Thursday, July 16, 2026

Lidl Data Breach: Unauthorized Access to Customer Data

Valyrian News Network 4 min read

Lidl Data Breach: Unauthorized Access to Customer Data

Discount supermarket chain Lidl has confirmed that unauthorized third parties gained access to customer data through a security incident involving one of its IT subcontractors in Belgium. The breach, which affected customers of the Belgian Lidl webshop (lidl.be), exposed personal information including names, telephone numbers, email addresses, dates of birth, and customer numbers.

What Happened

Lidl was informed of the security incident by its IT service provider, who discovered that unidentified individuals had briefly accessed a separately stored file containing customer data and stolen a portion of it. According to RTBF, the company’s IT provider immediately took measures to restore full security of the affected systems.

Speaking to VRT Nieuws, Lidl spokesperson Kim Geirnaert stated: “Despite high IT security standards, unidentified persons briefly gained access to a separately stored file and stole part of it.” The stolen data included first and last names, telephone numbers, email addresses, dates of birth, and customer numbers.

What Was Not Compromised

Crucially, Lidl has emphasized that sensitive financial information remained secure. Passwords, billing addresses, delivery addresses, bank details, and other payment information were not affected. The webshop system itself was not breached, and customer accounts have not been compromised.

“It is important to emphasize that the webshop system was not affected,” Geirnaert told VRT Nieuws. “Passwords, invoice and delivery addresses, bank details or other payment information of our customers were expressly not affected. Customer accounts have not been compromised.”

Response and Investigation

The IT service provider has filed a police complaint and immediately engaged IT forensic experts to investigate the incident. Lidl has directly informed affected customers via email, though the company has not disclosed the exact number of customers impacted.

As reported by NL Times, Lidl has notified both the Belgian Data Protection Authority (APD-GBA) and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) of the breach, as required under the General Data Protection Regulation (GDPR). Under GDPR rules, companies must report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the incident.

Customer Advisory

Lidl has stated that it currently has no concrete evidence that the stolen data has been misused. However, as a precautionary measure, affected customers have been warned about potential phishing attempts or identity theft. With email addresses and phone numbers now in the hands of unknown parties, customers are advised to remain vigilant against suspicious communications.

Broader Context

This breach occurs against a backdrop of increasing cyberattacks targeting consumer-facing companies in the Benelux region. In 2025, Orange Belgium suffered a significant data breach affecting 850,000 customers, while Dutch telecom provider Odido experienced a cyberattack in early 2026 that compromised the data of 6.2 million people. The Dutch Data Protection Authority has recently warned that artificial intelligence is increasing the dangers of phishing and cyberattacks.

Implications and Outlook

The incident highlights the growing risks associated with third-party IT subcontractor access to customer data — a supply chain vulnerability that affects companies across all sectors. Lidl could face potential GDPR fines if the investigation determines that inadequate security measures were in place. The Belgian DPA’s 2026-2028 Strategic Plan signals a shift toward “Systemic Impact Enforcement,” which could result in significant penalties designed to set a precedent.

For affected customers, the primary risk remains targeted phishing campaigns using the exposed personal information. Lidl has advised customers to be cautious of unsolicited communications requesting personal or financial details.

As the forensic investigation continues, key questions remain unanswered: the total number of affected customers, the identity of the IT subcontractor involved, and whether any stolen data has appeared on dark web markets. Lidl has not provided a timeline for further updates.