Full Report
Japanese advertising giant Dentsu has disclosed that its U.S.-based subsidiary Merkle suffered a cybersecurity incident that exposed staff and client data. [...]
Analysis Summary
# Incident Report: Dentsu/Merkle Data Exposure Incident
## Executive Summary
Japanese advertising giant Dentsu disclosed a cybersecurity incident affecting its U.S.-based subsidiary, Merkle. The breach resulted in the unauthorized exfiltration of staff and client data, forcing the company to proactively shut down certain systems. Third-party incident response services were engaged to manage the ongoing investigation into the full scope of the compromise.
## Incident Details
- Discovery Date: Not explicitly stated; the disclosure says only that "abnormal activity" was detected.
- Incident Date: Not explicitly stated.
- Affected Organization: Merkle (U.S.-based subsidiary of Dentsu).
- Sector: Advertising, Marketing, and Customer Experience Management (CXM).
- Geography: Primarily U.S.-based operations (Merkle), with the parent Dentsu Group affected globally by the disclosure.
## Timeline of Events
### Initial Access
- Date/Time: Unknown.
- Vector: Unknown specific entry point, but access was gained to Merkle's network.
- Details: Attackers gained access leading to "abnormal activity" within a portion of Merkle's network.
### Lateral Movement
- Details: Attackers successfully accessed files containing sensitive information, indicating successful internal movement within the targeted environment.
### Data Exfiltration/Impact
- Details: Investigation confirmed that "certain files were taken from Merkle’s network." The compromised data included information relating to clients, suppliers, and current/former employees.
### Detection & Response
- Detection: Incident detected via monitoring finding "abnormal activity within part of the network of Merkle."
- Response Actions: Immediate initiation of incident response procedures, proactive shutdown of certain systems to minimize impact, and notification to relevant authorities in impacted countries.
## Attack Methodology
*(Note: The provided article is high-level and does not detail specific TTPs like C2 or specific malware. Details below are inferred based on the impact description.)*
- Initial Access: Unknown.
- Persistence: Not disclosed.
- Privilege Escalation: Not disclosed.
- Defense Evasion: Not disclosed.
- Credential Access: Not disclosed.
- Discovery: Not disclosed.
- Lateral Movement: Successful movement to access files containing sensitive internal data (client, employee PII/payroll).
- Collection: Specific files relating to employees (bank details, payroll, NI numbers) and client/supplier information were collected.
- Exfiltration: Confirmed data theft ("certain files were taken").
- Impact: Data theft of sensitive personnel and business records.
## Impact Assessment
- Financial: Expected to have "some financial impact" on Dentsu Group, although specific figures are not disclosed.
- Data Breach: Stolen data included:
  - Staff bank and payroll details.
  - Salary information.
  - National Insurance (NI) numbers.
  - Personal contact details for current and former employees.
  - Information relating to some clients and suppliers.
- Operational: Certain affected systems were proactively taken offline as part of the response plan. Dentsu's Japan-based network systems were stated as not impacted.
- Reputational: Reputational damage from a major international advertising group disclosing a breach of employee PII and client data.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: Detection of "abnormal activity" on the network.
## Response Actions
- Containment measures: Proactively shut down certain systems as a precaution.
- Eradication steps: Currently ongoing, with third-party incident response services engaged to assist with the investigation.
- Recovery actions: In process, aimed at restoring affected systems after securing the environment.
## Lessons Learned
- Criticality of identifying high-value data repositories (employee payroll/PII) accessible over the network.
- The need for swift and decisive action, including proactive system shutdowns, when detecting anomalous activity.
- What could have been done better: The specific vulnerability used for initial access remains unknown, suggesting potential gaps in initial access prevention or monitoring controls.
## Recommendations
- Immediately conduct a comprehensive forensic review to identify the precise initial point of entry and all TTPs used by the threat actor.
- Review and strictly enforce access controls and segmentation around sensitive HR and payroll data within Merkle’s environment.
- Implement enhanced monitoring for anomalous file access patterns, especially bulk file retrieval from internal repositories.
- Ensure all potentially impacted current and former employees are notified in compliance with local jurisdictional requirements regarding PII theft (including bank details and NI numbers).
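The monitoring recommendation above (flagging bulk file retrieval from sensitive repositories) can be illustrated with a small detector. The following is an added example, not code from the report or from Dentsu/Merkle: it assumes a hypothetical, constructed audit-log format (`<timestamp>Z user=<name> action=<verb> path=<file>`), a watched repository prefix of `/shares/hr/`, and a threshold of 20 distinct files read within any 10-minute window. The sample log lines, user names and paths are all constructed for the example.

```python
"""Flag users who read an unusual number of distinct files from a watched
repository within a short time window, based on file-access audit log lines.
Added example; the log format, thresholds and sample data are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical audit-log line format (constructed for this example):
#   <ISO-8601 UTC timestamp>Z user=<name> action=<verb> path=<file path>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else
    (malformed lines are skipped rather than crashing the detector)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "action": m["action"], "path": m["path"]}


def detect_bulk_reads(lines, threshold=20, window_seconds=600,
                      repo_prefixes=("/shares/hr/",)):
    """Return one alert per user who read at least `threshold` distinct files
    under the watched prefixes inside any window of `window_seconds`.
    Input order does not matter; events are sorted per user."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "read":
            continue
        if not ev["path"].startswith(repo_prefixes):
            continue  # reads outside the sensitive repositories are ignored
        per_user[ev["user"]].append((ev["ts"], ev["path"]))

    alerts = []
    for user in sorted(per_user):
        events = sorted(per_user[user])
        for i, (start, _) in enumerate(events):
            # Expand the window forward from event i; O(n^2) is fine for a demo.
            j = i
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            distinct = {path for _, path in events[i:j]}
            if len(distinct) >= threshold:
                alerts.append({"user": user, "distinct_files": len(distinct),
                               "window_start": start.isoformat(),
                               "window_end": events[j - 1][0].isoformat()})
                break  # one alert per user is enough for triage
    return alerts


# Constructed sample data: a normal HR user, a marketing user outside the
# watched prefix, a slow reader spread over hours, and a bulk retrieval.
BASE_LINES = [
    "2024-03-01T09:00:01Z user=alice action=read path=/shares/hr/payroll/2024-02.xlsx",
    "2024-03-01T09:02:10Z user=bob action=read path=/shares/marketing/brief.docx",
    "2024-03-01T09:05:00Z user=alice action=read path=/shares/hr/payroll/2024-01.xlsx",
    "this line is malformed and must be skipped",
]
# carol reads 25 files, one every 10 minutes: never 20 inside a single window.
CAROL_LINES = [
    f"2024-03-01T{10 + (i * 10) // 60:02d}:{(i * 10) % 60:02d}:00Z "
    f"user=carol action=read path=/shares/hr/benefits/{i:03d}.pdf"
    for i in range(25)
]
# svc_backup reads 30 distinct payroll files in under five minutes.
BULK_LINES = [
    f"2024-03-01T23:{10 + i // 6:02d}:{(i % 6) * 10:02d}Z "
    f"user=svc_backup action=read path=/shares/hr/payroll/archive/{i:03d}.xlsx"
    for i in range(30)
]
SAMPLE_LINES = BULK_LINES + BASE_LINES + CAROL_LINES  # deliberately unsorted


if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_LINES):
        print(alert)
```

Only `svc_backup` is flagged: `alice` reads two files, `bob` never touches the watched prefix, and `carol` reads many files but never enough within one window. Lowering the threshold (for example to 2) would also flag `alice` and `carol`, which is the usual tuning trade-off between catching slow, low-volume collection and drowning analysts in alerts.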