Reed News

Data breaches hit Eurail and Swedish government systems

Key Points
  • Eurail/Interrail breach affected over 300,000 travelers, with stolen data sold on dark web.
  • CGI Sverige AB breach leaked complete source code of Sweden's e-government platform.
  • ByteToBreach threat actor commercially motivated, not state-sponsored.

Two major data breaches have simultaneously compromised European travel and Swedish government infrastructure, exposing millions of records and sensitive source code. The Eurail/Interrail breach affected over 300,000 travelers, while a separate attack on CGI Sverige AB leaked the complete source code of Sweden's e-government platform.

The Eurail/Interrail breach, first announced in December 2025 or January 2026, exposed personal information of over 300,000 travelers, according to multiple media reports. Stolen data is being sold on the dark web, with a sample dataset published on Telegram, according to multiple reports. The exposed information includes names, email addresses, passport numbers, contact details, bank account references, and health data, according to multiple reports. Eurail stated that it does not store bank or credit card information, nor visual copies of passports for direct customers. However, DiscoverEU program participants had visual copies of passports stored, according to multiple reports.

Eurail reported to the Oregon Department of Justice that 308,777 travelers were affected, according to multiple reports. The company has secured its systems and is working with cybersecurity specialists, advising customers to remain vigilant for phishing attempts and update passwords, according to multiple reports. Some customers are requesting compensation for passport replacement costs, according to affected customers who spoke to Metro. The Home Office stated that passport holders should decide whether to replace passports after a data breach.

In a separate incident, a threat actor calling itself ByteToBreach claims to have published sensitive information from CGI Sverige AB on the dark web, according to Threat Landscape and Dark Web Informer. According to ByteToBreach, the leak includes the complete source code for critical government services, API documentation, signing systems, and embedded credentials. The actor has made the source code available for free while selling citizen databases and electronic signing documents separately, according to ByteToBreach. ByteToBreach published the leaked materials on 12 March across multiple open web forums and file-sharing platforms, according to Threat Landscape and Dark Web Informer.

Source code for several programs appears to exist, and from what I can see, the hack looks genuine.

Anders Nilsson, Swedish IT security expert

CGI Sverige AB is the Swedish subsidiary of CGI Group, a global IT services firm that manages critical digital infrastructure for the Swedish government, according to multiple reports. The leaked data includes source code, passwords, and encryption keys, according to multiple media reports. The exposed code includes core government platforms: Mina Engagemang citizen services, the Signe electronic signature portal, and the Företrädarregister authorization system, according to International Cyber Digest. The leak also contains database passwords, SMTP credentials, keystore files, and embedded Git credentials, according to ByteToBreach. The system is used by Swedish authorities including Skatteverket for Bank-ID login, according to multiple reports.

CGI stated that the breach involved two internal test servers and no production environments are affected, according to multiple reports. However, Dagens Nyheter's review suggests some leaked files may be from production servers, specifically related to MCF's e-services, according to multiple reports. Myndigheten för civilt försvar (MCF) closed its e-services as a direct response to the CGI leak, according to multiple reports. The breach was discovered on March 12, 2026, according to CGI. ByteToBreach documented their attack methodology in the leak release, detailing how they achieved full compromise of CGI Sverige's infrastructure through a Jenkins CI/CD server, according to ByteToBreach. The attack chain involved exploiting Jenkins misconfigurations, escaping from the Docker container to the host via the Jenkins user's Docker group membership, pivoting through SSH private keys, extracting credentials from Java heap dump files, and executing OS commands through SQL copy-to-program pivots, according to ByteToBreach.
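
As an added illustration (not part of the original report, and not code from CGI or any party named in it), the Python below audits a build host for three preconditions named in the described chain: the CI account's membership in the `docker` group, Java heap dump files left on disk, and private key files in the scanned tree. The account name `jenkins`, the function names and the sample files are assumptions constructed for the example.

```python
import os
import tempfile

CI_USER = "jenkins"  # assumption: name of the CI service account

def docker_group_members(group_text):
    """Parse /etc/group-format text; return supplementary members of 'docker'."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []

def classify(path):
    """Return a finding label for one file, or None if nothing is flagged."""
    if path.lower().endswith(".hprof"):  # Java heap dumps hold in-memory secrets
        return "java-heap-dump"
    try:
        with open(path, "rb") as fh:
            head = fh.read(2048)
    except OSError:
        return None
    if b"-----BEGIN" in head and b"PRIVATE KEY-----" in head:
        return "private-key"
    return None

def audit(root, group_text, ci_user=CI_USER):
    """Collect sorted (label, detail) findings for a tree and a group file."""
    findings = []
    if ci_user in docker_group_members(group_text):
        findings.append(("ci-user-in-docker-group", ci_user))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            label = classify(full)
            if label:
                findings.append((label, os.path.relpath(full, root)))
    return sorted(findings)

def demo():
    """Audit a constructed directory tree and a constructed group file."""
    group_text = "root:x:0:\ndocker:x:998:jenkins,deploy\n"
    samples = {"id_ed25519": b"-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n",
               "java_pid4242.hprof": b"constructed placeholder\n",
               "build.log": b"BUILD SUCCESS\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit(root, group_text)
```

On a real host, pass the contents of `/etc/group` and the CI account's home or workspace directory to `audit()`. Membership through the account's primary group in `/etc/passwd` is not covered by this check.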

This compromise belongs clearly to CGI infrastructure.

ByteToBreach, Threat actor

ByteToBreach is a relatively new threat actor, commercially motivated, and not state-sponsored, according to cybersecurity experts André Catry and Marcus Murray. This is the same actor behind the Viking Line breach posted one day earlier, suggesting an active campaign against Swedish infrastructure via CGI's managed services footprint, according to multiple reports. ByteToBreach previously leaked data from Viking Line, according to multiple reports. According to ebuildersecurity.com, Swedish IT security expert Anders Nilsson described the hack as genuine, noting that source code for several programs appears to exist.

The full extent of production data compromised in the CGI breach remains unknown. It is unclear whether any Swedish government systems or citizen data are directly impacted by the CGI leak. The number of individuals affected by the CGI breach has not been confirmed. About 96% of Sweden's 10.7 million population used e-government services in 2025, according to Eurostat. Shiny Hunters claims to have obtained 350 GB of data, but this has not been verified. The specific security measures being taken by Swedish authorities in response to the CGI breach have not been detailed. There is no known connection between the Eurail and CGI breaches.
