Lidl Customers in Three Countries Warned After Supplier Breach Exposes Personal Data
The German discount chain says a file at an outside IT provider was raided, spilling names, phone numbers and dates of birth for online shoppers in Germany, Belgium and the Netherlands.

Key points
- Lidl told online shop customers in Germany, Belgium and the Netherlands last week that attackers stole personal data from a file held at an outside IT service provider.
- Confirmed stolen data includes salutation, first and last name, phone number, email address, date of birth and customer number.
- Lidl says it cannot yet rule out that passwords, billing and delivery addresses, bank details or payment information were also taken.
- The supplier has filed a police report and hired forensic investigators, and Lidl has notified the Dutch Data Protection Authority.
- Lidl is warning affected shoppers to expect phishing attempts, meaning fake emails or texts designed to trick them into handing over more information.
Lidl, the discount supermarket chain owned by Germany's Schwarz Group, has told customers that criminals broke into a file at one of its IT suppliers and walked away with their personal details.
The notice went out by email last week. Separate alerts appeared on Lidl's support pages in Belgium and the Netherlands. Germany is also affected.
Schwarz Group is the biggest food retailer in Europe. Lidl alone runs around 12,000 stores and employs more than 376,000 people across Europe and the United States. That scale is why a leak at a single supplier ripples across three countries at once.
What exactly was stolen?
Lidl has confirmed that the attackers took customer records from the online shop, not from stores. According to the company's notice, the file contained each shopper's salutation, first and last name, phone number, email address, date of birth and internal customer number.
In its own words: "Despite high IT security standards, unknown individuals briefly gained access to a separately stored file containing customer data, and part of the data was stolen from it. The online shop's system itself was not affected."
That last line matters. Lidl is saying the shop's live systems, where you log in and pay, were not broken into. The stolen file sat elsewhere, at an outside IT service provider whose name Lidl has not published.
But the company is careful to hedge. It says it cannot yet rule out that passwords, billing and delivery addresses, bank details or other payment information were also caught up in the theft. Investigators are still working out the full scope.
Who is investigating?
The hacked IT supplier has filed a police report and brought in outside forensic experts, the kind of specialists who reconstruct exactly what an intruder touched and copied.
Lidl has also formally notified the Dutch Data Protection Authority, the regulator that enforces the EU's General Data Protection Regulation (GDPR) in the Netherlands. Similar notifications are expected in Germany and Belgium, where their own national data protection regulators have jurisdiction. Under GDPR, companies must report a personal data breach to the relevant regulator within 72 hours of discovery.
The incident was first reported by BleepingComputer. Lidl had not responded to press questions at the time of writing.
Should Lidl shoppers be worried?
Yes, but the risk right now is phishing rather than direct fraud. Criminals holding your name, phone number, email and date of birth can craft very convincing fake messages that look like they come from Lidl, your bank, or a parcel courier.
Lidl put it plainly in its notice: "Be alert for unexpected messages. Always verify the authenticity of the sender. If you notice anything unusual, do not provide any data and do not click on unknown links."
What affected customers should do
If you have a Lidl online shop account in Germany, Belgium or the Netherlands, treat unexpected emails, SMS or WhatsApp messages that mention Lidl, deliveries or refunds with suspicion. Do not click links inside them. Go directly to the Lidl website by typing the address yourself.
Change your Lidl password, and change it anywhere else you reused the same one. Turn on two-factor authentication, an extra login code sent to your phone, wherever your email or bank offers it. Keep an eye on card statements for small unfamiliar charges, a common early sign that stolen data is being tested.



