dentsu Breach Incident Score: Analysis & Impact (DEN0962609112125)

In this Rankiteo incident briefing, we review the dentsu breach identified under incident ID DEN0962609112125.

The analysis begins with a detailed overview of dentsu's information like the linkedin page: https://www.linkedin.com/company/dentsu-aegis-network, the number of followers: 1639223, the industry type: Advertising Services and the number of employees: 17547 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 800 and after the incident was 800 with a difference of 0 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on dentsu and their customers.

On 27 October 2023, Dentsu (including Merkle CX agency) disclosed Data Breach and Unauthorized Access issues under the banner "Dentsu Data Breach Affecting Former Employees and LNER Customers".

Dentsu reported a data breach where files containing personal and financial details of former employees (including bank/payroll details, salary, National Insurance numbers, and contact details) were exfiltrated from Merkle’s network.

The disruption is felt across the environment, affecting Merkle’s (Dentsu’s CX agency) network, and exposing Bank/payroll details, Salary information and National Insurance numbers.

In response, teams activated the incident response plan, and began remediation that includes Offered Experian Identity Plus (1-year subscription for credit/dark-web monitoring), and stakeholders are being briefed through Initial notification to affected individuals (27 Oct 2023), Encouraged monitoring of financial statements and No further updates provided.

The case underscores how Ongoing (ICO inquiry and internal investigation with cybersecurity firm), and recommending next steps like Improve data retention policies to comply with UK GDPR (max 7 years for HMRC-related records), Enhance transparency in post-breach communication (e.g., clarify which specific data was exposed per individual) and Proactively engage with affected parties to mitigate legal risks, with advisories going out to stakeholders covering Dentsu: Monitor financial statements; offered Experian Identity Plus and LNER: No bank/payment card/password data affected; investigation underway.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating unauthorized access to files containing sensitive personal and financial data (no explicit vector, but implies credential misuse) and Exploit Public-Facing Application (T1190) with moderate confidence (60%), supported by evidence indicating potential third-party security vulnerabilities (Merkle’s network). Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with moderate confidence (50%), supported by evidence indicating files containing personal and financial details... exfiltrated from Merkle’s network (implies poor access controls). Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), supported by evidence indicating files containing bank/payroll details, salaries, National Insurance numbers... exfiltrated and Data from Network Shared Drive (T1039) with moderate to high confidence (80%), supported by evidence indicating unauthorized access to files... from Merkle’s network (shared drives likely). Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (70%), supported by evidence indicating data exfiltration confirmed, but no specifics on method (default assumption). Under the Impact tactic, the analysis identified Data from Cloud Storage (T1530) with moderate confidence (60%), supported by evidence indicating lNER customer data exposed (suggests cloud/third-party storage access) and Data Destruction (T1485) with lower confidence (10%), supported by evidence indicating no explicit destruction mentioned, but data retained beyond legal limits (10+ years) (low confidence). Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with lower confidence (40%), supported by evidence indicating no containment measures documented (possible log/trace cleanup inferred). Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Credentials (T1098.001) with moderate confidence (50%), supported by evidence indicating breach extended to LNER customer data (suggests lateral movement/persistence in cloud/third-party systems). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.