What Happened in the Dentsu Merkle Cyberattack?
Dentsu Merkle, a major global marketing and technology services company, confirmed that it suffered a cybersecurity incident in 2025 that exposed data belonging to clients and consumers. The attack led to the compromise of internal systems and triggered an internal investigation as well as external notifications to affected parties.
While full forensic details are still emerging, early reporting indicates that the attackers gained access through exposed or misconfigured systems, suggesting a combination of misconfiguration and possible exploitation of known vulnerabilities. The attackers were able to extract sensitive data before the company contained the incident.
Data breaches of this nature are increasingly common because threat actors do not necessarily need sophisticated zero-day exploits to succeed. In many cases, they rely on a chain of misconfigurations, unpatched software, exposed administrative interfaces, and weak authentication to gain access and move laterally inside enterprise environments.
Why This Attack Matters to Businesses
Several aspects of the Dentsu Merkle cyberattack make it a critical lesson for organisations of all sizes:
First, it affects a major service provider that handles client data across industries including retail, finance, healthcare, and technology. This means that the impact can ripple outward, affecting partner organisations and clients who rely on services from Dentsu Merkle.
Second, breaches originating from configuration weaknesses or unpatched systems remain powerful entry points for attackers. Modern threat actors scan for exposed services and known vulnerabilities across the internet, looking for easy access into large enterprise networks.
Third, these incidents erode consumer trust. When consumer or client data is exposed, organisations face regulatory scrutiny, potential fines, brand damage, and long-term reputational harm.
Finally, such attacks underscore the need for proactive cybersecurity measures beyond perimeter firewalls. Today’s security posture must include vulnerability management, penetration testing, identity and access controls, and incident response planning.
Common Paths to Enterprise Compromise
In enterprise incidents like this one, threat actors often exploit a combination of the following:
- Unpatched Software and Known CVEs: Many attacks begin with exploitation of known software vulnerabilities tracked with CVE identifiers. Organisations that do not patch in a timely manner leave systems exposed to attackers who automate exploit attempts across thousands of targets.
- Misconfigurations and Exposed Interfaces: Misconfigured servers or services left accessible from the public internet provide the first foothold into internal networks. This includes exposed administrative panels, unsecured APIs, and overly permissive cloud storage buckets.
- Credential Compromise and Phishing: Weak passwords and a lack of multifactor authentication are still common. A successful phishing attempt can give attackers credentials that then allow direct access to internal systems.
- Lateral Movement: Once inside a low-level service or account, attackers often escalate privileges and move laterally to find valuable data or system controls. This is often facilitated by weak internal segmentation and a lack of monitoring.
- Exfiltration of Data: After gaining access, attackers gather sensitive information and exfiltrate it. Detection is often slow because attackers may attempt to blend in with normal traffic patterns.
Any combination of these factors can undermine an enterprise. In many 2025 breaches, attackers did not need a “zero-day” exploit. Instead, they chained moderate-severity vulnerabilities with misconfigurations to achieve full compromise.
Examples of Real World Exploitation Methods
To understand how attackers may have operated in an incident like this one, consider these scenarios:
Scenario 1: An exposed database instance is reachable from the internet due to missing firewall rules. An attacker finds it via automated scanning and uses SQL injection or a configuration oversight to query sensitive tables.
Scenario 2: A web application uses an outdated third-party library with a known vulnerability listed as a CVE. The attacker exploits the flaw to upload malicious code and gain shell access to servers.
Scenario 3: Employees are targeted with phishing emails that capture login credentials. Because multifactor authentication is not enforced for all services, the attacker uses the stolen credentials to access internal dashboards.
Scenario 4: A misconfigured cloud storage bucket allows read and write access. The attacker retrieves data directly from the bucket or introduces malware that infects systems connected to that storage.
These methods highlight why both vulnerability management and secure configuration are essential components of cybersecurity.
Why CVE Tracking and Patch Management Still Matter
Vulnerability management is a core pillar of cybersecurity. Every month, security researchers and vendors publish new CVE entries for vulnerabilities that attackers may exploit. Each CVE carries a severity score (typically a CVSS score), published details of the affected products, and often proof-of-concept exploit code.
Delayed patching gives attackers time to automate exploitation and target a wide range of victims. Even when a patch is available, failing to deploy it across all environments sustains the exposure.
Best practices include:
- Maintaining an up-to-date inventory of all software, libraries, and services
- Tracking published CVEs relevant to your stack
- Prioritising critical or high-severity vulnerabilities for rapid patching
- Using vulnerability scanning tools to validate patch status
- Ensuring third-party vendors related to your platform also maintain strong patch cycles
Organisations that automate parts of this process reduce the window between disclosure and remediation, significantly reducing risk.
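One way to automate the inventory, CVE tracking and prioritisation steps above, as an added example that is not code from the original article or from Dentsu Merkle: it checks a constructed software inventory against constructed CVE records (the CVE-XXXX identifiers, product names and scores are placeholders, not real advisories), compares versions numerically so that 2.10.0 is correctly treated as newer than 2.9.0, and groups affected hosts per CVE in CVSS order so the critical fixes come first.

```python
from dataclasses import dataclass
# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("web-01", "libxyz", "2.4.1"),
    ("web-02", "libxyz", "2.10.0"),
    ("api-01", "frameworkq", "1.9.3"),
    ("db-01", "dbengine", "11.2.0"),
]

@dataclass(frozen=True)
class Cve:
    cve_id: str    # placeholder identifier, not a real CVE
    product: str
    fixed_in: str  # first fixed version; anything below it is affected
    cvss: float    # CVSS base score

# Constructed CVE records (hypothetical; not real advisories).
CVES = [
    Cve("CVE-XXXX-0001", "libxyz", "2.5.0", 9.8),
    Cve("CVE-XXXX-0002", "frameworkq", "1.9.4", 7.5),
    Cve("CVE-XXXX-0003", "dbengine", "11.1.0", 8.1),  # db-01 is already patched
    Cve("CVE-XXXX-0004", "libxyz", "2.9.0", 5.3),     # hits web-01 only; 2.10.0 > 2.9.0
]

def parse_version(v: str) -> tuple:
    # Numeric tuple comparison, so "2.10.0" sorts after "2.9.0" (string comparison would not).
    return tuple(int(p) for p in v.split("."))

def severity(cvss: float) -> str:
    # CVSS v3 qualitative rating bands.
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if cvss >= floor:
            return label
    return "low"

def find_exposed(inventory, cves):
    """Return (cve_id, host, version, cvss) for each unpatched install, highest CVSS first."""
    hits = [(c.cve_id, host, ver, c.cvss)
            for host, product, ver in inventory
            for c in cves
            if c.product == product and parse_version(ver) < parse_version(c.fixed_in)]
    return sorted(hits, key=lambda h: (-h[3], h[0]))

def patch_plan(inventory, cves):
    """Group affected hosts per CVE as [(cve_id, severity, [hosts])] in priority order."""
    plan = {}
    for cve_id, host, _, cvss in find_exposed(inventory, cves):
        plan.setdefault(cve_id, (severity(cvss), []))[1].append(host)
    return [(cid, sev, hosts) for cid, (sev, hosts) in plan.items()]
```

In practice the inventory would come from a software bill of materials or an agent, and the CVE records from a vulnerability feed; the matching and ranking logic stays the same.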
How Penetration Testing Can Protect Your Organisation
Penetration testing simulates real-world attack conditions to uncover weaknesses before they are exploited by malicious actors. A thorough penetration test does more than scan for CVEs. It evaluates how systems respond when an attacker:
- Exploits unpatched vulnerabilities
- Attempts lateral movement after initial compromise
- Escalates privileges between environments
- Exfiltrates sensitive data without triggering alerts
By engaging in periodic penetration testing, organisations can see how their security posture holds up under professional scrutiny. Testers will often probe:
- Externally exposed services
- Internal network segmentation
- Authentication and session handling
- API endpoints and integration points
- Cloud storage configurations
The insights from penetration testing help organisations fix critical gaps that automated scanners or compliance checklists may miss.
What Organisations Should Do Now
In response to this kind of breach, organisations should adopt a layered approach:
- Strengthen identity and access controls: Enforce strong authentication, including multifactor authentication, for all user access.
- Conduct an immediate configuration audit: Identify exposed services or misconfigurations that could be exploited.
- Accelerate patch management cycles: Deploy critical fixes for known CVEs and monitor for new disclosures.
- Run penetration tests that mirror real threat scenarios: This identifies hidden gaps and tests incident response readiness.
- Monitor logs and network activity: Use analytics to establish normal patterns so that anomalies stand out.
- Train employees on social engineering risks: Human error remains one of the easiest attack pathways.
- Review third-party and vendor risk: Ensure that partners and technology providers also maintain strong security practices.
Key Takeaway
The Dentsu Merkle cyberattack is a reminder that today’s attackers use both technology and human factors to succeed. They often do not need an undisclosed zero-day exploit. Instead, they leverage exposed systems, known vulnerabilities, poorly configured services, and unprotected credentials.
Organisations must combine tactical measures like CVE tracking, penetration testing, and patching with strategic investments in security training, identity controls, and infrastructure hardening. Doing so not only reduces the risk of breach but also improves detection and response when incidents occur.