Lidl has notified online shop customers in Germany, Belgium and the Netherlands that their personal data was stolen following a breach at an external IT service provider. The compromised records include customer salutations, first and last names, phone numbers, email addresses, dates of birth and customer numbers. Payment data was not taken. Lidl’s own online shop systems were not directly compromised.
The breach was discovered last week according to Security Affairs and BleepingComputer, both of which reported on Lidl’s customer notifications. Lidl has notified the relevant data protection authorities and advised affected customers to treat unexpected communications with caution.
Lidl has not publicly named the IT service provider involved which makes it impossible to assess how many other retailers or consumer-facing companies used the same vendor and may not yet know they are exposed. That silence is a problem.
What the Attackers Took and What They Did Not
The stolen data was held in a separately stored file at the external provider, not within Lidl’s core retail or payment infrastructure. No card numbers, bank details or account passwords were included in the compromised file. Lidl confirmed that the online shop’s own systems were unaffected.
That framing offers limited comfort. Names, email addresses, dates of birth and phone numbers in a single file is precisely the combination needed to run convincing impersonation attacks. An attacker who knows your name, date of birth and the email address tied to your Lidl account can craft a phishing message that bypasses most spam filters and looks credible to most recipients.
No CVE has been disclosed. The attack vector has not been described in technical terms by Lidl or any named researcher. At this stage, the breach mechanism is unknown.
Third-Party Providers Are the Recurring Weak Point
The Lidl incident follows a pattern that has become the dominant breach model across European retail, a major brand with reasonably mature internal security outsources a data-holding function to a smaller provider and that provider becomes the entry point. The brand takes the reputational hit while the provider remains unnamed.
NIS2 and GDPR both impose supply chain obligations on data controllers but enforcement on third-party vendor security remains inconsistent across member states. Lidl, as the data controller under GDPR, is responsible for the personal data it entrusts to external processors regardless of where the breach occurred. The affected customers are Lidl’s customers, not the unnamed provider’s.
If You Shopped at Lidl Online in Germany, Belgium, or the Netherlands
Lidl has prompted affected customers to verify unexpected communications. Do not wait for a suspicious message to arrive before acting.
- If you used the same password on your Lidl online account as on any other service, change it on those other services now.
- Any email or SMS claiming to be from Lidl, a delivery service or a bank referencing a Lidl order should be treated as a potential phishing attempt until verified through official channels.
- Monitor your email inbox for password reset requests you did not initiate. Attackers who have your email address and date of birth will attempt credential recovery on other platforms.
Lidl has not confirmed whether it will offer identity monitoring services to affected customers. If no such offer has arrived and you want additional protection, Germany’s Verbraucherzentrale and Belgium’s Centre for Cybersecurity Belgium both publish guidance on steps to take following a personal data breach.
References
- Lidl Discloses Online Shop Breach After Service Provider Hack
- Lidl Notified Online Shop Customers in Germany, Belgium and the Netherlands of a Data Breach
- Lidl Reports Data Breach Affecting Online Customers in Germany, Belgium and the Netherlands
- Hackers Breach Lidl’s IT Service Provider, Steal Customer Data
This post is also available in: