Eurail has confirmed customer information was stolen in a data breach, according to notification emails sent out this week.
The European travel company, also known as Interrail to EU residents, initially posted the news on January 10, but affected customers, the number of whom was not disclosed, began receiving emails on January 13.
While the company's investigation is ongoing, it revealed the data potentially affected includes:
Customers who purchased a travel pass directly from Eurail/Interrail did not have a visual copy of their passports stored on company systems.
However, the same is not true for those who received a pass through the DiscoverEU program, an Erasmus-funded initiative that invites travelers to explore the EU by rail.
The European Commission published a separate notice about the Eurail breach, saying that in addition to the data specified in the company's email, DiscoverEU travelers may also have photocopies of their IDs, bank account reference numbers, and health data compromised.
"To our knowledge, there is currently no evidence that the data has been misused or publicly disclosed," it stated. "Eurail reassured the Commission that this is consistently being monitored by external cybersecurity specialists.
"However, as a result of this incident, possible consequences for you may include: phishing and spoofing attempts, unauthorized access, and identity theft."
Eurail promised the Commission it has secured the affected systems and "closed the vulnerability," as well as reset credentials and enhanced its security controls following the breach.
Additionally, the Utrecht-headquartered company confirmed the breach was reported to the Dutch data protection authority, as required by GDPR.
Eurail said: "Customers whose data may have been accessed will be informed directly. We take the security of our customers' information seriously and regret any concern this incident may cause."
The emails sent to affected customers, seen by The Register, include details about how to spot potential scams that use data stolen during the attack, and advise users to change their passwords for all accounts, not just the one used for the Rail Planner app. ®
Source: The Register