Data security incident (updated release)

Utrecht, The Netherlands, 9 March 2026

Update 9 March 2026: Eurail B.V. has concluded its investigation into the previously reported security incident and is in the process of contacting customers whose personal data has been accessed.

Eurail B.V. has unfortunately experienced a security breach within its systems that resulted in unauthorized access to customer data. Following the discovery, we immediately began work to secure our systems and initiated an investigation with the support of external cybersecurity specialists and legal advisors.

The investigation into the full scope of the incident and its potential impact on customers, which include participants of the European Commission’s DiscoverEU action, has now concluded. We are now in the process of informing customers whose personal data was accessed and copied from our customer database directly where contact details are available to us.

In addition, we have learned that data copied during the security incident has been offered for sale on the dark web and a sample dataset has been published on Telegram. Customers whose personal data was included in the sample dataset will be informed directly where contact details are available to us.

We have secured our systems and are continuing to work with external cybersecurity specialists. We also remain in contact with the relevant authorities.

The incident has been reported to the data protection authority in line with European Union GDPR requirements, and we have notified other relevant data protection authorities outside of the EU (as required by law).

As a standard procedure, if you purchased your Pass from Eurail B.V., we do not store bank or credit card information, nor do we keep a visual copy of your passport. For customers who received a Pass as part of the DiscoverEU programme, please refer to this statement.

Preventing and mitigating any potential negative consequences for our customers is our highest priority. We encourage customers to remain vigilant for any suspicious or unexpected communications requesting personal information, including phone calls, emails or text messages. Eurail will never request sensitive information through unsolicited contact. As a precautionary measure, customers are advised to update their Rail Planner app password and consider changing passwords linked to their email, social media and banking accounts. Customers should also monitor their bank accounts for unusual transactions and report any concerns to their bank immediately. Further guidance on recommended steps customers can take to protect themselves is available via Eurail’s customer support centre.

We take the security of our customers’ information seriously and regret any concern this incident may cause.

For customer questions, please refer to the FAQs available via Eurail’s customer support centre, or contact privacyhelp@eurail.com.

Updated 9 March 2026