Passport Numbers of 308,777 Eurail Customers Exposed in December Data Breach
What Happened – In late December 2023, hackers breached Eurail B.V.’s internal systems and copied data belonging to 308,777 travelers. A sample of the stolen dataset, including names and passport numbers, appeared on Telegram and was later listed for sale on dark‑web marketplaces. The breach also exposed source‑code, database backups and Zendesk support tickets.
Why It Matters for TPRM –
- Personal identifiers such as passport numbers can be leveraged for identity theft, fraud, and targeted social‑engineering attacks against both end‑users and partner organizations.
- The compromise of source code and support tickets reveals internal processes and potential vulnerabilities that could affect downstream services and third‑party integrations.
- Exposure of a large European travel‑pass provider highlights supply‑chain risk for any business that relies on Eurail data feeds, APIs, or the Discover EU program.
Who Is Affected – Travel & transportation operators, ticket‑ing platforms, loyalty‑program providers, and any downstream services (e.g., Discover EU) that consume Eurail data.
Recommended Actions –
- Review contracts and data‑processing agreements with Eurail and any subsidiaries to confirm breach‑notification obligations.
- Verify that personal‑data protection controls (encryption at rest, least‑privilege access) are in place for any shared datasets.
- Notify impacted customers, advise password changes for the Rail Planner app, and monitor for credential‑stuffing or phishing attempts using the leaked passport data.
Technical Notes – Attack vector not disclosed; likely a credential‑based intrusion or exploitation of an unpatched vulnerability. Stolen data includes passport numbers, full names, source code, database backups, and support‑ticket logs. Source: The Record