Home / The Long Read / Research
Long Read

Lidl online shop data breach started at an IT service provider, not the retailer's own systems

Lidl has told online shop customers in Germany, Belgium and the Netherlands that their data was stolen in a breach at an IT service provider, not in its own systems. Names, phone numbers, email addresses, dates of birth and customer numbers were taken; payment data is not yet ruled out. Under GDPR the controller stays accountable for a processor's breach.

Lidl online shop data breach started at an IT service provider, not the retailer's own systems
TL;DR

Lidl has told online shop customers in Germany, Belgium and the Netherlands that their data was stolen in a breach at an IT service provider, not in its own systems. Names, phone numbers, email addresses, dates of birth and customer numbers were taken; payment data is not yet ruled out. Under GDPR the controller stays accountable for a processor's breach.

Lidl has told online shop customers in Germany, Belgium and the Netherlands that their personal data was stolen in a breach at one of its IT service providers, not in its own systems. The retailer began emailing affected customers on 10 July 2026 and confirmed the incident in notices on its Belgian and Dutch support sites. Names, telephone numbers, email addresses, dates of birth and customer numbers were taken. The lesson: a retailer stays accountable for its customers' data even when the file that leaked sat on a supplier's infrastructure.

Lidl online shop breach (July 2026): the leak came from a supplier Attackers reached a separately stored customer file at an IT service provider, not Lidl's online shop system. Attacker briefly accessed and stole part of a data file IT service provider held a separately stored file of Lidl online shop customers Confirmed stolen: name, telephone, email date of birth, customer number passwords / payment data: not ruled out Downstream exposure Customers in Germany, Belgium, the Netherlands (phishing risk) Lidl brand and customer trust GDPR notification duty (controller) A processor can hold your data without touching your core systems. What Lidl stated (July 2026): online shop system not affected; provider filed a police report; data protection authorities notified. Third-party risk, in one line: The controller stays accountable for customer data even when the breached file sat on a supplier's systems. Sources: Lidl customer notices, BleepingComputer, Help Net Security. Draft diagram for Breach Wire, Supplier Shield.

What happened

Lidl, owned by Schwarz Group, says unknown individuals briefly accessed a separately stored file containing customer data and stole part of it, according to notices reported by BleepingComputer and Help Net Security. The company stated that its online shop system itself was not affected. The confirmed stolen fields are salutation, first and last name, telephone number, email address, date of birth and customer number. Lidl added that it cannot yet rule out that passwords, billing and delivery addresses, bank details or other payment information were also involved, though it says customer accounts were not affected.

The IT service provider that was breached has filed a police report and engaged forensic investigators, per Lidl's statement. Lidl has notified data protection authorities in the affected countries, including the Dutch Data Protection Authority, and warned customers to watch for phishing that could use the stolen details. The provider has not been named, and the number of affected customers has not been disclosed. The scope beyond the confirmed fields is unconfirmed.

Why it matters for third-party risk

The pattern is data-processor exposure. A processor is a supplier that handles personal data on your behalf, such as a firm that hosts or manages part of an online shop. Under the EU General Data Protection Regulation (GDPR), the company that decides why and how the data is used, the controller, stays responsible for it even when a processor holds the file that leaks. Customers received a notice with Lidl's name on it, not the provider's. The supplier was the weak link, but the accountability, the reporting duty and the reputational cost landed on the brand.

What teams should take from it

Two takeaways. First, map where customer data actually rests, including files a supplier stores separately from your main platform. A breach can bypass a well-defended core system and still expose your customers if a processor holds a copy. Second, set the breach-notification clock with processors in the contract. GDPR gives controllers 72 hours to notify a supervisory authority once aware. If a processor is slow to tell you, your own deadline is already running. A named contact and a fixed notice window turn that from a scramble into a procedure.

For teams weighing this accountability, it is worth reviewing what GDPR expects of a controller when a processor is breached.

FAQ

Was Lidl's own online shop system breached?

Lidl says no. It states the online shop system was not affected and that the data came from a separately stored file held in connection with an IT service provider. Customer accounts were not affected, according to the company.

What data was stolen?

Confirmed: salutation, name, telephone number, email address, date of birth and customer number. Lidl says it cannot yet rule out that passwords, billing and delivery addresses, bank details or other payment information were involved. That wider scope is unconfirmed.

Why is this a GDPR story and not just a vendor problem?

Under GDPR, the controller remains accountable for personal data processed by its suppliers. Lidl carries the notification duty and the reputational exposure even though the breached system belonged to a processor.

What to do next

Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.

Read next

SonicWall SMA 1000 zero-days under active attack: the remote-access appliance became the way in

SonicWall SMA 1000 zero-days under active attack: the remote-access appliance became the way in

On 14 July 2026 SonicWall confirmed two actively exploited zero-days in its Secure Mobile Access (SMA) 1000 Series remote-access appliances and released fixed firmware. The pattern is concentration risk at the network edge: a widely used SSL VPN gateway sits in front of internal systems, so its compromise reaches everyone behind it, including the clients of managed providers that run one.

Read article
Jscrambler's own npm package was hijacked: a trusted supplier became a supply-chain vector

Jscrambler's own npm package was hijacked: a trusted supplier became a supply-chain vector

An attacker hijacked Jscrambler's npm package with a stolen publishing credential and shipped an infostealer to developers between 11 and 13 July 2026. The malware harvested cloud tokens, wallets and AI-assistant credentials from any machine that installed it. For third-party risk teams, the lesson is that a trusted dependency is a supplier, and its release channel can become the attack path.

Read article
Progress tells ShareFile customers to pull the plug: an ICT supplier's threat becomes everyone's downtime

Progress tells ShareFile customers to pull the plug: an ICT supplier's threat becomes everyone's downtime

On 10 July 2026 Progress Software told ShareFile customers running Storage Zone Controllers to shut down the hosting Windows servers over a credible external threat. No patch, no CVE, and cloud access to affected accounts disabled. The pattern is concentration risk: one widely used file-sharing supplier is a single point of exposure, and its emergency is inherited by everyone downstream, including firms that only touch it through a vendor.

Read article