European travel company, Eurail BV, also known as Interrail to EU residents, has suffered a data breach in its systems that led to unauthorized access to customer data.
The organizations initially announced the news on 10 January, however, affected customers, the number of which has not been disclosed, started receiving emails on 13 January.
“Following the discovery, we immediately began work to secure our systems and initiated an investigation with the support of external cybersecurity specialists and legal advisors,” the company said.
Interrail said it is taking the matter “very seriously” and is conducting a full investigation to determine the scope of the incident and its potential impact on customers.
“The investigation is still ongoing,” it added. “Our early review suggests that the data involved may include customer order and reservation information, including basic identity and contact details. Where provided, it might also include your passport information, like passport number, country of issuance or expiry date.”
It assured customers who purchased their Pass from Eurail B.V. that it does not store a visual copy of their passports.
The investigation will need to clarify the specific categories of personal data involved and, where technically feasible, the extent to which personal data may have been copied from its customer database. At this stage, the comapny said there is no evidence that the data has been misused or publicly disclosed.
This will be closely monitored by external cybersecurity specialists.
“The incident has been reported to the data protection authority in line with European Union GDPR requirements, and we are in the process of notifying all other relevant data protection authorities outside of the EU (as required by law),” Interrail added.
Affected customers will be informed directly where their details are available to Interrail. “We take the security of our customers’ information seriously and regret any concern this incident may cause.”
Customers can refer to the FAQs available via Eurail’s customer support centre, or contact [email protected]
In a separate notice, the European Commission said that in addition to the data specified in the company’s email, DiscoverEU travelers may also have photocopies of their IDs, bank account reference numbers, and health data compromised.
As a result of this incident, possible consequences for customers may include phishing and spoofing attempts, unauthorized access, and identity theft, the Commission said.
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, said: “Eurail’s disclosure is not unique, but it’s worth remembering that the real impact of breaches is felt in the long tail. Once personal data is exposed, the risk shifts from “IT incident” to sustained fraud and impersonation. Organisations can’t treat notification as a compliance exercise, and they need to be clear, specific, and timely so people can take meaningful protective steps.”
From a human angle, Malik said travellers and younger users are particularly vulnerable to follow‑on social engineering: convincing “refund”, “ticket reissue”, and “verification” scams thrive on partial personal details”.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.