Travellers across Europe are being advised to replace their passports after the Interrail company Eurail suffered a massive data breach. The hack has resulted in the personal data of over 300,000 people being posted on the dark web, authorities say.
The information harvested and now being doxxed includes people’s names, email and home addresses, passport details, phone numbers, and dates of birth. The breach was reported in December 2026, but Eurail has only this week made public that the stolen records have “been offered for sale on the dark web and a sample dataset has been published on Telegram.”
Eurail, a Netherlands-based firm, is perhaps best-known for the bargain Interrail passes it offers to young people for intra-European train trips, such as week-long passes valid in 33 countries for less than €300. But rail travellers of all ages can also purchase their tickets. The concept originated with the growth of the railways in the late 19th century and was promoted as a tool for forging European unity, shared identity, and borderless travel after World War II.
Now, though, its relationship to the idea of “shared identity” has taken on a different, more sinister connotation, as Interrail customers fear they could have their identities cloned for defrauding purposes. Gerard Tubb, 64, from Yorkshire, UK, told The Guardian: “The concern is what can people do with that amount of information. It seems an awful lot – everything to persuade someone they are me.”
Eurail has advised victims of the hack to be vigilant about suspicious calls, emails, or texts requesting more personal details. Meanwhile, adding insult to injury, official sources such as the UK Passport Office have advised those affected to cancel and replace their documents—a process the Home Office has confirmed victims will have to pay for themselves. Critics suggest there should be some help or compensation, but as yet, there is none forthcoming.
Eurailでデータ流出ぽいね
— ゆくら (@Isurugi_1375) April 21, 2026
名前や電話番号、パスポート番号が流出したほか、
ダークウェブやテレグラムで取引されてるらしい pic.twitter.com/ebWdqNJgA5
“Where a passport holder has been informed of a data breach involving their passport details, it remains for them to determine whether they wish to replace that passport,” a spokesperson said. “British passports incorporate modern security technologies to help keep ahead of any criminals who may attempt to forge or fake them.”
The breach includes the data of 18-year-olds who were awarded Interrail passes via the European Union’s DiscoverEU programme, a scheme that gifts 40,000 Interrail passes to young EU residents and Erasmus+ students, turning them into cultural and travel ambassadors for the bloc. In a statement, DiscoverEU said the young people’s ID, including photocopies, could have been hacked, but it cannot yet say how many people are affected.
