When a Train Ticket Costs Your Passport: The Eurail Breach and the Digital ID Problem

The stolen files include everything an identity thief would want and nothing Eurail ever needed to sell a rail ticket.

Eurail wanted people’s passport numbers to let them ride a train. Now that data is for sale on the dark web, and some of the 308,777 people caught up in the breach are being told to cancel their passports and pay for replacements out of their own pockets.

The Dutch company, which sells the Interrail passes used by young travelers across 33 European countries, confirmed this week that a sample of the stolen dataset has already surfaced on Telegram.

“We can confirm that data copied during the security incident has been offered for sale on the dark web and a sample dataset has been published on Telegram,” a spokesperson said. “Customers whose personal data was included in the sample dataset are being informed directly where contact details are available to us.”

The full haul contains exactly the material identity thieves dream about, including passport numbers, passport expiry dates, full names, home addresses, email addresses, phone numbers, and dates of birth. For users of the EU’s DiscoverEU program, which hands out free travel passes to young people, the exposed records also include photocopies of passports, bank account details, and some health data.

The breach happened on December 26, 2025. Eurail only began notifying affected individuals on March 27, 2026, three months after hackers walked out with the files and a full month after the data appeared on a cybercrime forum.

In February, a hacker claimed responsibility publicly, saying they had stolen roughly 1.3 terabytes of data from Eurail’s AWS S3, Zendesk, and GitLab instances, including source code, database backups, and support tickets. The same hacker said negotiations with Eurail had failed, which is why the files were being dumped.

None of this was information Eurail needed to sell a train ticket. Rail operators ran Europe’s networks for decades without demanding scanned passports and dates of birth from every customer. The identity-verification stack that now sits behind a simple rail pass exists because identity checks have become the default business model, not because anyone can explain why selling a seven-day Interrail pass requires a permanent copy of someone’s government-issued ID.

The Eurail breach is a working demonstration of what happens when governments treat identity collection as the default setting for ordinary life. The UK is moving toward a mandatory digital ID scheme. The EU is rolling out its European Digital Identity Wallet.

Online Safety Act compliance in Britain now requires “age verification” across huge swathes of the web, with platforms demanding government IDs, face scans, or credit card details before users can access content that was freely available a year ago.

Every one of these systems rests on the same assumption that sank Eurail’s customers, which is that identity data can be collected safely, stored securely, and kept out of the wrong hands indefinitely.

That assumption has never held up. The pattern is consistent enough now to be predictable. A government or regulator decides identity verification should be mandatory for some activity, whether that is buying a train ticket, watching adult content, opening a bank account, or posting on social media. Private companies build the verification infrastructure, because governments rarely build their own.

Those companies then hold databases of passport numbers, biometric scans, and home addresses, secured according to whatever corporate security practices happen to be in place. The databases get breached, because databases always get breached, and the consequences fall on the people whose data was collected rather than the entities that insisted on collecting it.
