Eurail breach exposes passport data, fuels dark web identity trade

Stolen traveler records highlight KYC risks as identity 'fullz' markets thrive

The fallout from a data breach at Eurail is raising fresh concerns about identity fraud, after stolen personal data from more than 300,000 customers surfaced for sale on the dark web.

The fear and anxiety caused by data breaches are playing out across Europe as reports show the insidious influence of the dark web and its sale of identities. The fallout from a Eurail data breach is rippling out, with the Dutch seller of Interrail passes for train travel across Europe left picking up the pieces.

A vast number of travellers have been affected and many are seeking to replace their passports at their own expense. Problems began with a cyberattack in December, when hackers accessed the personal details of more than 300,000 Eurail customers. The breach was severe in terms of the personal details copied by the attackers.

Personal data such as passport numbers, names, phone numbers, email and home addresses and dates of birth were accessed. But things took a darker turn last week when Eurail confirmed that the stolen data was now being offered for sale on the dark web, with a sample dataset even posted on Telegram.

The revelation caused fear, anger and logistical headaches for many travellers. The Guardian reported that a UK traveller was told by the Passport Office to cancel her passport and now faces paying more than £100 (US$135.52) for a replacement.

The European Commission undertook an investigation to find out the full scope of the Eurail incident and its potential impact. This was the result of the involvement of participants in DiscoverEU, a youth scheme for funded travel across Europe, which is financed under the Erasmus+ programme. In January, an update said the European Data Protection Supervisor was notified about the personal data breach in accordance with regulations.

Gerard Tubb, a former journalist from Yorkshire, told The Guardian that the sheer volume of data stolen was enough for someone to convincingly impersonate him. Others have called for collective action to seek compensation under GDPR.

Eurail has urged customers to stay vigilant, update passwords and watch for suspicious messages, insisting it regrets the incident and is working to mitigate the impact. But for many, the apology is not sufficient. They argue that if their data had been properly protected, they wouldn’t now be facing the cost and stress of safeguarding their identities.

Eurail is still notifying affected customers but said that all those whose details appeared in the sample published on Telegram have been notified.

Dark web digital identity calculator puts focus on monetary worth

NordVPN has created a free calculator to determine how much your digital identity may be worth online. Users can input their country of residence, their personal documents and social media accounts, among other criteria. The VPN provider then calculates “your estimated identity value.”

According to NordVPN, dark web listings for identity documents such as passports and driver’s licenses are comparatively rare, with most IDs traded as digital scans. More sophisticated fraudsters may opt to purchase “fullz” — complete identity packages that include personal details like Social Security numbers, with the majority of fullz coming from the U.S. due to years of data breaches, which have driven down prices.

Other analysis has found that widely accessible dark web markets and forums offer low-cost ways to assemble packages capable of defeating standard KYC checks. This booming trade in stolen and fabricated identities on the dark web is exposing weaknesses in biometric verification systems.

According to the sweep of more than 75,000 dark web market listings conducted by NordVPN and NordStella, hacked social media accounts retail for around $40 on the dark web. The majority of these are Facebook accounts, which account for up to 40 percent of all stolen accounts sold online. These logins can also allow access to linked Instagram accounts, business pages or advertising tools.

For ecommerce, NordVPN found 125 Amazon accounts on sale, with an average price of $77, which put Amazon far in front as the leading ecommerce account type on sale on the dark web. In second place were Walmart accounts, with an average price of $31.82.

The NordVPN research pointed to the emerging threat of identities taken from gaming platforms such as Steam, Roblox and the PlayStation Network (PSN), with the average selling price of a Steam account being $88.75.

“Steam has become something of a gateway for young threat actors,” the report says. “Many known criminals started out reselling accounts in gaming forums before transitioning to more serious cybercrime.”

Financial accounts, perhaps as expected, had high average selling prices. Chase and Bank of America accounts were the leading and second-leading types found on sale, with respective average prices of $619 and $417. Wise accounts had the highest average price, at $803.

“Every online account you own has a price tag on the dark web,” said Marijus Briedis, chief technology officer at NordVPN. “Your streaming subscriptions, your email, your bank login, your social media profiles.”

“Most people would be shocked at how little it costs a criminal to buy their entire digital identity.”
