LNER

LNER (London North Eastern Railway) experienced a data breach due to unauthorized access to files managed by its third-party supplier, Merkle (a subsidiary of Dentsu). The breach compromised **customer contact details and some journey history**, though no bank, payment card, or password data was exposed. LNER warned customers about potential unsolicited communications and paused some customer communications as a precaution. Meanwhile, Dentsu confirmed that the breach also affected its **current and former employees**, exposing sensitive data such as **bank/payroll details, salaries, National Insurance numbers, and personal contact information**. Dentsu engaged cybersecurity firms and law enforcement, offering affected employees credit and dark-web monitoring services. The incident remains under investigation, with notifications sent to impacted parties in compliance with legal requirements. The breach highlights vulnerabilities in third-party vendor security and the broader risks of supply-chain cyberattacks.

Source: https://www.campaignlive.co.uk/article/dentsu-leak-compromised-lner-customer-data/1939314

London North Eastern Railway cybersecurity rating report: https://www.rankiteo.com/company/london-north-eastern-railway

"id": "lon0893608111125",
"linkid": "london-north-eastern-railway",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Current/former employees and '
                                              'some clients',
                        'industry': 'Marketing & Advertising',
                        'location': 'Global (Japanese-owned)',
                        'name': 'Dentsu (Merkle)',
                        'type': 'Advertising/Media Network'},
                       {'customers_affected': 'Undisclosed number (contact '
                                              'details and journey info '
                                              'exposed)',
                        'industry': 'Transportation',
                        'location': 'United Kingdom',
                        'name': 'London North Eastern Railway (LNER)',
                        'type': 'Railway Operator'}],
 'customer_advisories': ['LNER warned customers about phishing risks',
                         'Confirmed no financial/password data was exposed'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (includes National Insurance '
                                        'numbers, bank/payroll details, and '
                                        'salary info for Dentsu employees)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Financial data (Dentsu '
                                              'employees only)',
                                              'Customer contact details',
                                              'Journey history (LNER)']},
 'date_publicly_disclosed': '2023-09',
 'description': 'Dentsu’s security incident within Merkle’s network led to '
                'unauthorized access to files containing customer contact '
                'details and journey information for LNER (London North '
                'Eastern Railway). The breach also exposed bank, payroll, '
                'salary, National Insurance numbers, and personal contact '
                'details of Dentsu’s current/former employees and some '
                'clients. No bank, payment card, or password information was '
                'compromised for LNER customers. Dentsu engaged third-party '
                'cyber incident response firms, notified law enforcement, and '
                'offered affected employees credit/dark-web monitoring via '
                'Experian Identity Plus.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'Dentsu, LNER, and Merkle due to '
                                       'third-party breach and exposure of '
                                       'sensitive employee/client data',
            'data_compromised': ['Customer contact details (LNER)',
                                 'Previous journey information (LNER)',
                                 'Bank/payroll details (Dentsu employees)',
                                 'Salary information (Dentsu employees)',
                                 'National Insurance numbers (Dentsu '
                                 'employees)',
                                 'Personal contact details (Dentsu '
                                 'employees/clients)'],
            'downtime': 'Some systems taken offline as a precaution (Merkle)',
            'identity_theft_risk': 'High (for Dentsu employees due to exposed '
                                   'PII and financial details)',
            'operational_impact': ['Temporary pause of some LNER customer '
                                   'communications',
                                   'Ongoing investigation and notifications'],
            'payment_information_risk': 'None (explicitly confirmed by LNER '
                                        'for their customers)',
            'systems_affected': ['Merkle’s network (Dentsu subsidiary)']},
 'initial_access_broker': {'high_value_targets': ['Employee financial data '
                                                  '(Dentsu)',
                                                  'Client/customer data '
                                                  '(LNER)']},
 'investigation_status': 'Ongoing (as of October 2023)',
 'ransomware': {'data_exfiltration': True},
 'references': [{'source': 'Campaign (Marketing/Advertising News)'},
                {'date_accessed': '2023-09', 'source': 'LNER Press Release'},
                {'date_accessed': '2023-10',
                 'source': 'Dentsu Employee Email Notification'}],
 'regulatory_compliance': {'regulatory_notifications': ['Notifications sent in '
                                                        'accordance with '
                                                        'applicable law '
                                                        '(unspecified)']},
 'response': {'communication_strategy': ['Press release by LNER (September '
                                         '2023)',
                                         'Direct notifications to affected '
                                         'Dentsu employees (October 2023)',
                                         'Media alerts to LNER customers',
                                         'Public statements reassuring no '
                                         'financial/password data was exposed'],
              'containment_measures': ['Systems taken offline',
                                       'Incident response protocols initiated'],
              'enhanced_monitoring': ['Credit/dark-web monitoring for Dentsu '
                                      'employees (Experian)'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['Systems brought back online (Merkle)'],
              'third_party_assistance': ['Cybersecurity firm (unnamed)',
                                         'Experian Identity Plus (for employee '
                                         'monitoring)']},
 'stakeholder_advisories': ['LNER customers advised to be cautious of '
                            'unsolicited communications',
                            'Dentsu employees offered credit/dark-web '
                            'monitoring'],
 'title': 'Dentsu (Merkle) Data Breach Compromising LNER’s Customer Data',
 'type': ['Data Breach', 'Third-Party Vendor Compromise']}