Lidl has told online shop customers in Germany, Belgium and the Netherlands that attackers stole some of their personal data from an external IT service provider, exposing enough information to make phishing attempts more convincing.
The German discount supermarket chain said the breach did not hit Lidl’s online shopping platform directly. According to customer notifications sent Friday in the three countries, the compromised data sat in a separate customer file held by a third-party provider. Unknown attackers briefly accessed that file and copied part of its contents, Lidl said.
The exposed data includes customers’ titles, first and last names, telephone numbers, email addresses, dates of birth and customer numbers. That is not the sort of dataset that drains a bank account by itself, but it is useful material for criminals trying to impersonate a retailer, personalize scam messages or pressure customers into handing over more sensitive details.
Lidl said it has no indication that passwords, billing addresses, delivery addresses, bank details or other payment information were affected. The company also said customer accounts remain secure.
The retailer said it learned of the incident earlier last week. The unnamed service provider then took steps to secure the affected systems, according to Lidl. The company said it has filed a criminal complaint and notified the relevant data protection authority.
Lidl has not said how many customers were affected. It also has not identified the IT provider, explained how the attackers got access, named any suspected group or said whether ransomware was involved. Those omissions leave customers with the usual breach-notice problem: they know their data is out, but not much about the failure that put it there.
The company said it has not found evidence that the stolen information has been misused. Lidl still warned affected customers to watch for phishing emails and attempted identity theft because the stolen fields could help attackers craft messages that look less random than the usual spam pile.
For customers, the practical risk is follow-on fraud rather than direct account compromise, based on what Lidl has disclosed. An email that uses a real name, customer number or date of birth can feel legitimate, especially if it claims to concern an order, refund or account check. Lidl’s statement that passwords and payment data were not affected narrows the blast radius, but it does not make the copied identity data harmless.
Lidl is part of Germany’s Schwarz Group and is one of Europe’s largest retail chains. The company operates about 12,900 stores in 32 countries and employs around 395,000 people.
This story draws on original reporting from The Record.