Data leak
Eurail B.V. AWS S3/Zendesk/GitLab Breach - 308K Travelers
Primary Source βIncident Details
On December 26, 2025, an unauthorized actor exfiltrated data from Eurail B.V.’s (European rail pass operator covering 33 national railways) AWS S3, Zendesk, and GitLab instances. Eurail identified the breach on February 25, 2026 and notified 308,777 affected individuals on March 27. Exposed data included names and passport numbers for most customers; DiscoverEU program participants had additional data exposed including ages, passport photocopies, addresses, bank account numbers, and some health data. Eurail notified EU data protection authorities under GDPR and advised password resets and vigilance against phishing.
Technical Details
- Initial Attack Vector
- Unauthorized actor transferred files from Eurail's AWS S3 buckets, Zendesk instance, and GitLab repositories on December 26, 2025; initial access vector not disclosed
- Vendor / Product
- Amazon Web Services S3; Zendesk; GitLab
Timeline
- 2025-12-26 Breach occurred
- 2026-03-27 Publicly disclosed
- 2026-03-27 Customers notified