Eurail BV has confirmed that some customer data impacted by the previously reported security incident has been offered for sale on the dark web and a sample data set has been posted on Telegram.
The company said it is continuing to investigate the scope and impact.
Last month, the company revealed that it had experienced a data breach when bad actors accessed its customer database, which exposed sensitive information such as full names, passport numbers, ID numbers, bank account IBANs, health data, and contact information (email and phone numbers).
“We have become aware that the data has been offered for sale on the dark web and a sample data set has been published on Telegram. We are currently investigating which specific data records or how many of the affected customers this concerns,” the company said in a statement.
The ongoing investigation will provide information on the exact categories of personal data that are involved. Some of the data accessed has also been copied from the database.
However, at this point, the investigation has not revealed any information on what specific data this is about. External cybersecurity experts will continue to monitor the dark web forums.
The incident has been reported to the data protection authority as is required by the European Union GDPR regulations, and Eurail BV is in the process of notifying all other relevant data protection authorities outside of the EU.
“Customers whose data may have been accessed and published will be informed directly where contact details are available to us. Preventing and mitigating any potential negative consequences for our customers is our highest priority. We encourage customers to remain vigilant for any suspicious or unexpected communications requesting personal information, including phone calls, emails or text messages,” the statement continued.
The Impact is Felt in the Long Tail
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, commented: “Eurail’s disclosure is not unique, but it’s worth remembering that the real impact of breaches is felt in the long tail. Once personal data is exposed, the risk shifts from “IT incident” to sustained fraud and impersonation. Organisations can’t treat notification as a compliance exercise, and they need to be clear, specific, and timely so people can take meaningful protective steps.”
From a human angle, Malik said travellers and younger users are especially vulnerable to follow‑on social engineering: convincing “refund”, “ticket reissue”, and “verification” scams thrive on partial personal details”.
In terms of the latest developments, Malik added: “It’s most unfortunate when stolen data ends up for sale. It makes the breach all the more real with fraud, impersonation, and targeted social engineering attacks becoming far more likely.”
In these instances, he said the organization should assume the data is being actively exploited and not just exposed. “This makes it vital that organisations reach out to affected parties with actionable guidance quickly.”
For others, Malik said it is a reminder to reduce the amount of data that is collected and retained and treat sensitive personal information with the security it deserves”.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.