LmCast :: Stay tuned in

Dentsu Subsidiary Breached, Employee Data Stolen

Recorded: Oct. 30, 2025, 2:20 p.m.


A subsidiary of Japanese marketing and PR giant Dentsu lost sensitive data to unidentified threat actors, the parent company said.

Alexander Culafi, Senior News Writer, Dark Reading
October 29, 2025

A major marketing and PR firm lost sensitive employee data in a cyberattack.

Merkle, a US-based subsidiary of publicly owned Japanese marketing company Dentsu, was breached by an unidentified threat actor, according to a disclosure published to Dentsu's website. Merkle is best known as a customer experience management (CXM) firm.

Dentsu said it detected unusual activity on Merkle's network and initiated incident response protocols, including engaging a "cybersecurity firm that has worked with other companies to address similar situations." The company said it "took steps to contain" the attack and launched an investigation. It also notified law enforcement as well as the UK's Information Commissioner's Office (ICO) and National Cyber Security Centre (NCSC), as Merkle is considered a division of Dentsu UK Limited.

Dentsu Employee Data Stolen

In the disclosure, Dentsu said certain files containing information about current and former employees were stolen from Merkle's network.
"Our investigation is ongoing; however, at present we anticipate that the files include bank and payroll details, salary, National Insurance number, and personal contact details," Dentsu said.

The company has "sought to notify" all potentially impacted employees and "taken measures to prevent the public disclosure of the data."

Although the nature of the attack is unknown, the presence of language such as "took steps to contain" and "taken measures to prevent the public disclosure of the data" is frequently associated with data extortion or ransomware attacks. Dark Reading asked Dentsu whether ransomware was involved in the incident, whether an extortion demand was made, and whether the company or an intermediary paid an extortion demand. A spokesperson declined to respond directly to the questions, though they offered a statement from the company.

The statement reiterates details from the disclosure post, though it includes details absent from the latter. As part of the company's incident response protocols, Dentsu temporarily took some systems offline out of precaution. Since then, all systems have been brought back online and are operational.

Regarding stolen data, it appears to extend beyond current and former employees. "The investigation identified that certain files were taken from Merkle's network. A review of those files determined that they contained information relating to some clients, suppliers, and current and former employees," the statement reads. "Although our investigation remains ongoing, we have begun the notification process in accordance with applicable law."

To support impacted employees, Dentsu is offering those affected a year of credit and Dark Web monitoring. The disclosure warned that stolen data could be used in phishing, identity fraud, or other social engineering attacks.
"We encourage all those potentially affected to remain vigilant at the present time by reviewing their financial account statements for any unauthorized activity," Dentsu said.

The Ever-Looming Threat of Data Theft

Enterprises losing sensitive data to threat actors is nothing new, and unfortunately, it's a problem that doesn't seem to be going away anytime soon. Shaked Tanchuma Yogev, director of incident response (IR) at Wiz, tells Dark Reading that in an incident such as this one, the IR process needs to move quickly and methodically.

For most organizations, Wiz recommends the National Institute of Standards and Technology's (NIST's) framework, which is built around multiple phases, including preparation (defining roles, responsibilities, communication plans, and tools before an incident occurs); detection and analysis (confirming whether an incident has occurred, as well as its scope); containment, eradication, and recovery as it relates to the threat; and post-incident review.

For data theft specifically, the incident will follow the guidance of the legal team, which Tanchuma Yogev says will work hand-in-hand with HR and cybersecurity teams to classify information and determine the sensitivity of data stolen. This is then followed by notifying affected persons, following the appropriate legal procedures according to the location of the organization, and rotating secrets if anything like credentials were exposed.

"Every incident is different, but the goal is always the same: limit damage, learn from the experience, and protect the people and data at the heart of the business," Tanchuma Yogev says.

Matan Naftali, enterprise security expert at cyber readiness and incident response firm Sygnia, tells Dark Reading that to limit the chance of something similar happening to them, organizations should prioritize proactive data and access controls.
This includes classifying and minimizing retention on critical HR and payroll data, applying encryption in transit and at rest, and following least-privilege principles. In addition to these and other best practices, organizations should also consider "conducting recurring threat hunts aligned with observed [tactics, techniques, and procedures] and follow up with a red-team validation to confirm that fixes are effective."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.

Copyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget.

A subsidiary of Dentsu, a major Japanese marketing and public relations company, experienced a significant data breach in which sensitive employee information was stolen by unidentified threat actors. The incident involved Merkle, a U.S.-based subsidiary of Dentsu, which operates as a customer experience management (CXM) firm. According to Dentsu’s disclosure, the breach was detected through unusual network activity, prompting immediate incident response protocols. The company engaged a cybersecurity firm with prior experience in similar cases, initiated containment measures, and launched an investigation. Dentsu also reported notifying law enforcement as well as the UK’s Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC), given Merkle’s status as a division of Dentsu UK Limited. The stolen data reportedly includes bank and payroll details, salary information, National Insurance numbers, and personal contact information for current and former employees. Additionally, the investigation revealed that certain files containing data related to clients, suppliers, and other stakeholders were also compromised. While Dentsu has taken steps to prevent the public disclosure of the stolen information, it warned that the data could be exploited for phishing, identity fraud, or other social engineering attacks. Affected employees have been notified and offered a year of credit monitoring and Dark Web surveillance to mitigate potential risks. The company emphasized the importance of vigilance, urging those impacted to review financial accounts for unauthorized activity.

The breach highlights the persistent threat of data theft in corporate environments, a challenge that organizations continue to grapple with despite evolving cybersecurity measures. Shaked Tanchuma Yogev, director of incident response at Wiz, emphasized the critical need for a structured and methodical approach to managing such incidents. Drawing on the National Institute of Standards and Technology (NIST) framework, he outlined key phases of incident response: preparation, detection and analysis, containment and eradication, recovery, and post-incident review. For data theft specifically, Tanchuma Yogev noted that legal teams play a central role in classifying the stolen information and determining its sensitivity. This process involves collaboration with human resources and cybersecurity teams to ensure compliance with legal requirements, such as notifying affected individuals in accordance with regional data protection laws. Additionally, organizations must prioritize the rotation of credentials or other compromised assets if they were exposed during the breach. Tanchuma Yogev stressed that while each incident is unique, the overarching goal remains consistent: minimizing harm, learning from the event, and safeguarding both organizational assets and employee well-being.

Matan Naftali, an enterprise security expert at Sygnia, a firm specializing in incident response and cyber readiness, offered further insights into preventing similar breaches. He advocated for proactive measures, including the implementation of robust data and access controls. This includes classifying sensitive information such as HR and payroll records, minimizing their retention periods, and applying encryption both in transit and at rest. Naftali also underscored the importance of adhering to least-privilege principles, which limit user access to only the data necessary for their roles. Beyond these foundational practices, he recommended conducting recurring threat hunts aligned with observed tactics, techniques, and procedures (TTPs) of adversaries. These exercises should be followed by red-team validations to confirm the effectiveness of implemented safeguards. By integrating such strategies, organizations can reduce their attack surface and enhance their resilience against sophisticated cyber threats.

The incident also raises broader questions about the evolving nature of cyberattacks and the challenges faced by companies in protecting their digital infrastructure. While Dentsu’s response included temporary system downtime and subsequent restoration of operations, the lack of clarity regarding whether ransomware was involved or if an extortion demand was made highlights gaps in transparency. A spokesperson for Dentsu declined to confirm or deny these details, citing the ongoing nature of the investigation. This ambiguity underscores the complexity of modern cyber incidents, where threat actors often employ multi-faceted tactics that blur the lines between data theft, ransomware, and other forms of cybercrime. The case also reflects a growing trend in which attackers target not only internal data but also third-party vendors, as seen in the compromise of Merkle’s systems. This interconnectedness necessitates a holistic approach to cybersecurity, where organizations evaluate the security postures of their partners and suppliers as rigorously as their own.

The breach serves as a reminder of the critical role that employee education and awareness play in mitigating cyber risks. Dentsu’s warning about the potential misuse of stolen data for phishing and identity fraud underscores the need for continuous training to help employees recognize and respond to social engineering attempts. Such efforts should be complemented by technical safeguards, including multi-factor authentication (MFA) and regular security audits. Moreover, the incident highlights the importance of maintaining up-to-date incident response plans that account for both internal and external threats. As cybercriminals increasingly leverage advanced tools and techniques, organizations must remain agile in adapting their defenses to counter emerging risks.

The broader implications of this breach extend beyond Dentsu and Merkle, reflecting systemic vulnerabilities within the corporate sector. The theft of employee data not only exposes individuals to financial and reputational harm but also erodes trust in the organizations responsible for safeguarding their information. This dynamic is exacerbated by the global scale of modern data ecosystems, where sensitive information can traverse multiple jurisdictions and third-party systems. In response to such challenges, regulatory frameworks like the General Data Protection Regulation (GDPR) and other regional data protection laws have imposed stringent requirements on organizations to report breaches promptly and implement robust security measures. However, compliance with these regulations alone is insufficient; companies must also adopt a culture of cybersecurity that prioritizes continuous improvement and proactive risk management.

As the digital landscape continues to evolve, the lessons from Dentsu’s breach reinforce the need for organizations to balance technological defenses with human-centric strategies. While advanced threat detection systems and encryption technologies are essential, they must be accompanied by clear policies, comprehensive training programs, and a commitment to transparency. The case also underscores the value of collaboration between cybersecurity professionals, legal experts, and business leaders in crafting effective responses to incidents. By integrating these elements, organizations can better navigate the complexities of modern cyber threats and protect both their operational integrity and the trust of their stakeholders. Ultimately, the incident serves as a cautionary tale about the persistent and adaptive nature of cybercrime, emphasizing the importance of vigilance, preparedness, and resilience in an increasingly interconnected world.