European vacationers are dealing with the hassle and cost of obtaining new passports after their information appeared on the dark web due to a breach at Eurail, the company behind Interrail. In December, hackers accessed details such as passport numbers, names, phone numbers, emails, home addresses, and birth dates for over 300,000 travelers. This week, Eurail informed users that the stolen data is being sold on the dark web, with a sample shared on Telegram. The news has sparked frustration and uncertainty. The UK Passport Office advised at least one individual to invalidate their passport to avoid fraud, requiring payment of the full £102 replacement fee. A Danish customer reported having to cancel theirs, facing costs exceeding £200. One affected traveler, whose details were compromised along with a companion’s during a trip from Penzance to Naples last summer, described the situation as a major ordeal. She expressed alarm over the data sale and concerns about securing a new passport before upcoming trips. Remaining anonymous, she questioned the necessity of the expense and called for compensation if replacements are officially recommended. Eurail, based in the Netherlands, offers Interrail passes for rail journeys across Europe. A seven-day option covering 33 countries, from Norway’s north to Turkey’s south, is priced at €286 for those under 28, €381 for ages 28 to 59, and €343 for those 60 and older, with free travel for up to two children under 12 per adult. Gerard Tubb, a 64-year-old retired journalist from Yorkshire, had his information taken after purchasing passes for a trip to southern France with his wife. He voiced worries about potential misuse of the extensive data. This week, Eurail urged customers to watch for suspicious contacts requesting personal details and to change passwords for the Rail Planner app, email, social media, and banking. The company expressed regret for any distress caused by the breach. However, Tubb criticized the firm’s data security and the value of their apology, questioning who would handle any fallout from identity theft. On Reddit, one user studying abroad shared fears of being unable to replace their passport. Others discussed seeking collective compensation, with one referencing GDPR’s article 82 to demand reimbursement from Eurail’s CEO. Eurail and the Home Office were contacted for statements. Eurail noted it is still notifying victims but has reached those in the Telegram sample. A representative emphasized customer protection as the top priority, recommending vigilance, password updates, and account monitoring, while apologizing for the incident.
