"While the company's investigation is ongoing, it revealed the data potentially affected includes: First and last names Dates of birth Genders Email addresses Home addresses Telephone numbers Passport numbers Passport issuing country Passport expiration date Customers who purchased a travel pass directly from Eurail/Interrail did not have a visual copy of their passports stored on company systems. However, the same is not true for those who received a pass through the DiscoverEU program, an Erasmus-funded initiative that invites travelers to explore the EU by rail. The European Commission published a separate notice about the Eurail breach, saying that in addition to the data specified in the company's email, DiscoverEU travelers may also have photocopies of their IDs, bank account reference numbers, and health data compromised."
""To our knowledge, there is currently no evidence that the data has been misused or publicly disclosed," it stated. "Eurail reassured the Commission that this is consistently being monitored by external cybersecurity specialists. "However, as a result of this incident, possible consequences for you may include: phishing and spoofing attempts, unauthorized access, and identity theft." Eurail promised the Commission it has secured the affected systems and "closed the vulnerability," as well as reset credentials and enhanced its security controls following the breach."
Eurail confirmed that customer information was stolen in a data breach, with notifications sent to affected customers beginning January 13 after an initial post on January 10. Potentially affected data includes names, dates of birth, genders, email and home addresses, phone numbers, passport numbers, issuing country, and passport expiration dates. Passengers who obtained passes via DiscoverEU may also have photocopies of IDs, bank account reference numbers, and health data exposed. Eurail reported no current evidence of misuse or public disclosure, secured affected systems, closed the vulnerability, reset credentials, enhanced security controls, and reported the incident to the Dutch data protection authority under GDPR.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]