On September 22, 2025, Merck, a New Jersey-based pharmaceutical company, was alerted that its third-party service provider, Graebel Companies, suffered a **data breach** exposing sensitive personal and financial information of current and former employees. The compromised data includes **names, dates of birth, addresses, phone numbers, Social Security numbers, and financial account details**, heightening risks of identity theft and fraud.The breach was formally disclosed to the Massachusetts Attorney General’s office on November 17, 2025, though the exact number of affected individuals remains undetermined. Merck collaborated with Graebel to contain the incident, strengthen security measures, and notify impacted employees. As a remedial step, Merck is providing **24 months of complimentary credit monitoring and identity theft protection** via TransUnion.The exposure of **personally identifiable information (PII) and financial records**—particularly through a third-party vendor—underscores vulnerabilities in supply chain cybersecurity and the potential for long-term reputational and financial harm to both employees and the company.
Source: https://www.claimdepot.com/data-breach/merck-2025
Merck cybersecurity rating report: https://www.rankiteo.com/company/merck
"id": "MER3502435111825",
"linkid": "merck",
"type": "Breach",
"date": "9/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'industry': 'Healthcare/Pharmaceutical',
'location': 'New Jersey, USA',
'name': 'Merck Sharp & Dohme LLC',
'type': 'Pharmaceutical Company'},
{'customers_affected': 'Current and former Merck '
'employees (number unknown, '
'potentially significant)',
'industry': 'Relocation/Logistics',
'location': 'USA',
'name': 'Graebel Companies',
'type': 'Service Provider'}],
'customer_advisories': 'Public disclosure via regulatory notification; '
'individual notifications sent to affected employees',
'data_breach': {'number_of_records_exposed': 'Unknown (potentially '
'significant)',
'personally_identifiable_information': ['Names',
'Dates of birth',
'Addresses',
'Phone numbers',
'Social Security '
'numbers'],
'sensitivity_of_data': 'High (includes SSNs and financial '
'account information)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Information']},
'date_detected': '2025-09-22',
'date_publicly_disclosed': '2025-11-17',
'description': 'On Sept. 22, 2025, Merck Sharp & Dohme LLC (Merck) was '
'notified that its U.S.-based service provider, Graebel '
'Companies, experienced a data breach exposing sensitive '
'personal information of current and former Merck employees. '
'The breach was disclosed to the Massachusetts Attorney '
'General’s office on Nov. 17, 2025. Compromised data may '
'include names, dates of birth, addresses, phone numbers, '
'Social Security numbers, and financial account information, '
'putting individuals at risk for identity theft and fraud.',
'impact': {'brand_reputation_impact': 'Potential reputational harm due to '
'exposure of sensitive employee data',
'data_compromised': ['Names',
'Dates of birth',
'Addresses',
'Phone numbers',
'Social Security numbers',
'Financial account information'],
'identity_theft_risk': 'High (due to exposure of PII and financial '
'information)',
'payment_information_risk': 'High (financial account information '
'exposed)'},
'investigation_status': 'Ongoing (scope and full impact not yet determined)',
'post_incident_analysis': {'corrective_actions': ['Enhanced security '
'protocols by Graebel '
'Companies',
'Credit monitoring and '
'identity theft protection '
'services for affected '
'individuals']},
'recommendations': ['Monitor credit and financial accounts for suspicious '
'activity',
'Enroll in complimentary credit monitoring and identity '
'theft protection services (provided by TransUnion for 24 '
'months)'],
'references': [{'source': 'Massachusetts Attorney General’s Office '
'Disclosure'}],
'regulatory_compliance': {'regulatory_notifications': 'Disclosed to '
'Massachusetts Attorney '
'General’s office'},
'response': {'communication_strategy': 'Direct communication with affected '
'individuals',
'containment_measures': 'Implemented by Graebel Companies',
'incident_response_plan_activated': True,
'remediation_measures': 'Enhanced security protocols by Graebel',
'third_party_assistance': 'Collaboration with Graebel Companies'},
'stakeholder_advisories': 'Direct notifications sent to affected individuals',
'title': 'Data Breach at Merck via Third-Party Service Provider Graebel '
'Companies',
'type': 'Data Breach (Third-Party)'}