A subsidiary of Japanese marketing and PR giant Dentsu lost sensitive data to unidentified threat actors, the parent company said.
October 29, 2025

A major marketing and PR firm lost sensitive employee data in a cyberattack.

Merkle, a US-based subsidiary of publicly owned Japanese marketing company Dentsu, was breached by an unidentified threat actor, according to a disclosure published to Dentsu's website. Merkle is best known as a customer experience management (CXM) firm.

Dentsu said it detected unusual activity on Merkle's network and initiated incident response protocols, including engaging a "cybersecurity firm that has worked with other companies to address similar situations." The company said it "took steps to contain" the attack and launched an investigation. It also notified law enforcement as well as the UK's Information Commissioner's Office (ICO) and National Cyber Security Centre (NCSC), as Merkle is considered a division of Dentsu UK Limited.

In the disclosure, Dentsu said certain files containing information about current and former employees were stolen from Merkle's network.

"Our investigation is ongoing; however, at present we anticipate that the files include bank and payroll details, salary, National Insurance number, and personal contact details," Dentsu said.

The company has "sought to notify" all potentially impacted employees and "taken measures to prevent the public disclosure of the data."

Although the nature of the attack is unknown, the presence of language such as "took steps to contain" and "taken measures to prevent the public disclosure of the data" is frequently associated with data extortion or ransomware attacks. Dark Reading asked Dentsu whether ransomware was involved in the incident, whether an extortion demand was made, and whether the company or an intermediary paid an extortion demand. A spokesperson declined to respond directly to the questions, though they offered a statement from the company.

The statement reiterates details from the disclosure post, though it includes details absent from the latter. As part of the company's incident response protocols, Dentsu temporarily took some systems offline out of precaution. Since then, all systems have been brought back online and are operational.

Regarding stolen data, it appears to extend beyond current and former employees. "The investigation identified that certain files were taken from Merkle's network. A review of those files determined that they contained information relating to some clients, suppliers, and current and former employees," the statement reads. "Although our investigation remains ongoing, we have begun the notification process in accordance with applicable law."

To support impacted employees, Dentsu is offering those affected a year of credit and Dark Web monitoring. The disclosure warned that stolen data could be used in phishing, identity fraud, or other social engineering attacks.

"We encourage all those potentially affected to remain vigilant at the present time by reviewing their financial account statements for any unauthorized activity," Dentsu said.

Enterprises losing sensitive data to threat actors is nothing new, and unfortunately, it's a problem that doesn't seem to be going away anytime soon. Shaked Tanchuma Yogev, director of incident response (IR) at Wiz, tells Dark Reading that in an incident such as this one, the IR process needs to move quickly and methodically.

For most organizations, Wiz recommends the National Institute of Standards and Technology's (NIST's) framework, which is built around multiple phases, including preparation (defining roles, responsibilities, communication plans, and tools before an incident occurs); detection and analysis (confirming whether an incident has occurred, as well as its scope); containment, eradication, and recovery as it relates to the threat; and post-incident review.

For data theft specifically, the incident will follow the guidance of the legal team, which Tanchuma Yogev says will work hand-in-hand with HR and cybersecurity teams to classify information and determine the sensitivity of data stolen. This is then followed by notifying affected persons, following the appropriate legal procedures according to the location of the organization, and rotating secrets if anything like credentials were exposed.

"Every incident is different, but the goal is always the same: limit damage, learn from the experience, and protect the people and data at the heart of the business," Tanchuma Yogev says.

Matan Naftali, enterprise security expert at cyber readiness and incident response firm Sygnia, tells Dark Reading that to limit the chance of something similar happening to them, organizations should prioritize proactive data and access controls. This includes classifying and minimizing retention on critical HR and payroll data, applying encryption in transit and at rest, and following least-privilege principles. In addition to these and other best practices, organizations should also consider "conducting recurring threat hunts aligned with observed [tactics, techniques, and procedures] and follow up with a red-team validation to confirm that fixes are effective."

Alexander Culafi, Senior News Writer, Dark Reading