Are Travel eSIMs Putting Your Data at Risk? Key Findings From a New Study

Travel eSIMs have become a favored solution for globetrotters seeking seamless connectivity without the hassle of switching physical SIM cards. However, recent research from Northeastern University has shed light on alarming issues that may compromise your privacy and data security. A detailed analysis of 25 popular eSIM providers, such as Airalo, Google Fi, and Holafly, reveals that many of these services route user data through unexpected regions, including China and other countries, exposing travelers to potential surveillance and jurisdictional risks.
Opaque Routing and Privacy Concerns
At the heart of the report is the troubling discovery that user data often exits through third-party countries without the consumer’s knowledge. For instance, researchers found instances where European users’ internet traffic was routed through Asia, potentially bypassing regional privacy laws, such as the General Data Protection Regulation (GDPR) in the EU. This practice exposes travelers to risks of surveillance, data interception, and even legal non-compliance without their informed consent.
This lack of transparency around data routing is particularly concerning. Many eSIM providers fail to disclose where traffic is routed, leaving users unaware of potential privacy breaches. Experts, like telecom analyst Patrick Donegan, argue that this undermines user trust and could contravene international data protection standards. While some providers defend these practices as necessary for operational efficiency, the potential risks to users far outweigh these justifications.
Silent Activities and Security Gaps
Another major concern highlighted by the study involves “silent” network activities by certain eSIM profiles. For example, a profile from eSIM Access was observed connecting to a server in Singapore without any user action, while a Holafly profile retrieved an SMS from a Hong Kong-based number automatically. These actions occur without user consent, raising significant concerns about data leakage and unauthorized usage. Such silent activities could also pave the way for profiling, tracking, or even targeted surveillance.
Furthermore, this functionality opens the door to fraud. In the UK, instances of SIM-swap attacks—a growing form of eSIM-related fraud—saw a significant rise from under 300 cases in 2023 to nearly 3,000 in 2024. Losses from this type of cybercrime are estimated to have crossed £5 million, disproportionately affecting vulnerable groups like elderly users.
The Problem With eSIM Reselling
The research also uncovered the surprisingly low barriers to entry for becoming an eSIM reseller. Platforms like Telnyx and eSIMaccess allow individuals to set up their own shops with minimal requirements, such as a valid email and a payment method. This lack of oversight means resellers can potentially gain access to sensitive user data, including International Mobile Subscriber Identity (IMSI) numbers and device location information accurate to within 800 meters. In some cases, resellers could even send unsolicited SMS messages to users, creating an exploitable fraud vector.
What Does the Future Hold?
As eSIM adoption continues to rise, with an estimated 7 billion eSIM devices projected by 2030, the need for transparency and accountability is crucial. Solutions such as “Country of Residence IP” options, like those implemented by Ubigi, are beginning to address user concerns by allowing travelers to select localized routing paths. In the long term, experts foresee that providers who prioritize transparency around network routing and security measures will gain a competitive edge.
Ultimately, travelers are advised to exercise caution when selecting eSIM services. Pay attention to providers’ policies on data routing and make informed choices about where your traffic will travel. Until stricter regulations and clearer guidelines are enforced, the onus remains on consumers to protect their data while taking advantage of the convenience offered by travel eSIMs.