Eurail breach exposes passport data, fuels dark web identity trade

The fallout from a data breach at Eurail is raising fresh concerns about identity fraud, after stolen personal data from more than 300,000 customers surfaced for sale on the dark web.

The fear and anxiety caused by data breaches are playing out across Europe as reports show the insidious influence of the dark web and its sale of identities. The fallout from a Eurail data breach is rippling out, with the Dutch seller of Interrail passes for train travel across Europe left picking up the pieces.

A vast number of travellers have been affected and many are seeking to replace their passports at their own expense. Problems began with a cyberattack in December, when hackers accessed the personal details of more than 300,000 Eurail customers. The breach was severe in terms of the personal details copied by the attackers.

Personal data such as passport numbers, names, phone numbers, email and home addresses and dates of birth were accessed. But things took a darker turn last week when Eurail confirmed that the stolen data was now being offered for sale on the dark web, with a sample dataset even posted on Telegram.

The revelation caused fear, anger and logistical headaches for many travellers. The Guardian reported that a UK traveller was told by the Passport Office to cancel her passport and now faces paying more than £100 (US$135.52) for a replacement.

The European Commission undertook an investigation to find out the full scope of the Eurail incident and its potential impact. This was the result of the involvement of participants in DiscoverEU, a youth scheme for funded travel across Europe that is financed under the Erasmus+ programme. In January, an update said the European Data Protection Supervisor was notified about the personal data breach in accordance with regulations.

Gerard Tubb, a former journalist from Yorkshire, told The Guardian that the sheer volume of data stolen was enough for someone to convincingly impersonate him. Others have called for collective action to seek compensation under GDPR.

Eurail has urged customers to stay vigilant, update passwords and watch for suspicious messages, insisting it regrets the incident and is working to mitigate the impact. But for many, the apology is not sufficient. They argue that if their data had been properly protected, they wouldn’t now be facing the cost and stress of safeguarding their identities.

Eurail is still notifying affected customers but said that all those whose details appeared in the sample published on Telegram have been notified.

Dark web digital identity calculator puts focus on monetary worth

NordVPN has created a free calculator to determine how much your digital identity may be worth online. Users can input their country of residence, their personal documents and social media accounts, among other criteria. The VPN provider then calculates “your estimated identity value.”

According to NordVPN, dark web listings for identity documents such as passports and driver’s licenses are comparatively rare, with most IDs traded as digital scans. More sophisticated fraudsters may opt to purchase “fullz” — complete identity packages that include personal details like Social Security numbers, with the majority of fullz coming from the U.S. due to years of data breaches, which have driven down prices.

Other analysis has found that widely accessible dark web markets and forums offer low cost ways to assemble packages capable of defeating standard KYC checks. This booming trade in stolen and fabricated identities on the dark web is exposing weaknesses in biometric verification systems.

According to the sweep of more than 75,000 dark web market listings conducted by NordVPN and NordStella, hacked social media accounts retail for around $40 on the dark web. The majority of these are Facebook accounts, which account for up to 40 percent of all stolen accounts sold online. These logins can also allow access to linked Instagram accounts, business pages or advertising tools.

In ecommerce, NordVPN found 125 Amazon accounts on sale, with an average price of $77, putting Amazon far in front as the leading ecommerce account type on sale on the dark web. In second place were Walmart accounts with an average price of $31.82.

The NordVPN research pointed to the emerging threat of identities taken from gaming platforms such as Steam, Roblox and the PlayStation Network (PSN), with the average selling price of a Steam account being $88.75.

“Steam has become something of a gateway for young threat actors,” the report says. “Many known criminals started out reselling accounts in gaming forums before transitioning to more serious cybercrime.”

Financial accounts, perhaps as expected, had high average selling prices. Chase and Bank of America accounts were the leading and second-leading found on sale, with respective average prices of $619 and $417. Wise accounts had the highest average price of $803.

“Every online account you own has a price tag on the dark web,” said Marijus Briedis, chief technology officer at NordVPN. “Your streaming subscriptions, your email, your bank login, your social media profiles.”

“Most people would be shocked at how little it costs a criminal to buy their entire digital identity.”

Armenia approves legal framework for biometric passport and ID rollout

The Armenian government has approved amendments to a package of laws related to identity documents, creating a unified legislative framework for implementing a biometric passport and ID card system.

The amendments to the law On Identity Documents were approved by the Cabinet of Ministers on Thursday, paving the way for consolidating different regulations on IDs into a single law, according to Minister of Internal Affairs Arpine Sargsyan.

“There are also plans to legislatively regulate the relationship between the state and the private partner as part of the implementation of the biometric system,” Sargsyan adds.

Armenia signed a private-public partnership (PPP) agreement with Haypass in April last year to implement the ID document system. Haypass is a consortium established in 2024 between Idemia Identity Security France and ACI Technology S.à.r.l. to develop the biometric ID infrastructure. The planned system includes biometric ID cards designed by IN Groupe for foreigners, stateless individuals and permanent residents. IN Groupe acquired the Idemia Smart Identity division last year.

Issuance is scheduled to begin in the second half of 2026.

The newly adopted amendments also bring other changes, including making ID cards mandatory for Armenian citizens aged 16 or older. All documents for foreigners, refugees and stateless persons will also become biometric.

An ID card will also be required to obtain a biometric passport, according to Sargsyan. The country plans to bring all travel documents into compliance with ICAO Standard 9303, she adds.

The country is implementing new biometric documents as part of the Visa Liberalization Action Plan with the EU, which requires reforms in document security, migration management, and other areas to secure visa-free travel to the Schengen area.

The new documents will also enable greater digitalization and encourage the use of digital services, according to the Armenian government.

Australian regulators come together on privacy, online safety

The relationship between various regulatory bodies across the privacy and online safety spectrum can be difficult to parse. Australia’s two major digital regulators, eSafety and the Office of the Australian Information Commissioner (OAIC), are simplifying things by signing a memorandum of understanding (MoU) on working together to protect privacy and safety online.

The MoU aims to “guide and facilitate the parties’ collaboration, cooperation and mutual assistance in the performance of their respective statutory functions, and provide transparency about the parties’ efforts to coordinate activities and minimize duplication.” Under the terms, the parties will designate liaison contact officers to facilitate communication and exchange of information.

Generally, the document is a promise to work together in harmony on issues pertaining to the Privacy Act, the Online Safety Act, and the topics they address – including biometric data collection and age assurance requirements under the Social Media Minimum Age obligation.

“Both regulators have always recognized that combating certain harms requires privacy and safety to go hand in hand,” says eSafety Commissioner Julie Inman Grant. “For example, at eSafety we knew from the outset our implementation of the Social Media Minimum Age would need to recognize important rights, including the right to privacy. Our commitment to continue working collaboratively with the OAIC gives formal recognition to that principle and sets out how we will balance and promote privacy and safety for everyone.”

Inman Grant says the collaboration is timely, given new risks emerging with large language models (LLMs) and other AI technologies.

Australian Information Commissioner Elizabeth Tydd says that, with the MoU, “we’re not only formalizing cooperation, but building a foundation where privacy protections and online safety initiatives can better address specific harms side by side, ensuring Australians can be protected when interacting online.”

Four gaming platforms get transparency notices from eSafety

High on the list of issues for the newly-paired agencies to address is the problem of grooming, sexual exploitation and radicalization on online gaming platforms. A release from eSafety says it has handed “legally enforceable transparency notices” to Roblox, Minecraft, Fortnite and Steam, “amid concerns online games are being used by sexual predators to groom children and by extremist groups to spread violent propaganda and radicalize young people.”

Most Australian kids use one or more of these platforms. According to research by eSafety, around 9 in 10 children aged 8 to 17 in Australia play or have played online games. As such, the commissioner wants to know what these platforms are doing to identify and prevent harms, and asks how their systems, staffing and design choices are aligned with the Australian Government’s Basic Online Safety Expectations.

“Gaming platforms are amongst the online spaces most heavily used by Australian children, functioning not only as places to play, but also as places to socialize and communicate,” says eSafety head Julie Inman Grant. “Predatory adults know this and target children through grooming or embedding terrorist and violent extremist narratives in gameplay, increasing the risks of contact offending, radicalization and other off-platform harms.”

Because these platforms allow users to craft and share their own games, content can be created to normalize atrocities: for instance, gamifying the operation of a concentration camp, or the January 6 Capitol Building riot in the U.S.

“We’ve seen numerous media reports about grooming taking place on all four of these platforms as well as terrorist and violent extremist-themed gameplay. This includes Islamic State-inspired games and recreations of mass shootings on Roblox, as well as far right groups recreating fascist imagery in Minecraft.”

“These companies must take meaningful steps to prevent their services becoming onramps to abuse, extremist violence, radicalization or lifelong harm.” Per the release, a breach of a direction to comply with a code or standard can result in penalties of up to $49.5 million (roughly US$35.5 million) per breach, and failing to respond to a transparency reporting notice can lead to penalties of up to $825,000 (about US$590,000) a day.

Of the four platforms in eSafety’s sights, Roblox has gotten the worst press and the most legal scrutiny. This week, it agreed to pay a combined US$35.8 million to settle child online safety cases with the attorneys general of Nevada, Alabama and West Virginia.

It also has Australia’s attention. Under the Online Safety Codes and Standards, Roblox “committed to make a number of key changes earlier this year to protect children including more stringent age assurance, making accounts belonging to under 16s private by default, and introducing tools to prevent adult users from contacting under 16s without parental consent.” Testing on the implementation of these commitments will “validate their effectiveness.”

Canadian government worried Roblox is radicalizing youth

Roblox recently launched new age-tiered accounts, and has regularly pledged to be a leader on online safety. Despite its efforts, concerns continue to rise over how adults are using gaming sites to lure children. The Logic has a report on a Public Safety Canada brief obtained through a freedom of information request, which singles out Roblox for being “of particular relevance as an entry point where vulnerable children and youth are targeted by malicious actors.”

Its unique combination of social interaction, user generated content and young user base means “Roblox may impact youth radicalization in unexpected ways.”

Canada is considering a social media age restriction and attendant age verification rules similar to Australia’s. Culture Minister Marc Miller, who is expected to table online safety legislation this year, says “the gaming industry is different than other platforms, and the more that they become sort of social media-ish, the more they expose themselves to responsibility and potentially regulation.”