Eurail has disclosed a data breach that exposed customer information, including contact details and, in some cases, health-related data. The company said the incident affected a portion of its users and involved information submitted in connection with rail pass purchases and related customer services.
Eurail provides rail passes used by travellers to access train networks across multiple European countries. Customers typically use the service to plan trips, manage bookings, and receive support during travel. The company said the breach involved data connected to its customer systems rather than rail operators directly.
Eurail said the breach was identified after suspicious activity was detected in its systems. The company confirmed that an unauthorised party accessed customer information, including email addresses and other personal details. It said some exposed records also included health-related information that customers had provided voluntarily, such as details intended to support travel needs or accommodation requests.
The company said the compromised information did not include payment card data or login credentials. Eurail said payment-related systems were not affected and that it has not found evidence that financial information was accessed through the breach. The investigation is ongoing, and the company said it is working with external cybersecurity specialists to assess how the intrusion occurred and what data was affected.
Eurail said it is notifying affected customers directly by email. It has also provided guidance on steps users can take to reduce risk, including being cautious of unexpected messages and monitoring accounts for unusual activity. The company said it has set up support channels to assist customers who have questions about whether their information was involved.
Under European data protection rules, companies are required to report breaches that may pose a risk to individuals. Eurail said it has notified relevant authorities and is cooperating with any regulatory inquiries. It also said it has reviewed its security controls and is implementing additional safeguards following the incident.
The breach has renewed attention on the risks associated with storing sensitive personal information, particularly health-related data that may not be essential for basic service delivery. Eurail said it will provide further updates as its investigation continues.