Over 300,000 Interrail Users Told to Cancel Passports After Dark Web Data Sale

A December cyberattack on Eurail BV systems compromised the personal data of over 300,000 Interrail passengers, with stolen details, including passport numbers, now offered for sale on the dark web. Affected individuals have received advisories, with some governments recommending passport cancellation.

In December, Eurail BV, the company behind Interrail passes, experienced a significant cybersecurity breach. This incident exposed sensitive personal information belonging to a large number of its customers. Eurail has concluded its investigation and is in the process of notifying all affected individuals.

Over 300,000 passengers were impacted by this breach. The compromised data includes passport and identification card numbers, contact details, bank account references, and health data. Following the exposure, this stolen information appeared for sale on the dark web, a part of the internet not indexed by standard search engines and often used for illicit activities.

Several governments have begun advising their citizens to take precautionary measures. The UK Passport Office, for example, instructed at least one individual to cancel their passport to prevent fraudulent use, requiring a full £102 fee for a replacement. Similarly, an affected passenger in Denmark reported being advised to cancel their passport, with replacement costs potentially exceeding £200. This has left some customers uncertain about the severity, with one stating, "I genuinely have no idea how serious this is."

The breach also affected participants in the European Union's DiscoverEU program, which distributes Interrail passes to 18-year-olds. While British citizens are not currently eligible for DiscoverEU, the program will extend to them via Erasmus+ in 2027.

### What Defenders Should Do

The incident underscores the need for robust data protection measures. For organizations like Eurail, continuous vulnerability scanning and penetration testing, aligned with frameworks such as NIST SP 800-53 or ISO 27001, are crucial to identify and remediate weaknesses before exploitation. Implementing multi-factor authentication (MFA) across all user accounts and encrypting sensitive data at rest and in transit can significantly reduce the impact of a breach.

For affected customers, Eurail and DiscoverEU advise immediate actions. These include updating Rail Planner app passwords and considering password changes for linked email, social media, and banking accounts. Monitoring bank accounts for unusual transactions is also recommended. Customers should remain vigilant for suspicious communications, as Eurail will not request sensitive information through unsolicited contact. Organizations experiencing similar breaches should prioritize transparent communication with affected parties and offer clear guidance and support, including potential compensation for costs incurred due to the breach.

### What to Watch Next

The long-term impact on affected individuals, particularly regarding identity theft and financial fraud, will become clearer as time progresses. The response from regulatory bodies regarding data protection compliance and any potential financial liabilities for Eurail will be key developments to observe.