European rail pass provider Eurail has confirmed that customer data stolen recently by hackers has been offered for sale.
The Netherlands-based company disclosed a data breach in mid-January, informing the public that the personal, order, and travel reservation information of customers who were issued a Eurail pass may have been compromised. Those who reserved a seat through Eurail may also be affected.
Eurail said at the time that hackers accessed systems storing basic identity and contact information, along with passport data.
In the case of individuals who received a DiscoverEU pass, compromised information can also include passport copies, health data, and bank account numbers.
In an update shared late last week, Eurail said the stolen data is up for sale on the dark web, with sample data shared on a Telegram channel.
“We are currently investigating which specific data records or how many of the affected customers this concerns,” the company said.
While Eurail says the data has been offered for sale on the dark web, SecurityWeek has also seen it on a surface web cybercrime site.
The hackers claim to have stolen roughly 1.3 TB of data from AWS S3, Zendesk, and GitLab instances.
According to the cybercriminals, the stolen data includes Eurail source code from GitLab, support tickets from Zendesk, and database backups from AWS S3.
The hackers claim the database backups include the personal information of “millions of Eurail/Interrail customers”, including names, dates of birth, phone numbers, email addresses, postal addresses, and passport information.
On their Telegram channel the hackers said negotiations with Eurail have failed and they plan on publicly releasing all the stolen data if they don’t find a buyer.
“If the company would like to prevent publication/sale of this data, they can resume negotiation,” they said.
Based on SecurityWeek’s analysis, several of the database files offered for sale appear to have between 50,000 and 17 million records.
Related: Dior, Louis Vuitton, Tiffany Fined $25 Million in South Korea After Data Breaches
Related: Dutch Carrier Odido Discloses Data Breach Impacting 6 Million
Related: Conduent Breach Hits Volvo Group: Nearly 17,000 Employees’ Data Exposed
