"Despite high IT security standards, unidentified individuals were briefly able to access a separately stored file containing customer data and steal some of it," Lidl warned, in a notice to customers in Belgium and the Netherlands.
Who was affected: Lidl online customers in Germany, Belgium and the Netherlands
The supermarket chain Lidl — owned by the Schwarz Group — notified that customers of its online store in Germany, Belgium and the Netherlands were impacted after customer information was taken from a third-party IT provider. Lidl told Belgian and Dutch customers it discovered the incident "last week." The company emphasized that "the online shop system itself was not affected."
What data was taken — and what Lidl says was not exposed
- Stolen: "full names, phone numbers, email addresses, dates of birth and customer numbers."
- Ruled out: "At this time, we can rule out the possibility that passwords, billing and delivery addresses, bank details, or other payment information are affected."
- Account status: "Your customer account has not been compromised."
- Current risk: Lidl added that while there is "no concrete evidence of data misuse," it is warning customers "as a precaution, against possible phishing or identity theft attempts."
How the incident unfolded and the immediate technical response
Lidl described the data loss as the result of unauthorized access to a file stored separately by its IT service provider. The provider, Lidl said, "reacted immediately" to restore security on the impacted systems and engaged forensic experts to investigate the breach further. Lidl also stated that "the relevant authorities have also been contacted."
Advice issued by Lidl and commentary from Black Duck's Boris Cipot
Lidl's customer advisory urged recipients to exercise caution: "Always verify the sender's authenticity. If you notice anything unusual, do not disclose any data or click on any unknown links." The company framed the notice as a precautionary step to warn users against phishing or identity-theft attempts that may follow.
Boris Cipot, principal security engineer at app security firm Black Duck, publicly praised Lidl's handling. "That kind of candor presents the appropriate posture under GDPR," he said, calling Lidl's response "speedy" and "transparent." Cipot also set out a practical yardstick for the weeks ahead: "The real test now is follow-through: how quickly they complete the forensic investigation, how clearly they communicate updates as the scope becomes known, and how rigorously they reassess the security requirements they place on their service providers going forward."
Cipot offered precautionary steps for affected customers, urging them to change passwords out of caution, enable multi-factor authentication where offered, and remain "on high alert." He warned that "attackers will absolutely weaponize this stolen data to craft convincing scams in the weeks and months ahead," and recommended monitoring bank and card statements closely and to "consider a credit freeze if you're in a jurisdiction where that's available."
What this means for customers, security teams, and regulators
- Customers: Follow Lidl's warnings against clicking unknown links or disclosing data, consider the password and multi-factor authentication steps Cipot recommends, and monitor financial statements for signs of fraud.
- Security teams and procurement leaders: Expect scrutiny on service-provider controls. Lidl's note that the file was "separately stored" and the provider has engaged forensics highlights the need to review how third-party systems are segmented and secured and to document remediation and communications plans.
- Regulators and investigators: Lidl confirmed that "the relevant authorities have also been contacted," and outside forensic teams have been engaged — the forensic findings and any regulatory notifications or follow-ups will be the concrete outputs to watch.
The immediate facts are narrow but concrete: a third-party IT provider's file was accessed briefly, shopper contact and identity fields were taken, Lidl says payment and account credentials were not compromised, and forensics and authorities have been engaged. The next observable milestones will be the forensic report and any further communications from Lidl or the investigating authorities that clarify scope and show whether the stolen data has been misused.
Original reporting: Infosecurity Magazine — Lidl Notifies Customers of Third-Party Data Breach




