Lidl confirmed on July 13, 2026, that a breach at a third-party IT service provider exposed personal data belonging to online shop customers in Germany, Belgium, and the Netherlands, according to Lidl. The retailer says its own online shop platform was not touched.
Quick Summary – TLDR:
- Lidl notified customers by email and published breach notices on its Belgian, Dutch, and German support sites after discovering the incident.
- Attackers stole salutation, first and last name, phone number, email address, date of birth, and customer number from a separately stored file.
- Lidl cannot yet rule out that passwords, billing and delivery addresses, bank details, or other payment information were also involved.
- The retailer notified the Dutch and Belgian data protection authorities and engaged outside forensic experts, per Lidl.
- Lidl, owned by Schwarz Group, the largest food retailer in Europe with over 376,000 employees, has not disclosed how many customers are affected.
What Happened?
Lidl discovered the breach last week, and a separate notice described being informed of the incident at the beginning of the week. The intrusion, per Schwarz Group’s own account, did not touch the online shop’s own platform.
Despite high IT security standards, unknown individuals briefly gained access to a separately stored file containing customer data, and part of the data was stolen from it. The online shop’s system itself was not affected, Lidl said in its customer notice.
The distinction matters. This was a breach at the hacked IT service provider, not Lidl’s own online shop systems, which narrows the exposure to whatever that vendor stored on Lidl’s behalf.
Neither the vendor’s name nor the total number of affected customers has been made public. The company has not disclosed how many customers are affected or which IT service provider was compromised.
🚨Cyber Alert ‼️
— Hackmanac (@H4ckmanac) July 13, 2026
🇩🇪🇧🇪🇳🇱 – 𝗟𝗶𝗱𝗹
Lidl disclosed a data breach affecting online shop customers in Germany, Belgium, and the Netherlands after attackers compromised an external IT provider. Stolen data includes customer personal information, while the exposure of passwords and… pic.twitter.com/yFQPTbfUil
What Data Was Exposed, and What Wasn’t?
The confirmed haul is contact and identity data: salutation, first and last name, telephone number, email address, date of birth, and customer number.
TechRadar Pro reported that passwords, addresses, and payment information were not compromised, and customer accounts themselves remaining unaffected.
Why Lidl Emailed Customers Directly?
Under GDPR Article 34, a controller must communicate a personal data breach directly to affected individuals, without undue delay, only when the breach is likely to result in a high risk to their rights and freedoms. The same article exempts the controller from that direct notification duty if it has applied measures such as encryption that render the data unintelligible, or if direct notification would involve disproportionate effort, in which case a public communication is enough.
Lidl did not rely on a public notice alone. It notified customers by email and published breach notices on its Belgian, Dutch, and German support sites, the more demanding, individually addressed route Article 34 reserves for a high-risk assessment, not the lighter public-communication path the regulation permits when a company judges the risk lower.
Separately, a controller must notify the competent supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to pose a risk at all, the baseline duty Lidl met by notifying the Dutch Data Protection Authority and the Belgian Data Protection Authority. Choosing the direct email route on top of that baseline duty is itself a signal, independent of Lidl’s careful public wording, of how seriously the retailer assessed this breach internally.
Phishing Is the Immediate Risk
Name, email, phone number, and date of birth together are enough for criminals to build highly convincing phishing messages that appear to come from Lidl, including fake order or delivery notifications. The risk is sharper than a generic phishing list suggests: a customer number paired with a date of birth is exactly the “verification” pair a loyalty fraud or account takeover caller uses to sound legitimate on a support line, since it mimics the checks Lidl’s own staff might ask for.
The “your payment data wasn’t touched” framing itself becomes a tool for scammers, who can use that reassurance to talk a worried customer into re-entering card details “just to confirm” they are safe.
Although we currently have no concrete evidence of data misuse, we are warning you as a precaution against possible phishing attempts or identity fraud, the company said, adding: Be alert for unexpected messages. Always verify the authenticity of the sender. If you notice anything unusual, do not provide any data and do not click on unknown links.
Lidl also filed a police report and engaged IT forensic experts to investigate the full scope and impact of the incident. Lidl operates around 12,900 stores across 32 countries in Europe and the United States, making this a cross border notification case rather than a single market incident.
SQ Magazine’s Takeaway
The mechanism here is a vendor breach, not a Lidl platform breach. What sets this incident apart is that Lidl’s own choice of channel says more than its wording does. Emailing customers directly, the route GDPR Article 34 reserves for a high-risk breach, is a stronger signal than the “not compromised” language some coverage repeated.
Anyone who shops Lidl’s online store in Germany, Belgium, or the Netherlands should treat the “payment data is safe” framing with some skepticism until the forensic review closes. Verify the sender on any unexpected Lidl branded email or text before clicking, and never re-enter card details in response to a message referencing this breach, since that is the exact scenario the leaked data now enables. Watch for follow-up notices from the Dutch or Belgian data protection authorities as Lidl’s investigation concludes.