A data breach at the Netherlands-based company that sells Eurail (Interrail) train passes resulted in the compromise of personal and sensitive information belonging to an as-yet unknown number of travelers.
What data was accessed?
Eurail B.V. operates on behalf of a consortium of European railway companies, and sells single (usually multi-day) passes that let travelers explore Europe by train without having to buy individual tickets.
The company acknowledged the breach with a public statement on January 10 and soon after began sending data breach notification emails to affected customers.
“The ongoing investigation should provide more information about the precise categories of personal data which are involved and to what extent personal data has also been copied from our customer database,” the company said, but noted that initial findings point to attackers having gained access to customers’:
- First and last name, date of birth, gender
- Email address, home address, and phone number
- Passport or ID number, country of issue and expiration date.
“The data potentially involved relates to customers who were issued a Eurail pass or made a seat reservation with Eurail. This includes customers who may have purchased a Eurail or Interrail Pass through one of our partner channels or distributors,” the company stated in a public FAQ section.
DiscoverEU participants under the EU’s Erasmus+ program may have had additional data compromised, the European Commission said: attackers might have compromised their bank account number (IBAN), photocopies of their passport/ID, and some health-related data.
While Eurail B.V. hasn’t said how the attackers gained access to their IT systems and databases, the European Commission’s notification mentioned that the company secured the affected systems and closed the vulnerability.
Minimizing the fallout
“At this time, we have no evidence that customer data has been misused or publicly disclosed. This is monitored by the external cybersecurity specialist on an ongoing basis,” Eurail B.V. also stated.
“The ongoing investigation will need to provide more information about the precise categories of personal data which are involved and, where technically possible, to what extent personal data has also been copied from our customer database. Customers whose data may have been accessed will be informed directly where contact details are available to us.”
In the meantime, the company has reset access credentials and asked customers to set up a new password for their account, and to be on the lookout for phishing attempts and identity theft.
“Criminals may attempt to misuse your data. Therefore, we advise you to remain extra vigilant for unexpected or suspicious phone calls, emails, or text messages asking you for personal information. If in doubt, never share your information with someone who contacts you unsolicited or claims to work for Eurail,” the data breach notice explains.
“The general recommendations in data breach cases are also to change passwords linked to your email address, social media, and banking, for example, and to pay particular attention to any unusual transactions in your bank account and report them to your bank immediately.”


