Dentsu reports data breach at U.S. subsidiary Merkle exposing employee and client data

Japanese advertising giant Dentsu Group is reporting a cybersecurity incident affecting its U.S.-based subsidiary Merkle, resulting in the theft of sensitive employee, client, and supplier data. Merkle operates as Dentsu's customer experience management (CXM) and data-driven marketing agency. Merkle's client portfolio includes Nestle, American Express, Intel, Microsoft, Procter & Gamble, Cox Communications, 7-Eleven, Burger King, Subway, J.P. Morgan, Diageo, Heineken, Hilton Hotels, Sanofi, Samsung, Kimberly-Clark, Sony, Kellogg's, and Volkswagen.

The breach was detected on October 27, 2025, and forced the company to take systems offline as part of its incident response measures.

Third-party cybersecurity incident response firms were engaged to assist with the investigation and remediation efforts. Law enforcement authorities were notified, and in the United Kingdom, the company reported the incident to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC).

The investigation confirmed that hackers stole certain files from Merkle's network containing sensitive personal and financial information relating to current and former employees, as well as information about some clients and suppliers. Exposed data includes:

• Names
• Bank account details
• Payroll information
• Salary details
• National Insurance numbers
• Personal contact information (addresses, phone numbers, email addresses)

The number of affected individuals and the nature of the attack is not disclosed. 

Following the containment efforts, Dentsu has confirmed that affected systems have been brought back online and that the company is now fully operational. The company is offering current and former employees impacted by the breach a complimentary one-year subscription to credit monitoring and dark web monitoring services.