
Lidl has told online shop customers in Germany, Belgium and the Netherlands that their data was stolen in a breach at an IT service provider, not in its own systems. Names, phone numbers, email addresses, dates of birth and customer numbers were taken; payment data is not yet ruled out. Under GDPR the controller stays accountable for a processor's breach.
Lidl has told online shop customers in Germany, Belgium and the Netherlands that their personal data was stolen in a breach at one of its IT service providers, not in its own systems. The retailer began emailing affected customers on 10 July 2026 and confirmed the incident in notices on its Belgian and Dutch support sites. Names, telephone numbers, email addresses, dates of birth and customer numbers were taken. The lesson: a retailer stays accountable for its customers' data even when the file that leaked sat on a supplier's infrastructure.
What happened
Lidl, owned by Schwarz Group, says unknown individuals briefly accessed a separately stored file containing customer data and stole part of it, according to notices reported by BleepingComputer and Help Net Security. The company stated that its online shop system itself was not affected. The confirmed stolen fields are salutation, first and last name, telephone number, email address, date of birth and customer number. Lidl added that it cannot yet rule out that passwords, billing and delivery addresses, bank details or other payment information were also involved, though it says customer accounts were not affected.
The IT service provider that was breached has filed a police report and engaged forensic investigators, per Lidl's statement. Lidl has notified data protection authorities in the affected countries, including the Dutch Data Protection Authority, and warned customers to watch for phishing that could use the stolen details. The provider has not been named, and the number of affected customers has not been disclosed. The scope beyond the confirmed fields is unconfirmed.
Why it matters for third-party risk
The pattern is data-processor exposure. A processor is a supplier that handles personal data on your behalf, such as a firm that hosts or manages part of an online shop. Under the EU General Data Protection Regulation (GDPR), the company that decides why and how the data is used, the controller, stays responsible for it even when a processor holds the file that leaks. Customers received a notice with Lidl's name on it, not the provider's. The supplier was the weak link, but the accountability, the reporting duty and the reputational cost landed on the brand.
What teams should take from it
Two takeaways. First, map where customer data actually rests, including files a supplier stores separately from your main platform. A breach can bypass a well-defended core system and still expose your customers if a processor holds a copy. Second, set the breach-notification clock with processors in the contract. GDPR gives controllers 72 hours to notify a supervisory authority once aware. If a processor is slow to tell you, your own deadline is already running. A named contact and a fixed notice window turn that from a scramble into a procedure.
For teams weighing this accountability, it is worth reviewing what GDPR expects of a controller when a processor is breached.
FAQ
Was Lidl's own online shop system breached?
Lidl says no. It states the online shop system was not affected and that the data came from a separately stored file held in connection with an IT service provider. Customer accounts were not affected, according to the company.
What data was stolen?
Confirmed: salutation, name, telephone number, email address, date of birth and customer number. Lidl says it cannot yet rule out that passwords, billing and delivery addresses, bank details or other payment information were involved. That wider scope is unconfirmed.
Why is this a GDPR story and not just a vendor problem?
Under GDPR, the controller remains accountable for personal data processed by its suppliers. Lidl carries the notification duty and the reputational exposure even though the breached system belonged to a processor.
Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.


