Infosecurity

Lidl Warns Customers After Third-Party Data Breach Exposes Personal Info

Published

on

What Happened: A Breach Via an Outside Vendor

Lidl has started notifying customers across several European countries that their personal information may have been stolen. The incident did not originate inside the supermarket chain itself, but at one of its third-party IT providers.

The company, owned by the German retail conglomerate Schwarz Group, confirmed that shoppers in Germany, Belgium, and the Netherlands are affected. In messages sent to Belgian and Dutch customers, Lidl said it learned of the breach only last week.

“Despite high IT security standards, unidentified individuals were briefly able to access a separately stored file containing customer data and steal some of it. The online shop system itself was not affected,” the company explained.

This is not the first time a major European grocer has faced such an issue. Food retailer Ahold Delhaize disclosed a data breach impacting 2.2 million people earlier this year, underscoring the persistent risk in the sector.

What Data Was Stolen — And What Wasn’t

According to Lidl, the compromised file contained records from its online store. The stolen data includes full names, phone numbers, email addresses, dates of birth, and customer numbers.

Critically, the company says that passwords, billing and delivery addresses, bank details, and other payment information were not taken. “Your customer account has not been compromised,” Lidl stated.

Still, the company is not taking any chances. “Although we currently have no concrete evidence of data misuse, we are warning you, as a precaution, against possible phishing or identity theft attempts,” it added.

Lidl said its IT service provider “reacted immediately” to secure the affected systems. Forensics experts have been brought in, and the relevant authorities have been notified.

Why This Breach Matters for Customers

For anyone who shops at Lidl’s online store, the immediate risk is not a drained bank account — it’s a well-crafted phishing email. With names, email addresses, and phone numbers in hand, attackers can impersonate the company convincingly.

“Always verify the sender’s authenticity,” Lidl warned in its notification. “If you notice anything unusual, do not disclose any data or click on any unknown links.”

What security experts recommend

Boris Cipot, principal security engineer at app security firm Black Duck, praised Lidl for its transparency and speed. “That kind of candor presents the appropriate posture under GDPR,” he said.

But he stressed that the real work is just beginning. “The real test now is follow-through: how quickly they complete the forensic investigation, how clearly they communicate updates as the scope becomes known, and how rigorously they reassess the security requirements they place on their service providers going forward.”

Cipot advised affected customers to take immediate steps:

  • Change your passwords out of caution — even if Lidl says accounts weren’t compromised.
  • Enable multi-factor authentication on every account that offers it.
  • Stay on high alert for phishing. “Attackers will absolutely weaponize this stolen data to craft convincing scams in the weeks and months ahead,” he warned.
  • Monitor bank and card statements closely.
  • Consider a credit freeze if you live in a jurisdiction where that’s available.

What Lidl’s Response Says About GDPR Compliance

The General Data Protection Regulation (GDPR) requires companies to notify affected individuals without undue delay when a breach poses a risk to their rights and freedoms. Lidl appears to be following that framework closely — informing customers even before any confirmed misuse of data.

This proactive approach is becoming the standard among responsible retailers. However, the incident also highlights a weak point in many companies’ defenses: third-party vendors. Even if Lidl’s own systems are secure, a vulnerability at a partner can expose customer data just as effectively.

Moving forward, the Schwarz Group will likely face pressure to tighten security requirements for all external IT providers. For now, the priority is completing the forensic investigation and ensuring that the stolen data is not used to defraud customers.

If you’ve shopped at Lidl’s online store in Germany, Belgium, or the Netherlands recently, watch your inbox — and don’t click anything that looks even slightly off.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version