Ransomware Hits Naval Contractor, Lidl Discloses Data Breach, and Iran Tracks US Military Phones
A week of scattered but serious disclosures: a defence shipbuilder confirms a ransomware attack, a major supermarket chain notifies customers of stolen data, and new evidence suggests Iranian operatives tracked phones belonging to US military personnel.

Key points
- Ransomware, which is malicious software that locks a company's files until a payment is made, struck TKMS, a German naval defence contractor that builds submarines for NATO member states.
- Lidl, the international supermarket chain, disclosed a data breach affecting an unspecified number of customers.
- Evidence emerged that Iranian operatives tracked mobile phones belonging to US military personnel, raising counterintelligence concerns.
- A coordinated vulnerability disclosure blueprint, meaning a set of rules for how researchers should responsibly report security flaws to vendors, was published to help standardise industry practice.
Three stories surfaced last week that each deserve a closer read than their brief mentions suggest. SecurityWeek flagged them in a roundup, but the regulatory and disclosure angles run deeper.
Should ordinary people be worried about any of this?
If you shopped at Lidl and stored your details in their app or loyalty programme, yes, pay attention. Lidl has not yet published a full breakdown of what categories of personal data were taken, which matters because different data carries different risk. Email addresses alone are nuisance-level. Payment details or identity documents are a different matter entirely. Until Lidl publishes specifics, treat any unexpected email claiming to be from Lidl as suspicious, and consider changing your account password now.
The TKMS ransomware attack sits in a different category. TKMS builds submarines and surface vessels for several European navies. The company has not confirmed whether operational or classified data was accessed, only that systems were affected. Ransomware gangs routinely steal files before locking them, using the threat of publication as a second lever for payment. If sensitive naval specifications were taken, the disclosure obligations under Germany's BSI-Gesetz, the federal law governing critical infrastructure security, and potentially under the European Union's NIS2 Directive (which requires operators of essential services to notify authorities within 24 hours of becoming aware of a significant incident, under Article 23), come into sharp focus.
The Iran-and-military-phones story carries its own disclosure wrinkle. The precise mechanism reported involves tracking infrastructure linked to Iranian state actors. Whether any US government agency faced a formal notification obligation depends on how the devices were classified and whether they touched government networks. That question remains open.
For ordinary readers, the practical lesson from all three stories is the same. Reuse a password across accounts and one breach hands criminals a key to several doors. Use a different password for every account. A free password manager handles the memory work.
The coordinated vulnerability disclosure blueprint published this week is a quieter but genuinely useful development. It gives security researchers and companies a shared playbook for reporting flaws without the researcher facing legal threat and without vendors sitting on fixes. That process, when it works, keeps the rest of us safer.



