Transport (NL/EU)

Eurail began issuing breach notifications to 308,777 customers in late April 2026, three months after the December 2025 incident in which an attacker accessed personal data including passport numbers, IBANs, and DiscoverEU pass details. The three-month gap between discovery and notification is under review by the Autoriteit Persoonsgegevens (Dutch DPA) and the European Data Protection Supervisor (EDPS), which holds jurisdiction over EU institutional data processing. GDPR Article 33 requires supervisory authority notification within 72 hours of awareness of a breach; the regulatory review focuses on that compliance gap (daily 2026-05-08). The exposed dataset covers EU member-state travellers who registered DiscoverEU passes; Swiss nationals who applied through bilateral arrangement may also be affected.