Lidl data breach: Supermarket chain warns customers after third-party 'IT incident' exposes customer information – here's what we know so far

The incident, affecting an unnamed service provider, is the latest to affect embattled retailers

Logo of supermarket chain Lidl on a sign outside a branch in London, England.
(Image credit: Getty Images)

Supermarket chain Lidl has urged customers to remain vigilant after a data breach exposed personal information.

In an advisory, the firm revealed the ‘IT incident’ at a third-party service provider has impacted customers in Belgium, Germany, and the Netherlands.

"We were notified of this incident earlier this week," the message reads.

"Despite high IT security standards, unauthorized parties briefly gained access to a separately stored file containing customer data, and some of that data was stolen. The online shop system itself was not affected."

Latest Videos From

The stolen data relates to customers of Lidl's online shop, and includes first and last names, telephone numbers, email addresses, dates of birth, and customer numbers.

Lidl noted that data exposed in the incident does not include passwords, billing and delivery addresses, bank details, or other payment information.

Lidl warns customers over phishing risks

The company said that while it currently has no concrete evidence this data has been misused, customers should remain vigilant for potential phishing attacks or identity theft.

Customers should be wary of unexpected messages, always verify the authenticity of the sender, and avoid providing any information or clicking on unknown links.

Boris Cipo, principal security engineer at Black Duck, said the incident is a “textbook reminder” of the risks posed by third-party vendors.

"Even when a retailer's own systems hold, a compromised service provider can expose millions of customers to identity fraud, phishing, and account takeover attacks," Cipo commented.

"Personal data like names, birthdates, phone numbers, and email addresses may seem low-risk in isolation, but combined they become a powerful toolkit for social engineering. Additionally, the downstream costs to consumers and brand trust can far outlast the incident itself."

Lidl vendor acted swiftly

Lidl said its IT service provider responded immediately to fully restore the security of the affected IT systems, filed a report with the authorities and immediately engaged IT forensic experts to investigate the incident.

The company has also notified the relevant data protection authorities. Cipo commended the supermarket chain for its swift response and up-front communication with affected customers.

"Lidl deserves credit for moving quickly to notify customers and being transparent about what they don't yet know, including the possibility that passwords, addresses, and payment data could be involved. That kind of candor presents the appropriate posture under GDPR," he said.

"The real test now is follow-through: how quickly they complete the forensic investigation, how clearly they communicate updates as the scope becomes known, and how rigorously they reassess the security requirements they place on their service providers going forward."

Lidl, which operates around 12,900 stores across 32 countries in Europe and the US, is just the latest retailer to be hit by a supply chain breach.

In the last year or so, victims have included Marks and Spencer, Co-op, Louis Vuitton, Pandora, and Harrods. Many of these attacks have been linked to the Scattered Spider hacking group.

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.