AD

Lidl Hit by Data Leak via IT Supplier: Customer Data Stolen in Several Countries

E-commerce customers affected.

Lidl has confirmed that a data leak at an external IT supplier has affected customers in Germany, the Netherlands and Belgium. According to the company, customers who have used Lidl's e-commerce platform are affected by the incident.

AD

During the intrusion, unknown perpetrators gained access to a separately stored file containing customer data at the supplier. The following data has been stolen:

  • First and last names, and preferred name.
  • Phone numbers and email addresses.
  • Date of birth and customer number.

Lidl states that the company's own e-commerce systems have not been affected. Passwords, payment information, bank details, and invoice and delivery addresses have not been exposed, and customer accounts are considered secure.

Currently, there is no concrete evidence that the stolen information has been misused, but Lidl warns affected customers of an increased risk of phishing and identity theft.

"Fake Delivery Messages"

Emil Olofsson, cybersecurity expert at Integrity360, believes that the stolen information makes it easier for fraudsters.

For customers who may have been affected, the biggest risk now is not the data leak itself, but what happens afterward. Cybercriminals are quick to exploit this type of information to create credible fraud attempts, such as fake delivery messages, offers, or loyalty mailings that look completely genuine, he says.

Olofsson also highlights the challenge of IT security in the supply chain.

When an intrusion occurs via a supplier, it often becomes a security risk from within in practice. The attack on Lidl shows that a company's security is only as strong as the weakest link in the supply chain, which is why supplier risks have become an increasingly important issue for those working with cybersecurity.

The affected IT supplier has filed a police report and engaged technical experts to investigate the extent of the intrusion. Lidl has also informed the relevant data protection authorities about the incident. The company has not disclosed which IT supplier is involved or exactly how many customers have been affected.

AD
Editorial Staff
AD