Connor Jones reports:
Eurail has confirmed customer information was stolen in a data breach, according to notification emails sent out this week.
The European travel company, also known as Interrail to EU residents, initially posted the news on January 10, but affected customers, the number of whom was not disclosed, began receiving emails on January 13.
[…]
Customers who purchased a travel pass directly from Eurail/Interrail did not have a visual copy of their passports stored on company systems.
However, the same is not true for those who received a pass through the DiscoverEU program, an Erasmus-funded initiative that invites travelers to explore the EU by rail.
Read more at The Register.
The January 13 updated notice on Interrail’s site reads:
Eurail B.V. has unfortunately experienced a security breach within our systems that resulted in unauthorized access to customer data. Following the discovery, we immediately began work to secure our systems and initiated an investigation with the support of external cybersecurity specialists and legal advisors. We take this matter very seriously and are currently conducting a thorough investigation to determine the full scope of the incident and its potential impact on customers, which includes participants of the European Commission’s DiscoverEU action.
The investigation is still ongoing. Our early review suggests that the data involved may include customer order and reservation information, including basic identity and contact details. Where provided, it might also include your passport information, like passport number, country of issuance or expiry date. As a standard procedure, if you purchased your Pass from Eurail B.V. we do not store a visual copy of your passport. For customers who received a Pass as part of the DiscoverEU programme, please refer to this statement.
The ongoing investigation will need to provide more information about the precise categories of personal data which are involved and to what extent personal data has also been copied from our customer database. There is currently no evidence that the data has been misused or publicly disclosed. This is consistently being monitored by external cybersecurity specialists.
The incident has been reported to the data protection authority in line with European Union GDPR requirements, and we are in the process of notifying all other relevant data protection authorities outside of the EU (as required by law).
Customers whose data may have been accessed will be informed directly. We take the security of our customers’ information seriously and regret any concern this incident may cause.
For customer questions, please refer to the FAQs available via Eurail’s customer support centre, or contact [email protected]