Eurail, a well-resourced European rail pass company with a global customer base, suffered a serious data breach on 26 December 2025. Breach notification letters did not reach affected individuals until 27 March 2026, three months after the unauthorised actor had already walked out of the network with everything they came for. If that timeline feels uncomfortable, it should. That is a long time for stolen passport data to be in circulation before the people it belongs to have any reason to be on guard.
The scale of the incident is significant. 308,777 individuals in the United States alone were affected, including customers who had purchased passes through partner channels rather than directly from Eurail. That detail matters: people were exposed through a company they may never have dealt with directly. Among those affected were 4,108 Texas residents, 242 New Hampshire residents, and 206 Vermont residents, each group triggering a separate notification obligation under that state's breach disclosure law. Multiply that across multiple US states and European jurisdictions, and the regulatory and administrative burden is considerable before a single line of the underlying security problem has been addressed.
In February 2026, a hacker publicly claimed responsibility for the attack, stating they had stolen 1.3 TB of data including source code, database backups, and Zendesk support tickets. According to the hacker’s account, Eurail declined to negotiate, at which point the attacker chose to go public. That sequence of events is instructive. The breach itself was damaging. The ransom refusal was arguably the right decision. But the outcome — public disclosure by the attacker, on the attacker’s timetable — meant Eurail lost control of the narrative entirely. The company was reacting to a hacker’s press release rather than managing its own communications.
What was actually stolen makes the fraud risk acute. The breach compromised the names and passport numbers of more than 308,000 individuals. That pairing is what makes the data dangerous: a name and a passport number together satisfy the identity checks that many services, from travel bookings to account recovery, rely on, which is why both Eurail and the European Commission warned affected individuals about phishing, spoofing, unauthorised access attempts, and identity theft arising directly from the passport details involved. Unlike a stolen password, a passport number cannot simply be reset. Replacing a passport is slow and costly, and it is not something the breached company can do on the customer's behalf, so the exposure persists long after the intrusion itself has been cleaned up.
What this means if your WordPress site holds customer data
Eurail is not a small operation running on a neglected server. The breach is a reminder that the underlying risk — an unauthorised intrusion that goes undetected, exfiltrates data at scale, and triggers regulatory obligations across multiple jurisdictions — is not unique to large enterprises. Any business that collects and retains customer data faces a version of this exposure. That includes businesses running WordPress sites with membership areas, booking systems, WooCommerce stores, or contact forms that feed into a CRM.
WordPress powers a significant proportion of the web, including a large number of serious business applications. Membership plugins, appointment booking tools, and e-commerce functionality all create databases of personal information. In many cases, business owners have little visibility into exactly what is being stored, where it is stored, or how long it is retained. A customer who books a service, creates an account, or makes a purchase may leave behind a record that sits in a database for years — and that record is a liability if the site is ever compromised.
The regulatory dimension is worth taking seriously. Under GDPR, a personal data breach must be reported to the relevant supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the individuals concerned, and where the risk is high the individuals themselves must be told without undue delay. In the United States, state breach notification laws vary in their thresholds and timelines, but the principle is similar: once you know, the clock starts. Note what that clock does not cover. The statutory deadline runs from awareness, while the harm runs from the intrusion itself, and in the Eurail case the intrusion on 26 December and the notification letters on 27 March were three months apart. Every week an intruder spends undetected is a week of exposure that will later have to be disclosed, explained, and paid for, so a gap of that size is not a viable position for most businesses, and the consequences of getting the notification process wrong add cost and legal exposure on top of the breach itself.
Treating security as a business continuity matter
The practical steps I recommend for any business running WordPress with customer-facing functionality are straightforward in principle, even if the implementation requires care:
- Audit what you collect. Review every form, plugin, and integration on your site and identify what personal data is being gathered, where it ends up, and who can read it. Contact-form plugins that keep submissions in the database, membership and booking plugins, and WooCommerce customer and order records are the usual places personal data accumulates unnoticed, along with anything the site forwards to a CRM or mailing list.
- Minimise retention. If you do not need data beyond a certain point, delete it, and make sure backups and exports follow the same rule: the Eurail attacker claimed to have taken database backups, not just the live database. Data you do not hold cannot be stolen.
- Restrict access. Limit which user accounts can reach sensitive data, and apply the principle of least privilege to roles. Staff who process orders on a WooCommerce store need the Shop Manager role, not Administrator, and every Administrator account is a full-site compromise waiting on one phished password.
- Monitor for intrusion. Logging and alerting can surface unusual activity, such as one client pulling far more records or bytes than any normal visitor would, before an attacker has had three months to work undisturbed. Logs only help if they are retained somewhere the attacker cannot delete them and someone actually reviews the alerts.
- Keep software current. The majority of successful WordPress compromises exploit known vulnerabilities in outdated plugins, themes, or core installations, and a published vulnerability in a popular plugin is scanned for across the whole web very soon after disclosure.
- Have a response plan. Know in advance who you would notify, and in what order, if you discovered a breach tomorrow: your hosting provider, the supervisory authority, affected customers, and, where it applies, your insurer. Decide now who preserves logs and backups for investigation, because the first instinct of restoring from backup and moving on destroys the evidence that tells you what was taken.
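To make the monitoring step concrete, here is an added example that is not from the original post and is not anything Eurail ran: a small Python script that reads web server access logs in the common combined format and flags the kind of activity that precedes bulk theft on a WordPress site. It looks for three things: bursts of user enumeration through the two well-known routes (`/wp-json/wp/v2/users` and `/?author=N`), successful downloads of backup-like files from the web root (the page notes the attacker claimed database backups), and any single client receiving an implausible volume of response bytes. The log lines, IP addresses, file names and thresholds are constructed for illustration and should be tuned to your own traffic.

```python
"""Flag enumeration, backup-download and bulk-transfer patterns in access logs.

Added example, not from the original post. Regexes, thresholds and the
sample log lines are constructed for illustration.
"""
import re
from collections import defaultdict

# Combined log format as written by nginx/Apache by default. Assumed layout;
# adjust the pattern if your host uses a custom log_format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Two standard WordPress user-enumeration routes: the REST users endpoint
# and the ?author=N redirect to the author archive.
ENUM_RE = re.compile(r'^/wp-json/wp/v2/users(?:/|\?|$)|^/\?author=\d+')
# File extensions that should never be served from a web root.
BACKUP_RE = re.compile(r'\.(?:sql|sql\.gz|zip|tar\.gz|bak)(?:\?|$)', re.IGNORECASE)
# The core export tool dumps the whole site as XML.
EXPORT_RE = re.compile(r'^/wp-admin/export\.php')

# Constructed thresholds; pick values from a quiet week of your own logs.
ENUM_THRESHOLD = 20                 # enumeration requests per client IP
BYTES_THRESHOLD = 50 * 1024 * 1024  # total response bytes per client IP


def parse(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def analyse(lines):
    """Aggregate per client IP and return (ip, finding, detail) tuples."""
    per_ip = defaultdict(lambda: {"enum": 0, "bytes": 0, "backup": [], "export": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable line: count separately in real deployments
        stats = per_ip[rec["ip"]]
        stats["bytes"] += rec["bytes"]
        if ENUM_RE.search(rec["path"]):
            stats["enum"] += 1
        if rec["status"] == 200 and BACKUP_RE.search(rec["path"]):
            stats["backup"].append(rec["path"])
        if rec["status"] == 200 and EXPORT_RE.search(rec["path"]):
            stats["export"] += 1

    findings = []
    for ip, s in sorted(per_ip.items()):
        if s["enum"] >= ENUM_THRESHOLD:
            findings.append((ip, "user_enumeration", s["enum"]))
        if s["backup"]:
            findings.append((ip, "backup_download", sorted(set(s["backup"]))))
        if s["export"]:
            findings.append((ip, "wp_export", s["export"]))
        if s["bytes"] >= BYTES_THRESHOLD:
            findings.append((ip, "bulk_transfer", s["bytes"]))
    return findings


def sample_lines():
    """Constructed log: one ordinary visitor, then one client that walks the
    author IDs, lists users over REST and pulls a database dump."""
    lines = [
        '203.0.113.7 - - [26/Dec/2025:03:14:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [26/Dec/2025:03:14:05 +0000] "GET /about/ HTTP/1.1" 200 6210 "-" "Mozilla/5.0"',
    ]
    for n in range(1, 26):
        lines.append(
            f'198.51.100.23 - - [26/Dec/2025:03:20:{n:02d} +0000] '
            f'"GET /?author={n} HTTP/1.1" 301 0 "-" "curl/8.4"'
        )
    lines.append('198.51.100.23 - - [26/Dec/2025:03:21:00 +0000] '
                 '"GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 200 48210 "-" "curl/8.4"')
    lines.append('198.51.100.23 - - [26/Dec/2025:03:25:00 +0000] '
                 '"GET /backup/site-2025-12-25.sql.gz HTTP/1.1" 200 734003200 "-" "curl/8.4"')
    return lines


if __name__ == "__main__":
    for ip, kind, detail in analyse(sample_lines()):
        print(f"{ip:15} {kind:18} {detail}")
```

Run against a real log with `analyse(open("/var/log/nginx/access.log").readlines())`. The point of the example is not the thresholds but the shape of the check: aggregate per client, and look for behaviour that a human browsing the site would never produce. A client that requests twenty-five consecutive author IDs, then a hundred users over REST, then a `.sql.gz` file is not a customer. The same structure extends naturally to admin-ajax abuse or REST endpoints exposed by your own plugins.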
The Eurail breach is a concrete illustration of how quickly an undetected intrusion can escalate. One unauthorised access event on 26 December produced mandatory regulatory notifications across multiple US states, warnings from the European Commission, and a public disclosure driven by the attacker rather than the company — all before most affected customers had any reason to be concerned. The data that made this possible was not exotic: names and passport numbers held in the ordinary course of running a travel business.
If you are running a WordPress site that collects personal data and you are not confident in what you hold, how it is protected, or what your obligations would be if it were compromised, that is the conversation to have now rather than after an incident. Get in touch with me at The WordPress Guy and I will help you understand where your exposure sits and what a proportionate hardening programme looks like for your business.