Lidl — the discount supermarket giant owned by Schwarz Group, Europe’s largest food retailer — has told online-shop customers in Germany, Belgium and the Netherlands that their personal data has been stolen. The twist: the breach didn’t happen at Lidl at all, but at one of its third-party IT service providers.
According to Lidl’s customer notifications, unknown attackers briefly accessed a separately stored file of customer data held by the provider and copied part of it. “The online shop’s system itself was not affected,” the company said. The provider has since restored its systems, filed a police report, engaged forensic investigators and notified the relevant data protection authority.
What was taken
The stolen information is contact and identity data: salutation, first and last name, telephone number, email address, date of birth and customer number. Lidl says passwords, billing and delivery addresses, bank details and other payment information were not affected, and that customer accounts themselves remain intact. The number of people affected, and the name of the provider, have not been made public.
Why a “no passwords, no payment data” breach still matters
It’s tempting to file this one under “could have been worse” — and it could have been. But a tidy set of names, emails, phone numbers and dates of birth is exactly what criminals need to build convincing, personalised phishing and identity-theft attempts. A message that greets someone by name, quotes their real customer number and references a shop they actually use is far harder to dismiss than generic spam. The Dutch data protection authority has warned that AI is now making these scams even more realistic and personalised.
The real lesson: your supply chain is your attack surface
This is a textbook third-party, or supply-chain, breach. Lidl points to its own high security standards — and the intrusion still happened, through a supplier that held its data. You can do everything right inside your own four walls and still be exposed by a vendor’s weakness. For most businesses, the data you hand to payroll bureaus, marketing platforms, booking systems and IT providers is now one of your biggest and least-visible risks.
What Greater Manchester businesses should do
- Map your suppliers and your data. Know which third parties hold your data and your customers’ data, and exactly what they hold.
- Put security into your contracts. Require breach-notification timescales, minimum security controls and the right to audit.
- Ask for evidence. Request suppliers’ Cyber Essentials or ISO 27001 certification, recent penetration-test results and their breach history.
- Share less. Only give providers the data they genuinely need, and for no longer than necessary.
- Expect the phishing wave. Warn your team that targeted phishing often follows a breach, and back awareness with phishing-resistant MFA.
- Plan for a supplier breach — not just your own — in your incident-response process.
At Foresight, managing third-party and supply-chain risk is part of how we keep clients secure — from supplier due diligence and Cyber Essentials to security-awareness training, vulnerability management and 24/7 monitoring. If you’re not sure who holds your data or how well it’s protected, get in touch.
Sources: BleepingComputer; Help Net Security.