual activity within a segment of its network, Eurail began an investigation and found that an unauthorized actor had gained access to the network. The breach occurred over a period from Dec. 24, 2025, through Jan. 8, 2026.

During that window, the unauthorized actor transferred files from Eurail's network on Dec. 26, 2025. After discovering the unauthorized activity, Eurail reviewed the affected files to determine what personal information they contained.

On Feb. 25, 2026, Eurail completed its review and determined that the compromised files contained personal information belonging to consumers.

The categories of personally identifiable information exposed in the breach included names, surnames, dates of birth or age, passport or ID information (including photocopies), email addresses, postal addresses and country of residence, and phone numbers, bank account references (IBAN) and data concerning health.

Eurail B.V.'s response to the breach

Eurail B.V. mailed notification letters to affected individuals on March 27, 2026, via U.S. First-Class mail.

The company has set up a dedicated call center for people with questions about the breach. Affected individuals can call 1-833-319-9486, Monday through Friday, 8 a.m. to 8 p.m. Eastern, excluding major U.S. holidays. For non-U.S. inquiries, Eurail B.V. can be reached at its headquarters at Jaarbeursboulevard 286, 5th Floor, Utrecht, Netherlands, or by phone at +31-6-18641902.

Eurail recommends affected individuals to remain alert of suspicious messages or activity, especially requests for personal information. The company advised consumers never to share personal details with anyone who contacts them unsolicited or who claims to work for Eurail.

Steps to take if your information was exposed

• Place a fraud alert or credit freeze with Equifax (1-888-378-4329), Experian (1-888-397-3742) and TransUnion (1-833-799-5355) to make it harder for someone to open new accounts using stolen personal information.
• Request free credit reports at AnnualCreditReport.com and review them carefully for any accounts or inquiries that are not recognized.
• Monitor bank accounts and financial statements closely since bank account references were among the data involved, and report any unauthorized transactions to a financial institution right away.
• Contact the relevant passport-issuing authority to ask about reissuing a passport or ID document, since passport and ID information was part of the exposed data.
• Be cautious of phishing attempts that reference Eurail, Interrail or this breach by name, as scammers may try to use stolen details to send convincing emails, texts or phone calls.
• Report suspected identity theft to the Federal Trade Commission at IdentityTheft.gov or by calling 1-877-438-4338.