Baltic ferry operator hacked

Viking Line confirms data breach, customer tax-free pre-order records stolen

Nordic Observer · March 11, 2026 at 20:21
  • Stolen data relates to pre-order transactions where passengers book duty-free products before sailing
  • Viking Line operates routes connecting Finland, Sweden, Estonia, and the Åland Islands, meaning affected customers span several jurisdictions
  • The company has not disclosed how many customers are affected or what specific data categories were exposed
  • Under GDPR, Viking Line is required to notify data protection authorities in Finland and Sweden within 72 hours of discovering a breach

Viking Line, the Finnish-Swedish ferry operator carrying millions of passengers annually across the Baltic Sea, has confirmed that customer data from its tax-free pre-order system was stolen in a data breach. Communications director Christa Grönlund confirmed the incident by email, as reported by Iltalehti, stating that the breach specifically concerns so-called pre-order transactions — a service allowing passengers to purchase duty-free goods in advance of their voyage.

What Viking Line has not disclosed is arguably more important than what it has. The company has offered no figure for the number of affected customers, no breakdown of the data categories compromised, and no public statement on whether payment information was among the stolen records. Pre-order systems typically collect names, booking references, email addresses, and in many cases payment details — the precise combination that makes stolen data commercially valuable on criminal markets.

The breach carries cross-border implications. Viking Line operates routes between Finland, Sweden, Estonia, and the autonomous Åland Islands, drawing passengers from across the region. That geographic spread also creates regulatory complexity. Under the EU's General Data Protection Regulation, Viking Line is obligated to notify the relevant supervisory authority — in this case Finland's Data Protection Ombudsman, as the company is headquartered in Mariehamn on Åland — within 72 hours of becoming aware of a breach likely to pose a risk to individuals' rights. If the breach affects data subjects in Sweden and Estonia, those countries' authorities must also be informed. Whether Viking Line has met these obligations remains unclear; the company has not said.

The incident fits a pattern across Nordic transport and logistics firms, which have become frequent targets as they digitise booking, payment, and loyalty systems while often running legacy infrastructure underneath. SAS, Norsk Hydro, and Coop Sweden have all suffered significant cyber incidents in recent years. Ferry operators are particularly exposed: they process high volumes of personal and financial data across multiple jurisdictions, often through third-party booking platforms with their own vulnerability surfaces.

For Viking Line, the reputational stakes are considerable. The company reported revenues of €507 million in 2023 and competes fiercely with Tallink and Silja Line for Baltic market share — a market where customer loyalty programs and pre-order discounts are key differentiators. A breach that makes passengers hesitant to enter card details before boarding hits directly at that business model.

Viking Line's pre-order page, as of publication, remains operational.

Sources: Iltalehti