Breach cyber

Merck Sharpe & Dohme LLC

Sep 1, 2025 2 min read
Merck Sharpe & Dohme LLC

In September 2025, Merck Sharpe & Dohme LLC experienced a data breach via its third-party service provider, Graebel Companies Inc., which manages employee relocation services. Unauthorized access to Graebel’s systems exposed sensitive personally identifiable information (PII) of current and former Merck employees. The compromised data includes names, dates of birth, addresses, phone numbers, Social Security numbers, and financial account details. Merck confirmed the breach after an internal review and reported it to the Massachusetts Attorney General’s office in November 2025. Affected individuals were notified, and the company offered free identity theft protection services (Cyberscout) to mitigate risks. The full scope of the breach remains undetermined but is potentially significant, with legal firms investigating compensation claims for victims, including reimbursement for financial losses, time spent resolving issues, and emotional distress.

Source: https://www.claimdepot.com/investigations/merck-data-breach-2025

MSD cybersecurity rating report: https://www.rankiteo.com/company/msd-global

"id": "MSD0602706111825",
"linkid": "msd-global",
"type": "Breach",
"date": "9/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'healthcare/pharmaceuticals',
                        'location': 'Rahway, New Jersey, USA',
                        'name': 'Merck Sharpe & Dohme LLC',
                        'size': 'multinational (large)',
                        'type': 'pharmaceutical company'},
                       {'customers_affected': 'current and former Merck '
                                              'employees',
                        'industry': 'employee relocation management',
                        'location': 'USA',
                        'name': 'Graebel Companies Inc.',
                        'type': 'service provider'}],
 'attack_vector': ['unauthorized access', 'supply chain compromise'],
 'customer_advisories': ['Free identity theft protection (Cyberscout)',
                         'Fraud alert and credit report recommendations',
                         'Legal compensation eligibility'],
 'data_breach': {'data_exfiltration': 'likely (under investigation)',
                 'personally_identifiable_information': ['name',
                                                         'date of birth',
                                                         'address',
                                                         'phone number',
                                                         'Social Security '
                                                         'number'],
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'financial account information']},
 'date_detected': '2025-09',
 'date_publicly_disclosed': '2025-11-17',
 'description': 'Merck Sharpe & Dohme LLC, a multinational pharmaceutical '
                'company, experienced a data breach through its U.S.-based '
                'service provider, Graebel Companies Inc., which handles '
                'employee relocation management services. Unauthorized access '
                "to Graebel's systems exposed sensitive personally "
                'identifiable information (PII) of current and former Merck '
                'employees. The breach was detected in September 2025, with '
                'Merck completing its review by October 20, 2025. '
                'Notifications were sent to affected individuals, and the '
                'incident was reported to the Massachusetts Attorney General’s '
                'office on November 17, 2025. The full extent of the breach is '
                'not yet known but is potentially significant.',
 'impact': {'brand_reputation_impact': 'potential (ongoing investigation)',
            'data_compromised': True,
            'identity_theft_risk': 'high (PII exposed)',
            'legal_liabilities': 'potential (class action lawsuits initiated)',
            'payment_information_risk': 'high (financial account information '
                                        'exposed)',
            'systems_affected': ['Graebel Companies Inc. systems']},
 'initial_access_broker': {'high_value_targets': ['employee PII and financial '
                                                  'data']},
 'investigation_status': 'ongoing (full extent of breach not yet known)',
 'recommendations': ['Monitor financial accounts for suspicious activity',
                     'Sign up for free Cyberscout identity theft protection '
                     'services',
                     'Place a fraud alert with credit bureaus',
                     'Request free annual credit reports',
                     'Seek legal counsel for compensation eligibility'],
 'references': [{'source': 'Shamis & Gentile P.A. (class action '
                           'investigation)'},
                {'date_accessed': '2025-11-17',
                 'source': 'Massachusetts Attorney General’s office (breach '
                           'notification)'}],
 'regulatory_compliance': {'legal_actions': ['class action lawsuits '
                                             '(investigated by Shamis & '
                                             'Gentile P.A.)'],
                           'regulatory_notifications': ['Massachusetts '
                                                        'Attorney General’s '
                                                        'office (reported on '
                                                        '2025-11-17)']},
 'response': {'communication_strategy': ['direct mailing to affected '
                                         'individuals',
                                         'public disclosure via Massachusetts '
                                         'Attorney General’s office',
                                         'legal advisories via Shamis & '
                                         'Gentile P.A.'],
              'containment_measures': ['system access restrictions (by '
                                       'Graebel)'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['notifications to affected individuals',
                                    'free identity theft protection services '
                                    '(Cyberscout)'],
              'third_party_assistance': ['Cyberscout (identity theft '
                                         'protection services)']},
 'stakeholder_advisories': ['notifications mailed to affected individuals'],
 'title': 'Merck Sharpe & Dohme LLC Data Breach via Graebel Companies Inc.',
 'type': ['data breach', 'third-party breach']}
Published by
Jeremy C
Jeremy C
You might also like
Breach cyber

Gainsight

public 2 min read
Gainsight experienced a security breach involving its Salesforce-connected app, where suspicious activity was detected. While the company’s CEO, Chuck…
Jeremy C Jeremy C
Breach cyber

Gainsight

public 2 min read
Gainsight, a customer success platform, suffered a breach linked to its Salesforce-connected app, initially flagged by Salesforce due to unusual…
Jeremy C Jeremy C
Breach cyber

Gainsight

public 2 min read
Gainsight, a customer success management software firm, experienced a breach in its systems that compromised Salesforce customer tokens. The incident…
Jeremy C Jeremy C
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.