Recent Breaches
Breaches
2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen
View All →
Breaking NewsUpdated as information becomes available
Back to Knowledge Vault
Breach AnalysisBreaking14 July 20264 min read

Lidl Warns Customers After Third-Party IT Provider Breach

Lidl has warned online shoppers in Germany, Belgium and the Netherlands that names, phone numbers, email addresses and dates of birth were stolen from a third-party IT provider. The breach is a fresh reminder that supplier risk is customer risk.

Mark Fermor

Mark Fermor

Director & Co-Founder, Firevault

Share
Stylised supermarket receipt dissolving into digital particles with a phishing hook, symbolising the Lidl third-party data breach.

Lidl has told customers across Germany, Belgium and the Netherlands to be on guard against phishing after personal information was stolen from one of its third-party IT providers. The German retail giant, owned by Schwarz Group, said its online shop system itself was not compromised, but a separately stored customer file held by a supplier was accessed and partly exfiltrated by unidentified attackers.

What Happened

According to notifications sent to Belgian and Dutch customers, Lidl became aware of the incident in the week preceding disclosure. The retailer stated that "despite high IT security standards, unidentified individuals were briefly able to access a separately stored file containing customer data and steal some of it." The stolen file related to Lidl online store accounts.

The IT service provider responsible for the file reacted immediately to restore the security of the affected systems and engaged forensic experts to investigate. Relevant data protection authorities have also been notified in line with GDPR obligations.

What Data Was Exposed

Lidl confirmed the stolen dataset includes:

  • Full names
  • Phone numbers
  • Email addresses
  • Dates of birth
  • Customer numbers

The retailer has ruled out exposure of passwords, billing and delivery addresses, bank details or other payment information. Customer accounts themselves have not been compromised. However, the combination of name, contact details and date of birth is enough to power highly convincing phishing and identity theft attempts.

Why This Matters

This is a supplier-side breach, not a Lidl platform compromise, and that distinction is the whole story. The largest grocery chain in Europe carries out its due diligence, yet a file held by an external processor was still reached by attackers. Every organisation that trusts a supplier with a customer database inherits that supplier's weakest control.

Boris Cipot, principal security engineer at Black Duck, praised the retailer for its speed and candour but noted that the real test is what happens next: how quickly the forensic investigation completes, how clearly Lidl communicates updates, and how rigorously it reassesses the security requirements placed on its service providers going forward.

Under GDPR, retailers remain the data controllers even when the breach happens at a processor. Regulators in Germany, Belgium and the Netherlands will judge Lidl on the strength of its supplier oversight, not on the wording of the contract.

The Offline Alternative

Every third-party breach follows the same pattern. A file has to sit somewhere reachable so that an application, an analyst or an integration can query it, and once it is reachable it is at risk. Firevault takes the opposite approach for the data that never needs to be queried in real time.

Firevault provides Layer 1 physical air gap storage. The vault is only connected to a network during a scheduled, human-authorised window. Outside that window there is no route in, no cable, no session and no credential that can reach the data. A supplier compromise, a stolen token or an exposed API key cannot pull records out of a device that is not on the wire.

For customer archives, backups of production databases, historical order records, KYC evidence and any dataset held for compliance rather than daily operations, physical disconnection removes the class of attack that hit Lidl's supplier. The file cannot leak from a system that cannot be reached.

Key Takeaways

  • Supplier risk is customer risk. Lidl's own platform held. The breach came through a third-party processor, and the retailer still owns the incident under GDPR.
  • Contact details plus date of birth is a phishing kit. Attackers do not need passwords when they have enough context to impersonate a bank, a delivery firm or Lidl itself.
  • Speed and candour matter. Lidl notified affected customers and regulators quickly, which is now the baseline expectation for European retailers.
  • Cold data belongs off the network. Data held for archive or compliance does not need to be online. Air gap storage removes the attack surface that supplier breaches rely on.

About the author

Mark Fermor

Mark Fermor

Director & Co-Founder

Co-founder of Firevault, focused on offline secure storage and protecting individuals and businesses from fraud, fines, loss and damage. Speaker, owner and advisor.

Share this article

Breaking News
Breach Analysis14 July 20264 min read

Lidl Warns Customers After Third-Party IT Provider Breach

Lidl has warned online shoppers in Germany, Belgium and the Netherlands that names, phone numbers, email addresses and dates of birth were stolen from a third-party IT provider. The breach is a fresh reminder that supplier risk is customer risk.

Lidl Warns Customers After Third-Party IT Provider Breach
Mark Fermor
Published by Mark Fermor, Director & Co-Founder