Dentsu, a global advertising and marketing agency, suffered a significant data breach affecting its CX agency, Merkle. The incident involved unauthorized access to files containing sensitive personal and financial data of **current and former employees**, including bank/payroll details, salaries, National Insurance numbers, and contact information. The breach also extended to **LNER (London North Eastern Railway) customer data**, exposing contact details and journey histories, though no payment or password data was compromised. The breach triggered a complaint to the UK’s **Information Commissioner’s Office (ICO)**, with affected ex-employees forming legal groups (one WhatsApp group exceeding 150 members) to pursue collective action. Dentsu acknowledged the leak exceeded legal reporting thresholds and offered affected individuals a year of **Experian Identity Plus** for monitoring. However, frustration persists over delayed notifications, unclear specifics of leaked data, and Dentsu’s retention of records beyond standard HMRC timelines (some ex-employees left over a decade ago). The ICO may impose fines (up to **£8.7M or 2% of global turnover**) if negligence is proven, separate from potential compensation claims.
dentsu cybersecurity rating report: https://www.rankiteo.com/company/dentsu
{
  "id": "DEN0962609112125",
  "linkid": "dentsu",
  "type": "Breach",
  "date": "5/2025",
  "severity": "85",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": [
        "Current/former employees (150+ in one WhatsApp group)",
        "Clients",
        "Suppliers"
      ],
      "industry": "Marketing & Advertising",
      "location": ["United Kingdom", "Japan (HQ)"],
      "name": "Dentsu (including Merkle CX agency)",
      "type": "Advertising/Media Conglomerate"
    },
    {
      "customers_affected": "Unknown (contact details and journey information exposed)",
      "industry": "Transportation",
      "location": "United Kingdom",
      "name": "London North Eastern Railway (LNER)",
      "type": "Train Operator"
    }
  ],
  "customer_advisories": [
    "Dentsu: Monitor financial statements; offered Experian Identity Plus.",
    "LNER: No bank/payment card/password data affected; investigation underway."
  ],
  "data_breach": {
    "data_exfiltration": true,
    "personally_identifiable_information": [
      "Names",
      "National Insurance numbers",
      "Bank/payroll details",
      "Salaries",
      "Personal contact details (email/phone/address)"
    ],
    "sensitivity_of_data": "High (includes National Insurance numbers, bank details, salaries)",
    "type_of_data_compromised": [
      "Personal Identifiable Information (PII)",
      "Financial Data",
      "Employment Records",
      "Customer Contact Details",
      "Journey Information"
    ]
  },
  "date_publicly_disclosed": "2023-10-27",
  "description": "Dentsu reported a data breach where files containing personal and financial details of former employees (including bank/payroll details, salary, National Insurance numbers, and contact details) were exfiltrated from Merkle’s network. The breach also impacted LNER customer data, including contact details and journey information. The ICO is investigating, and affected individuals are considering legal action. Dentsu offered credit monitoring services and notified law enforcement.",
  "impact": {
    "brand_reputation_impact": [
      "Potential reputational damage due to legal action and regulatory scrutiny",
      "Negative media coverage"
    ],
    "customer_complaints": [
      "Collective legal action being considered by former employees",
      "Frustration over lack of follow-up communication",
      "Complaints about prolonged data retention (10+ years)"
    ],
    "data_compromised": [
      "Bank/payroll details",
      "Salary information",
      "National Insurance numbers",
      "Personal contact details",
      "LNER customer contact details",
      "LNER journey information"
    ],
    "identity_theft_risk": [
      "High (due to exposure of National Insurance numbers, bank details, and personal contact information)"
    ],
    "legal_liabilities": [
      "Potential ICO fines (up to £8.7M or 2% of global turnover)",
      "Group action claims by former employees",
      "Violation of UK GDPR and Data Protection Act 2018 (excessive data retention)"
    ],
    "payment_information_risk": [
      "Exposed for former employees (bank/payroll details)",
      "Not affected for LNER customers"
    ],
    "systems_affected": ["Merkle’s (Dentsu’s CX agency) network"]
  },
  "initial_access_broker": {
    "high_value_targets": ["Employee PII/financial data", "Client/supplier data"]
  },
  "investigation_status": "Ongoing (ICO inquiry and internal investigation with cybersecurity firm)",
  "post_incident_analysis": {
    "root_causes": [
      "Inadequate data retention policies (retained data for 10+ years beyond legal limits)",
      "Potential third-party security vulnerabilities (Merkle’s network)"
    ]
  },
  "ransomware": {"data_exfiltration": true},
  "recommendations": [
    "Improve data retention policies to comply with UK GDPR (max 7 years for HMRC-related records)",
    "Enhance transparency in post-breach communication (e.g., clarify which specific data was exposed per individual)",
    "Proactively engage with affected parties to mitigate legal risks",
    "Review third-party supplier security (LNER breach linked to Dentsu’s systems)"
  ],
  "references": [
    {"source": "Campaign UK"},
    {"source": "Information Commissioner’s Office (ICO) Statement"},
    {"source": "Withers Law Firm (Jo Sanders, Data/Information Disputes Partner)"}
  ],
  "regulatory_compliance": {
    "legal_actions": [
      "ICO investigation ongoing",
      "Potential group action claims by former employees"
    ],
    "regulations_violated": [
      "UK GDPR",
      "Data Protection Act 2018 (excessive data retention beyond 7 years)"
    ],
    "regulatory_notifications": [
      "Reported to ICO (scale exceeded legal threshold)",
      "Law enforcement notified"
    ]
  },
  "response": {
    "communication_strategy": [
      "Initial notification to affected individuals (27 Oct 2023)",
      "Encouraged monitoring of financial statements",
      "No further updates provided"
    ],
    "enhanced_monitoring": ["Fraud monitoring recommended for affected individuals"],
    "incident_response_plan_activated": true,
    "law_enforcement_notified": true,
    "remediation_measures": [
      "Offered Experian Identity Plus (1-year subscription for credit/dark-web monitoring)"
    ],
    "third_party_assistance": ["Cybersecurity firm (unnamed)"]
  },
  "title": "Dentsu Data Breach Affecting Former Employees and LNER Customers",
  "type": ["Data Breach", "Unauthorized Access"]
}