Eurail/Interrail Data Breach: 300,000 Travellers Told to Cancel Passports as Data Dumped on Dark Web

A significant escalation in a December 2025 data breach at Eurail, the company behind the popular Interrail pass, has led to the personal data of 300,000 travellers, including passport numbers, being posted on the dark web. The UK's HM Passport Office has issued an urgent advisory for affected individuals to cancel their passports to prevent identity theft. This incident highlights critical vulnerabilities in travel data management and the escalating threat of targeted credential exposure.

The breach, initially disclosed in December 2025, involved unauthorized access to a database containing personal information of Interrail pass holders. At that time, the company stated that the data was encrypted and that no evidence of misuse had been found. However, in a dramatic turn of events, a threat actor has now dumped the decrypted data on a dark web forum, exposing full names, email addresses, dates of birth, and passport numbers of 300,000 travellers.

The HM Passport Office has confirmed that they are contacting affected UK residents directly, advising them to cancel their passports immediately. This is a precautionary measure to prevent identity theft and fraudulent travel document applications. The office has also set up a dedicated helpline for concerned travellers.

From a cybersecurity perspective, this incident underscores the importance of robust data protection measures for travel companies. The travel industry collects vast amounts of sensitive personal data, including passport information, making it a prime target for cybercriminals. The fact that the data was initially encrypted but later decrypted suggests that the encryption keys were compromised or that the data was stored in a way that allowed for decryption.

The breach also raises questions about the security practices of Eurail. The company has not disclosed the exact method of the initial breach or how the data was decrypted. However, security experts suspect that the attackers may have gained access to the encryption keys through a phishing attack or by exploiting a vulnerability in the company's systems.

The impact on travellers is severe. With passport numbers exposed, individuals are at risk of identity theft, fraudulent passport applications, and other forms of financial fraud. The HM Passport Office's advice to cancel passports is a significant step, but it will cause inconvenience and expense for affected travellers.

The incident serves as a stark reminder for all organizations handling sensitive personal data to implement strong encryption, multi-factor authentication, and regular security audits. The travel industry, in particular, must prioritize data security to protect its customers from such devastating breaches.