A security incident involving an external IT service provider has resulted in the exposure of customer data belonging to users of Lidl’s online store.
According to Lidl, unknown attackers gained access to a file containing customer information that was stored by a contracted service provider and copied portions of its contents. The compromised data includes customers’ titles, names, dates of birth, email addresses, phone numbers, and customer IDs. Based on current findings, payment information, passwords, and the Lidl Plus app were not affected.
Although no login credentials or payment data were compromised, Lidl considers the incident significant because the stolen information could be used in highly targeted phishing campaigns. Names, birth dates, and phone numbers allow attackers to craft fraudulent emails that appear far more convincing than generic scam messages. The retailer is therefore urging customers not to open links in unexpected emails or disclose login credentials.
“We were informed about the incident at the beginning of the week. Unauthorized individuals were briefly able to access a segregated file containing customer data and, despite robust IT security measures, managed to steal parts of it. The online shop itself was not affected.”
Lidl, in a customer notification
Breach Originated at External Service Provider
According to the company, the breach did not originate within Lidl’s own IT infrastructure but at an external service provider. This setup is common in e-commerce, where specialized vendors frequently handle functions such as shipping, data processing, and customer communications. As a result, portions of customer data are often processed outside the retailer’s own systems. Regardless of where a breach occurs, however, the retailer remains responsible for notifying affected customers.
Lidl says it has engaged external digital forensics experts to investigate the incident, filed a criminal complaint with law enforcement, and notified the relevant data protection authority. Customer notifications are being sent in phases, and the company has not yet disclosed how many individuals were affected.
Recommendations for Affected Customers
Lidl advises customers to carefully scrutinize any emails claiming to be from the company. If in doubt, users should visit the online store directly by entering the known website address rather than clicking links embedded in emails. The retailer also explicitly warns against entering passwords or payment information on websites accessed through email links. Support requests should be submitted only through official communication channels that customers access independently.
A Recurring Challenge for Online Retailers
Third-party service providers have repeatedly become the source of customer data breaches in the e-commerce sector rather than the retailers’ own platforms. As more business processes are outsourced, customer information is distributed across a growing number of external systems, making it increasingly difficult to enforce consistent security standards throughout the supply chain.
For organizations, this highlights the importance of applying the same contractual and technical controls to service providers as they do within their own infrastructure, including strict access management, comprehensive logging, and oversight of data processing practices.
(lb)