Dentsu, a global advertising and media network, suffered a security breach within its subsidiary Merkle’s network, resulting in the theft of sensitive files. The compromised data included personal and financial details of current and former employees, as well as some clients and suppliers. Exposed information comprised names, bank/payroll details, salaries, National Insurance numbers, and personal contact details.The company detected unusual network activity, triggering an immediate response: systems were taken offline, incident response protocols were activated, and third-party cybersecurity firms alongside law enforcement were engaged. While Dentsu restored operations, the investigation remains ongoing. Affected individuals were notified and offered credit/dark-web monitoring services via Experian Identity Plus to mitigate risks like identity theft or financial fraud.The breach coincides with Dentsu’s strategic review, including potential divestments of its international creative and media divisions, raising concerns about operational stability. The incident underscores vulnerabilities in handling highly sensitive employee and client data, with potential long-term reputational and financial repercussions.

Dentsu, a global advertising and marketing agency, suffered a significant data breach affecting its CX agency, Merkle. The incident involved unauthorized access to files containing sensitive personal and financial data of current and former employees, including bank/payroll details, salaries, National Insurance numbers, and contact information. The breach also extended to LNER (London North Eastern Railway) customer data, exposing contact details and journey histories, though no payment or password data was compromised. The breach triggered a complaint to the UK’s Information Commissioner’s Office (ICO), with affected ex-employees forming legal groups (one WhatsApp group exceeding 150 members) to pursue collective action. Dentsu acknowledged the leak exceeded legal reporting thresholds and offered affected individuals a year of Experian Identity Plus for monitoring. However, frustration persists over delayed notifications, unclear specifics of leaked data, and Dentsu’s retention of records beyond standard HMRC timelines (some ex-employees left over a decade ago). The ICO may impose fines (up to £8.7M or 2% of global turnover) if negligence is proven, separate from potential compensation claims.