Interrail passengers across Europe have been warned that data accessed during a security breach has been leaked on the dark web.
Passport and identification card numbers, contact details, bank account references and health data were accessed during a security breach of Eurail BV’s systems, the company that sells Interrail passes for train travel across Europe.
The company said it has concluded its investigation and is now in the process of informing customers whose personal data was accessed.
Eurail first announced details of the breach, which has affected more than 300,000 travelers, in December. It has now been revealed that the data taken during the breach has been offered for sale on the dark web, with a sample dataset published on Telegram.
The company says it does not store bank or credit card information, nor does it keep a visual copy of passports of those who purchased a pass from Eurail.
It costs £102 to replace a passport in the UK. The Home Office told The Independent: “Where a passport holder has been informed of a data breach involving their passport details, it remains for them to determine whether they wish to replace that passport.”
“British passports incorporate modern security technologies to help keep ahead of any criminals who may attempt to forge or fake them.”
The breach has also affected 18-year-olds who received a pass through the European Union’s DiscoverEU programme, which is giving away 40,000 Interrail passes this year to residents of EU member states or countries associated with Erasmus+.
In a statement, DiscoverEU said identification information, including photocopies, could have been breached, but it does not know how many people will have been affected.
It added that there is currently no evidence that the data has been misused or publicly disclosed, but that Eurail said external cybersecurity specialists are consistently monitoring the situation.
DiscoverEU is not available to British citizens, but will be available through the Erasmus+ scheme in 2027.
In a statement, Eurail and DiscoverEU said: “Preventing and mitigating any potential negative consequences for our customers is our highest priority.”
“We encourage customers to remain vigilant for any suspicious or unexpected communications requesting personal information, including phone calls, emails or text messages.
“Eurail will never request sensitive information through unsolicited contact. As a precautionary measure, customers are advised to update their Rail Planner app password and consider changing passwords linked to their email, social media and banking accounts.
“Customers should also monitor their bank accounts for unusual transactions and report any concerns to their bank immediately.”
Some customers said they are asking for compensation from Eurail to change their passports.
“I’ve emailed them again asking they’d reimbursed the costs for a new passport because their leak is the first time ever my passport number has been leaked,” one person wrote on Reddit.
Others are confused as to what to do if their passport data has been leaked.
“Am I meant to apply for another passport now? I got an email today saying all my data has been put up for sale on the dark web, but I don’t have a clue what I’m meant to do,” another wrote.
The Independent has contacted Eurail for comment.
Read more: What is Interrailing? Everything you need to know about passes, routes and more
