Lidl and EY both disclosed third-party support and service-provider data breaches
Lidl notified customers in Germany, Belgium, and the Netherlands that a breach at an external IT service provider exposed customer data stored in a separate file. The retailer said the incident did not affect its shopping platform or payment systems, but attackers were able to briefly access and steal some of the stored records. In a separate incident, Ernst & Young disclosed a breach involving a third-party support ticket system that contained client documents and tax-related information. Both cases highlight how vendors and service providers can become the weakest link even when the primary company has strong internal controls. This matters because the exposed information can still be used for phishing, fraud, or follow-on social engineering even without payment card data. The incidents reinforce the need to track third-party exposure as part of core security governance, not just procurement paperwork.
Sources
- Hackers breach Lidl’s IT service provider, steal customer data — Help Net Security
- Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach — Security Affairs
- Hackers steal Lidl customer data from external service provider — The Record — Cybercrime
- Ernst & Young (EY) Investigates Data Breach Involving Third-Party Support Tickets — Security Affairs


Leave a Reply