Thousands of European travellers are dealing with the fallout from a data breach affecting Interrail pass provider Eurail — and for some, it’s going further than emails and password resets. In certain cases, individuals say they have been advised to consider cancelling and replacing their passports after their personal data was exposed online.
It’s an unusual and worrying development, and it raises bigger questions about how serious this breach could become.
What has been reported so far
The breach itself dates back to December 2025, when attackers accessed personal data linked to Interrail customers. According to Eurail, the compromised data may include:
- Full names
- Email addresses
- Phone numbers
- Home addresses
- Dates of birth
- Passport numbers.
Around 300,000 travellers across Europe are believed to be affected. At the time, the incident appeared contained. But the situation has since escalated.
Eurail has now confirmed that the stolen data is being offered for sale on the dark web, with a sample dataset also shared publicly on Telegram. That changes the risk profile significantly.
Why passports are now part of the issue
The involvement of passport data is what sets this breach apart. Unlike passwords, you can’t simply reset a passport number. And when combined with other personal details, it becomes far more sensitive.
In the UK, at least one affected individual was advised by the Passport Office to consider cancelling their passport to prevent potential misuse.
This is likely because the risks of passport misuse include:
- Passport details can be used in identity fraud attempts
- Combined data makes impersonation more convincing
- Once data is circulating online, control is limited.
The Home Office has said it’s ultimately up to individuals to decide whether to replace their passport, but any cost would not automatically be covered. A spokesperson said. “British passports incorporate modern security technologies to help keep ahead of any criminals who may attempt to forge or fake them.”
What travellers are saying
Reaction from those affected has been mixed, but there’s a clear theme of uncertainty. Some travellers say they feel pressured into replacing passports without clear guidance on whether it’s necessary.
Others are worried about timing, especially with summer travel approaching. There are also growing questions around compensation, particularly given the potential costs involved.
Eurail’s current guidance focuses on reducing immediate risk rather than replacing documents.
Customers have been told to:
- Stay alert for suspicious emails, calls or messages
- Update passwords across accounts
- Monitor financial and online activity.
The company says it is still notifying affected individuals and has prioritised those whose data appeared in the leaked sample.
How serious is this kind of breach?
Data breaches involving travel companies aren’t new, but the level of detail exposed here may increase the potential risk compared to more limited breaches.
On their own, pieces of personal data might seem low risk. But combined, they can be used to:
- Build convincing phishing scams
- Attempt identity theft
- Access or reset other accounts.
The addition of passport numbers increases that risk further, even if modern passports include security features designed to prevent direct misuse.
Could there be compensation?
Some affected travellers have already started asking whether they could claim compensation under data protection law.
Under UK GDPR, individuals may be entitled to compensation if:
- Their personal data was not properly protected
- They suffer financial loss or distress as a result.
Any claim would depend on the specific facts of the breach and its impact.
At this stage, we are not aware of any confirmed group action linked to this incident. But the situation is still developing. We will provide updates as they happen.
Join the Claim connects consumers with SRA-regulated lawyers. Keep an eye out for updates on any potential claim and possible eligibility checks/registration opportunities.
