Lidl has warned customers in several European countries to beware of phishing messages after revealing that their personal information may have been stolen from a third-party IT provider.
The supermarket giant, owned by German retail conglomerate Schwarz Group, said customers in Germany, Belgium and the Netherlands were impacted by the incident.
In a note to Belgian and Dutch customers, Lidl said it found out about the incident last week.
“Despite high IT security standards, unidentified individuals were briefly able to access a separately stored file containing customer data and steal some of it. The online shop system itself was not affected,” it explained.
Read more on retail breaches: Food Retailer Ahold Delhaize Discloses Data Breach Impacting 2.2 Million
Lidl said that customers of its online store were affected, with stolen data including full names, phone numbers, email addresses, dates of birth and customer numbers.
“At this time, we can rule out the possibility that passwords, billing and delivery addresses, bank details, or other payment information are affected,” it continued.
“Your customer account has not been compromised. Although we currently have no concrete evidence of data misuse, we are warning you, as a precaution, against possible phishing or identity theft attempts.”
Lidl said its IT service provider “reacted immediately” to restore the security of the impacted systems and engage forensics experts to investigate further. The relevant authorities have also been contacted.
Customer Vigilance is Required
Lidl warned of potential follow-on phishing attacks from fraudsters who may now be in possession of the stolen data.
“Always verify the sender’s authenticity,” it said. “If you notice anything unusual, do not disclose any data or click on any unknown links.”
Boris Cipot, principal security engineer at app security firm Black Duck, praised Lidl for its speedy response and transparency.
“That kind of candor presents the appropriate posture under GDPR,” he continued.
“The real test now is follow-through: how quickly they complete the forensic investigation, how clearly they communicate updates as the scope becomes known, and how rigorously they reassess the security requirements they place on their service providers going forward.”
Cipot urged customers to change their passwords out of caution, enable multi-factor authentication wherever it’s offered, and be on high alert.
“Attackers will absolutely weaponize this stolen data to craft convincing scams in the weeks and months ahead,” he added. “Monitor your bank and card statements closely, and consider a credit freeze if you’re in a jurisdiction where that’s available.”