Lidl discloses online-shop data breach after hackers hit a third-party IT service provider
Lidl notified online-shop customers in Germany, Belgium and the Netherlands that attackers who breached one of its external IT service providers stole a file of personal data including names, contact details and dates of birth, while stressing that payment data, passwords and customer accounts were not affected.
- Victim
- Lidl
On 13 July 2026, Lidl β the German discount supermarket chain owned by the Schwarz Group, Europe's largest food retailer β disclosed that customers of its online shop had been caught up in a data breach at one of its external IT service providers. Attackers were briefly able to reach a separately stored file containing customer data and exfiltrate part of it, prompting the retailer to notify affected shoppers in Germany, Belgium and the Netherlands.
According to Lidl, the stolen file contained customers' salutation, first and last name, telephone number, email address, date of birth and customer number. The company stressed that passwords, billing and delivery addresses, bank details and other payment information were not affected, and that customer accounts and the online shop system itself had not been compromised. Lidl did not publicly name the breached service provider or say how many customers were affected.
Response and risk
Lidl said it identified the incident after being informed by the service provider, engaged outside forensic experts, and notified the relevant European data-protection authorities, including the Dutch regulator. Because the exposed fields β names, contact details and dates of birth β are exactly the sort of information used to make fraudulent messages look convincing, the retailer warned customers to be on guard for phishing attempts that reference Lidl or their order history.
With the compromised file limited to contact-level personal data and Lidl's own systems reported unaffected, the incident was contained at the point of disclosure, though the investigation into the third-party provider and the full scope of the exposure continued.
Timeline
Lidl confirms that a breach at a third-party IT service provider exposed online-shop customer data and begins notifying affected customers in Germany, Belgium and the Netherlands.
Sources
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/lidl-discloses-online-shop-breach-after-service-provider-hack/
- helpnetsecurity.comhttps://www.helpnetsecurity.com/2026/07/13/lidl-data-breach-customer-data/
- infosecurity-magazine.comhttps://www.infosecurity-magazine.com/news/lidl-notifies-customers-of/
- scworld.comhttps://www.scworld.com/brief/lidl-reports-data-breach-affecting-online-customers-in-germany-belgium-and-the-netherlands