Lidl says attackers stole customer data in Germany, Belgium, and the Netherlands via a third-party provider, raising concerns about phishing and GDPR compliance.