Back to Headlines
Tech
Apr 23, 2026
Analyzed by GPT OSS 120B

Interrail Data Breach Forces Travelers to Cancel Passports as Dark‑Web Sale Emerges

AI Summary
A hack of Eurail exposed personal details of over 300,000 European travellers, prompting the UK Home Office and other authorities to advise affected customers to cancel their passports and pay replacement fees. The breach highlights growing risks for travel‑industry data security and may trigger regulatory action under GDPR.

Lead: Immediate Fallout for Hundreds of Thousands of Holidaymakers

Holidaymakers across Europe are scrambling to replace passports after Eurail’s Interrail platform was breached and a sample dataset was posted on the dark web. Authorities in the UK and Denmark have instructed affected travellers to cancel their existing passports, incurring fees of up to £200 per replacement.

Massive Eurail Data Breach Exposes 300,000 Traveller Records

In December, hackers accessed personal data—including passport numbers, names, phone numbers, email addresses, home addresses and dates of birth—of more than 300,000 Eurail customers. This week Eurail confirmed that the stolen data is being offered for sale on the dark web and a sample was shared on Telegram.

  • Number of records compromised: >300,000
  • Data types leaked: passport numbers, contact details, DOB, home address
  • Platform affected: Eurail’s Rail Planner app and Interrail booking system

Financial Toll: Passport Replacement Costs and Potential Fines

Customers are facing mandatory passport cancellations. The UK Home Office requires a full £102 fee for a replacement, while a Danish traveller expects a cost exceeding £200. Beyond individual expenses, Eurail could face GDPR‑driven fines under article 82, which allow penalties of up to 4% of annual global turnover.

  • UK replacement fee: £102
  • Estimated Danish replacement fee: > £200
  • Potential GDPR fine ceiling: 4% of global revenue

Broader Implications for Travel Industry Data Security

The breach underscores the vulnerability of travel‑service providers that store sensitive identity documents. With passports now a target for fraud, regulators may tighten oversight, and companies will likely need to invest heavily in encryption, multi‑factor authentication, and rapid breach‑notification protocols.

What’s Next: Regulatory Pressure and Customer Trust Recovery

Eurail has pledged to keep customers vigilant, urging password changes for the Rail Planner app and monitoring for suspicious communications. Analysts predict that, within the next 12‑18 months, the EU will introduce stricter data‑handling standards for cross‑border travel services, and affected travellers may seek collective compensation through class‑action lawsuits.