A European railway company has confirmed that cybercriminals are selling stolen customer data, including passport copies, on the dark web. Eurail, which operates the Interrail pass, revealed in January that it had been hacked along with the EU's DiscoverEU program. The firm alerted affected riders on Tuesday that some of the stolen information is now being traded on the dark web, as reported in an email seen by Metro.
Details of the Data Breach
A sample dataset, which does not contain personal information, was also copied to Telegram, a platform often used by extremists and drug dealers. Eurail stated in the email: 'We have secured our systems and are continuing to work with external cybersecurity specialists and monitoring the dark web. We also remain in contact with the relevant authorities.' When questioned by Metro, Eurail said it is still investigating the number of affected individuals. However, the company reported to the Oregon Department of Justice in March that personal information of 308,777 travelers had been exposed.
What Information Was Stolen?
Cybercriminals accessed the company's customer database and stole names, email addresses, dates of birth, country of residence, and passport or ID copies. According to the Cyber Security Incident Database, hackers obtained 1.3 terabytes of data from Eurail's Amazon S3 storage, Zendesk support system, and GitLab repository. They claimed to have stolen 'millions' of customer records, according to Cybernews. A screengrab obtained by the outlet shows the hackers threatening to make the dataset public unless an offer is made. Additionally, traveler information is being sold on surface web marketplaces.
Customer Reactions
Riders expressed concern about their passports being sold on the dark web. One traveler, who purchased an Interrail ticket for July, said: 'I feel uncomfortable knowing that my personal details, especially my passport details and address, are on the dark web.' Another backpacker criticized Eurail's response: 'Eurail finished the email with “we take the security of your data seriously” – well, clearly not.' A third passenger questioned what steps to take: 'I’ve asked for more advice as to whether I need to consider a new passport. Seems they’ve been quite open with what’s happened, but I’m not clear who copied the data from their databases.'
Passport Copies Stored Differently
Customers who bought a travel pass directly from Eurail or Interrail do not have visual copies of their passports stored. However, those who purchased through the DiscoverEU program, an Erasmus-funded initiative, do have such copies on file.
Expert Insights on Dark Web Data Trade
Dark websites enable anonymous transactions, allowing marketplaces selling personal documents to thrive. NordVPN told Metro that digital copies of British passports are typically listed for about £26, while physical passports from countries like the US and Italy can fetch over £1,100. Marijus Briedis, chief technology officer at NordVPN, said: 'Dark web criminals are no longer fishing through your bins for ribbons of shredded documents. Digital copies of documents are readily available, much cheaper and easier to trade.'
Eurail's Response
Eurail stated it is 'actively in the process of notifying affected customers,' including specifics of the stolen data. A spokesperson said: 'Upon discovering the incident, we immediately took steps to secure our systems and engaged external cybersecurity specialists and legal advisors. We have implemented additional security measures and continue to monitor our systems closely. Preventing and mitigating any potential impact on our customers remains our highest priority.' The firm cannot provide a country-by-country breakdown at this stage and added: 'We regret any concern this incident may cause and remain committed to protecting our customers’ data.'
