The list was discovered during a recent review of the SBB’s fare-dodger database by the federal data protection agency, the SonntagsZeitung newspaper reported.
The database contained the names of more than half a million public transport users, the newspaper said.
But around half of this number related to incidents more than two years old, which the SBB by law was not permitted to keep, an official from the data protection agency told the newspaper.
The state-owned railway had previously maintained that it automatically removed names from the list after two years.
In fact, it kept the names much longer, including those who were valid holders of passes who had forgotten them at home when checked.
“The long retention (of names) violates the principle of proportionality and thus goes against the Data Protection Act,” Elaine Schmid, a spokeswoman for the Swiss data protection agency told SonntagsZeitung.
SBB spokesman Stephan Wehrle confirmed to the newspaper that the SBB had never deleted the customer data but he said this was due to a technical computer problem “which, unfortunately was not noticed until late”.
A legal deadline for the deletion of such data after two years was introduced earlier this month.