An official website of the European Union An official EU website

This site uses cookies. Visit our cookies policy page or click the link in any footer for more information and to change your preferences.

Accept all cookies Accept only essential cookies
European Union European Union
English EN
EuropeanYouthPortal
Questions?

UPDATED: Data Security Incident affecting DiscoverEU travellers

Last updated on Tuesday, 13/01/2026

Dear DiscoverEU travellers, We regret to inform you that a personal data breach has occurred in the IT systems of our DiscoverEU supplier Eurail B.V. that may affect your personal information. Protecting your data is of crucial importance to us. We are committed to act in full transparency about this situation and we will take all measures at our disposal to minimise the impact of the incident.

Update - On behalf of the European Commission’s Directorate-General for Education, Youth, Sport and Culture and the European Education and Culture Executive Agency (EACEA), Eurail has contacted potentially affected DiscoverEU participants. 

What happened

The Commission was informed that Eurail B.V. experienced a security breach within their IT systems. This breach resulted in unauthorised access to Eurail B.V. data, including personal data of participants in the DiscoverEU action, financed under the Erasmus+ programme. The European Commission takes this matter very seriously. An investigation to determine the full scope of the incident with Eurail B.V. and its potential impact is ongoing.

According to Eurail B.V., the identity and exact number of persons affected is unknown at this stage. 

The Commission is closely following the ongoing investigation and working to ensure that all possible measures to mitigate the incident are taken.

What personal data may be involved

The personal data affected may include data that you have provided (where applicable):

  • name, surname, date of birth or age, passport/ID information or photocopies,
  • email address, postal address and country of residence, phone number,
  • bank account reference (IBAN),
  • data concerning health. 
What this means for you

To our knowledge, there is currently no evidence that the data has been misused or publicly disclosed. Eurail reassured the Commission that this is consistently being monitored by external cybersecurity specialists. 

However, as a result of this incident, possible consequences for you may include:

  • phishing and spoofing attempts,
  • unauthorized access,
  • identity theft.
What we are doing

Eurail B.V. has taken the following steps to address the incident and reduce any potential impact:

  • securing the affected systems and closing the vulnerability
  • resetting access credentials
  • enhancing monitoring and security controls
  • working with external cybersecurity specialists, including to monitor potential misuse of any data
  • continuing a detailed forensic investigation into the incident to determine the full scope of the issue and its potential impact on your data
  • cooperating with the relevant authorities, as required by law. 
What you can do

The general recommendations in data breach cases are the following:

  • Change passwords linked to your email address, social media, and banking for example,
  • Remain alert for suspicious and/or unsolicited emails or messages,
  • Be attentive not to share personal information with new contacts who approach you in the frame of the DiscoverEU programme, unless you are sure of their authenticity,
  • Pay particular attention to any unusual transaction in your bank account and report them to your bank immediately,
  • Report to the competent data protection authority any other suspicious activity if you think your personal data are used in a malicious way.
Contact information

DG EAC is the primary contact point for affected users of DiscoverEU at the following e-mail address:  EAC-DiscoverEU-Security@ec.europa.eu.

The European Data Protection Supervisor was notified about the personal data breach in accordance with the European Commission’s obligations under the applicable data protection legislation. 

We will keep you posted with updates on the incident on this website, as information becomes available.

We sincerely regret any inconvenience or concern this may cause and remain fully committed to protecting your personal data.

DiscoverEU users have the right to address the Data Protection Officer of the European Commission, if they consider that their rights as data subject, which they have exercised with DG EAC, are not being fully respected.

Name of the Data Protection Officer: Michelle SUTTON

Email: DATA-PROTECTION-OFFICER@ec.europa.eu

 

For more information, consult this list of Frequently Asked Questions

 


European Union logo
Discover more on europa.eu
Contact the EU
Social media
Legal
EU institutions and bodies