Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach

Pierluigi Paganini July 13, 2026

Lidl disclosed a third-party data breach affecting online shop customers in Germany, Belgium, and the Netherlands. Payment data was not exposed.

Lidl contacted customers of its online shop in Germany, Belgium, and the Netherlands last week to inform them that their personal data had been stolen in an attack on an external IT service provider. The discount chain, owned by Schwarz Group, published separate notifications on its customer service websites in Belgium and the Netherlands.

The breach was discovered at the beginning of last week. The stolen data covers salutation, first and last name, phone number, email address, date of birth, and customer number for anyone who used Lidl’s online shop.

“We are contacting you because, as a Lidl online shop customer, we wanted to inform you of an IT security incident that occurred at one of our service providers. This incident affects some of your data held by Lidl. We were informed of this incident earlier this week. Despite high IT security standards, unidentified individuals were briefly able to access a separately stored file containing customer data and steal some of it. The online shop system itself was not affected.” reads the Belgian notification (translated). “The stolen data includes customer information from our online shop customers (title, first and last name, phone number, email address, date of birth, customer number).”

The Belgian notice also explicitly ruled out that passwords, billing and delivery addresses, bank details, or other payment information were involved, and confirmed that customer accounts were not compromised.

The Netherlands notification covered the same incident and was equally specific.

“Unknown individuals have, despite high IT security standards, briefly gained access to a separately stored file containing customer data, and part of the data has been stolen from it.” reads the Netherlands notification “The online shop’s system itself was not affected.”

The Dutch notification confirmed that Lidl has informed the Autoriteit Persoonsgegevens, the Dutch Data Protection Authority, and that the compromised IT service provider filed a police report and immediately brought in forensic IT experts to investigate the full scope of the incident.

The company pointed out that there’s currently no concrete evidence of data misuse. That’s standard phrasing in breach notices and doesn’t mean misuse won’t happen. The stolen combination of name, email address, phone number, and date of birth is precisely what someone needs to build a convincing phishing message or impersonation attempt. Anyone who received Lidl’s notification should treat unexpected contact claiming to be from Lidl with extra caution, verify the sender before clicking anything, and report anything suspicious to [email protected] or [email protected].

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)



you might also like

leave a comment