Decoding the world of cybersecurity

Lidl breach exposes supplier data risk

Lidl customer notices in Belgium and the Netherlands say attackers stole online shop customer data from a separately stored file at an IT service provider.

Lidl breach exposes supplier data risk
Summary
  • Lidl says an IT service provider incident exposed online shop customer data in European markets.
  • The company says passwords, addresses, bank details, payment information, and customer accounts were not affected.
  • The breach reinforces supplier assurance and data minimisation pressures under European privacy and cyber regimes.

Lidl has notified online shop customers in European markets of a data breach involving an IT service provider, after unknown individuals accessed a separately stored file containing customer data.

Customer notices published by Lidl in Belgium and the Netherlands say the online shop system itself was not affected. The stolen data is described as customer information belonging to online shop customers, including salutation, first and last name, telephone number, email address, date of birth, and customer number.

The Dutch notice says Lidl can currently exclude passwords, billing and delivery addresses, bank details, other payment information, and customer accounts from the affected data. The Belgian notice carries the same message in French and Dutch. Lidl says it has no concrete evidence of misuse but is warning customers to be alert to phishing attempts and identity fraud.

The company also says the affected IT service provider took steps to restore the security of the impacted systems, filed a criminal complaint, and engaged IT forensic experts. Lidl says the competent data protection authority was informed. The notices do not name the service provider, the number of affected customers, or the attacker.

The public facts point to a supplier-layer incident rather than a compromise of the customer-facing shop itself. Retailers often separate ecommerce platforms from supporting data, analytics, fulfilment, support, marketing, and service-provider environments. That separation can reduce direct impact on the shop while still leaving customer data exposed elsewhere.

The data categories are also valuable for follow-on attacks. Names, contact details, dates of birth, and customer numbers can be used to make phishing, refund scams, loyalty-account fraud, and impersonation attempts more convincing. The absence of passwords and payment data reduces one class of risk, but it does not remove identity misuse or customer-service abuse.

Large retailers now need to account for how customer data moves beyond the core platform. Supplier due diligence depends on file handling, retention, segmentation, access control, logging, deletion discipline, and whether suppliers are allowed to hold bulk customer files when narrower access would be sufficient.

The European regulatory context adds pressure around notification, proportionality, data minimisation, processor oversight, and security measures. Cyber resilience regimes are also pushing organisations to understand not only their own systems but the third parties that support essential customer and operational functions.

Lidl’s notices suggest the shop itself remained unaffected, while the supplier path still produced personal-data exposure. That is the type of third-party gap that enterprise risk teams, procurement functions, and privacy officers are expected to surface before an incident occurs.

×