Lidl has confirmed that a cyberattack on one of its third-party IT service providers exposed the personal data of online shop customers in Germany, Belgium and the Netherlands, the latest in a string of supply-chain breaches to hit major European retailers this year.
The discount supermarket chain, owned by Schwarz Group, said it was informed of the incident last week and moved to notify affected customers by email, as well as to publish breach notices on its German, Belgian and Dutch support websites. In its statement, Lidl said unknown individuals had briefly gained access to “a separately stored file containing customer data” and stolen part of it, stressing that “the online shop system itself was not affected.”
The incident is a reminder of how much of a retailer’s exposure now sits outside its own walls. Boris Cipot, principal security engineer at Black Duck, said, “This incident is a textbook reminder that your security posture is only as strong as your weakest third party. Even when a retailer’s own systems hold, a compromised service provider can expose millions of customers to identity fraud, phishing, and account takeover attacks. Personal data like names, birthdates, phone numbers, and email addresses may seem low risk in isolation, but combined they become a powerful toolkit for social engineering. Additionally, the downstream costs to consumers and brand trust can far outlast the incident itself.”
According to the company, the compromised data includes customers’ salutation, first and last name, phone number, email address, date of birth, and customer number. Lidl said it currently has no evidence that passwords, billing or delivery addresses, bank details or other payment information were affected, and that customer accounts themselves had not been compromised. The retailer added that the affected IT service provider responded immediately and took steps to restore full security to its systems.
Paul Bischoff, Consumer Privacy Advocate at Comparitech, argued the nature of the stolen data limits the immediate danger, though phishing remains a real risk: “Although the breach is unfortunate, the compromised data doesn’t pose a direct threat to victims’ money or identities. It doesn’t contain credit cards or Social Security numbers, for example. Scammers could use the data to launch tailored phishing attacks and other scams, so be on the lookout for malicious emails and text messages. Scammers might pose as Lidl or a related company to trick victims into clicking malicious links.”
Cipot was more measured about how the company has handled disclosure so far, while cautioning that the real test is still to come: “Lidl deserves credit for moving quickly to notify customers and being transparent about what they don’t yet know, including the possibility that passwords, addresses, and payment data could be involved. That kind of candor presents the appropriate posture under GDPR. The real test now is follow-through: how quickly they complete the forensic investigation, how clearly they communicate updates as the scope becomes known, and how rigorously they reassess the security requirements they place on their service providers going forward.”
Lidl has filed a police report, engaged external IT forensic experts to investigate the scope of the incident, and notified the relevant data protection authorities, including the Dutch and Belgian Data Protection Authorities. The company has not named the compromised service provider or disclosed how many customers were affected. As of writing, no threat actor has publicly claimed responsibility.
Lidl, Europe’s largest food retailer, operates around 12,900 stores across 32 countries in Europe and the US and employs more than 376,000 people. The breach adds it to a growing list of retailers hit by supply-chain and third-party attacks over the past year, including Marks & Spencer, Co-op, Louis Vuitton, Pandora and Harrods, several of which have been linked to the Scattered Spider hacking group. Muhammad Yahya Patel, vCISO and cybersecurity advisor for EMEA at Huntress, said the pattern has become too consistent to ignore: “Another major retailer, another third-party service provider breach. The pattern is consistent enough now that it needs calling out clearly; one of the weakest points in most organisations’ security posture isn’t their own systems, it’s the extended ecosystem of service providers that touch customer data peripherally.”
Lidl has urged customers to be alert for phishing attempts, telling them to verify the authenticity of any sender before disclosing information or clicking links, and to watch out for messages referencing their Lidl account or recent orders. Patel echoed that advice directly to anyone who has shopped with the retailer online: “If you’ve shopped on Lidl’s online store in Germany, Belgium, or the Netherlands, treat this as a prompt to act. Change your Lidl account password immediately, and if you’ve used the same password anywhere else, change it there too. Password reuse remains the single most effective way attackers turn one breach into multiple account compromises. If you receive any communication claiming to be from Lidl asking you to verify details or click a link, contact Lidl directly through their official website rather than responding.”
Cipot offered similar guidance, with a reminder that stolen data of this kind tends to resurface in scams long after the headlines fade: “Customers should treat this as a wake-up call, not just a notification. Change your Lidl password immediately (and any password reused elsewhere), enable multi-factor authentication wherever it’s offered, and be on high alert for phishing emails, texts, or calls that reference your Lidl account or recent orders. Attackers will absolutely weaponize this stolen data to craft convincing scams in the weeks and months ahead. Monitor your bank and card statements closely and consider a credit freeze if you’re in a jurisdiction where that’s available.”




