The announcement came in a letter filed with the California attorney general, in which the company said hackers put credit card-skimming malware on its website between late-November 2017 and mid-February 2018.
The company said credit card numbers, expiration dates, and card verification codes were stolen -- everything needed by a fraudster to carry out unauthorized purchases. The hackers also stole name, gender, delivery and invoicing addresses, phone numbers, email addresses, and in some cases usernames and passwords of customers on the website.
Users should change their passwords. If the same username and password set is used on any other site, they should be changed, too.
Rail Europe said it "replaced and rebuilt" compromised systems from known-to-be safe code. Although the company didn't say how the hackers breached its systems to install the credit card-skimming code, the letter added that passwords were changed and certificates were renewed following the hack.
It's not known how many customers are affected. California data breach law mandates that any breach affecting more than 500 state residents has to publicly list the breach notification with the state attorney general's office.