"Despite high IT security standards, unknown individuals briefly gained access to a separately stored file containing customer data, and part of the data was stolen from it. The online shop's system itself was not affected," the company said.
Lidl's account of discovery and notification
Lidl, the German discount supermarket chain owned by Schwarz Group, told customers last week that attackers stole personal information in a breach at a service provider that supports its online shop. The company, which the notice said is part of Schwarz Group — the largest food retailer in Europe with over 376,000 employees and some 12,000 stores across Europe and the United States — emailed affected customers and published separate notifications on its support websites in Belgium and the Netherlands.
In its notice Lidl emphasized that the online shop's systems themselves were not affected, but that an externally stored file containing customer data had been accessed briefly and part of the data taken. The company said it discovered the breach last week and has warned customers to be alert for phishing and identity-fraud attempts.
Exactly what data was taken
According to Lidl's notifications, the stolen data contains customer information belonging to online shop customers: salutation, first and last name, telephone number, email address, date of birth, and customer number. Lidl also said it cannot yet rule out whether the breach may involve additional sensitive items tied to affected accounts — specifically naming customers' passwords, billing and delivery addresses, bank details, or other payment information as possibilities under investigation.
The hacked service provider and law enforcement steps
Lidl attributed the intrusion to unknown individuals who gained access to a file held separately by a service provider that supports the retailer's online shop. The hacked IT service provider has filed a police report and engaged IT forensic experts to determine the full scope and impact of the incident, Lidl said. The company did not identify the provider by name in its public messages.
How customers, the Dutch Data Protection Authority, and the service provider are responding
- Customers: Lidl emailed affected shoppers and posted local notices. The company urged those customers to be wary of unexpected messages, to verify the authenticity of senders, not to provide data in response to suspicious contacts, and not to click unknown links.
- Dutch Data Protection Authority: Lidl has notified the Dutch Data Protection Authority of the data breach, according to the company’s notices.
- Service provider and investigators: The service provider reported the incident to police and has brought in IT forensic specialists to investigate and assess the extent of the stolen information.
Public communication and next factual steps
BleepingComputer reached out to Lidl for additional information; a Lidl spokesperson was not immediately available for comment. Lidl’s published notices limit assertions to what its investigation and the service provider have confirmed so far: that a separately stored file was accessed and some data were stolen, and that the online shop systems were not directly compromised.
The immediate next steps Lidl and the service provider have taken are formal notification to affected customers, notification to the Dutch Data Protection Authority, and engagement of IT forensic experts alongside a police report. The central factual question now is whether the forensic work will confirm or rule out the involvement of passwords, billing and delivery addresses, bank details, or other payment information — items Lidl explicitly said it cannot yet exclude from the impact.
Original reporting: https://www.bleepingcomputer.com/news/security/lidl-discloses-online-shop-breach-after-service-provider-hack/




