A major data breach has exposed the personal information of thousands of travelers, including names, email addresses, and passport details, on the dark web. The incident involves Eurail, a European railway company that provides the Interrail pass, which allows travelers to explore Europe by train.
In January, Eurail disclosed that it had been targeted by cybercriminals, who also attacked the EU’s DiscoverEU program. The company informed affected riders that some of the stolen data is now being sold on the dark web, an obscure part of the internet where illicit activities often take place. A sample dataset, which does not include actual personal information, was also found on Telegram, a platform frequently used by drug dealers and extremists.
Eurail stated in an email that they have secured their systems and are working with external cybersecurity experts to monitor the dark web. They are also in contact with relevant authorities. However, the company has not yet determined how many people were impacted by the breach.
Although Eurail reported to the Oregon Department of Justice in March that the personal information of 308,777 travelers was exposed, the exact number of affected individuals remains unclear. The company warned users to be cautious of suspicious phone calls, emails, or text messages asking for personal information. They advised customers not to share their details with anyone claiming to represent Eurail.
What Personal Data Was Stolen?
The Interrail pass offers a month of free travel on most slow trains across Europe and discounted journeys on high-speed trains. It has long been popular among young travelers seeking an adventure-filled trip across the continent.
However, hackers managed to access Eurail’s customer database and stole a range of personal information, including:
- Names
- Email addresses
- Dates of birth
- Country of residence
- Passport or ID copies
According to the Cyber Security Incident Database, cybercriminals stole 1.3 terabytes of data from Eurail’s Amazon S3 storage, Zendesk support system, and its repository on the open-source collaboration platform GitLab. The stolen data was reportedly claimed to be “millions” of customers’ information.
Aras Nazarovas, a senior information security researcher at Cybernews, described the stolen data as a “complete identity package.” He warned that hackers could use this information to bypass KYC checks and gain access to victims’ bank accounts, open crypto exchange accounts, or take out loans in their names.
Risks and Consequences
Hackers have threatened to make the data public if an “offer” is not made, according to a screengrab obtained by Cybernews. The outlet also reported that travelers’ information is being sold on marketplaces on the surface web, the layer of the internet most people access daily.
The breach has raised concerns among travelers, many of whom are worried about the potential misuse of their personal information. One traveler, who did not wish to be named, expressed discomfort over knowing that their passport details and address are on the dark web. Another criticized Eurail for its response, stating, “Eurail says they ‘take security seriously’ – clearly not.”
How Much Is Your Data Worth?
Digital copies of passports and other documents are being sold on the dark web, with prices varying depending on the country. NordVPN, a cybersecurity company, found that digital copies of British passports typically sell for around £26. Physical passports from countries like the United States and Italy can fetch more than £1,100.
Marijus Briedis, chief technology officer at NordVPN, emphasized that all personal data has a price tag on the dark web. He noted that criminals no longer need to search through trash for shredded documents; instead, they can easily access and trade digital copies of sensitive information.
Eurail’s Response
Eurail has stated that it is actively notifying affected customers and providing them with details about the stolen data. A spokesperson said that the company immediately took steps to secure its systems and engaged external cybersecurity specialists and legal advisors. They have implemented additional security measures and continue to monitor their systems closely.
While the company has not provided a country-by-country breakdown of the breach, it expressed regret over any concern caused and reiterated its commitment to protecting customer data.
