The Information Commissioner’s Office has received a complaint about Dentsu’s data breach, as frustration mounts among former employees affected.
The ICO said the complaint would be “considered in line with [its] standard complaints process” and that it would make inquiries into the incident.
Dentsu had already reported the incident to the public body because the scale of the leak exceeded the legal threshold at which organisations must inform the ICO.
Campaign understands several informal groups of ex-employees are considering collective legal action against Dentsu after being told their data had been breached. One WhatsApp group has more than 150 members.
A “Join the Claim” page has also been set up, which connects people with regulated UK law firms that run group action claims.
The initial message from Dentsu to those affected, sent on 27 October, said that its investigation identified that “certain files were taken from Merkle’s [Dentsu's CX agency] network”. It added that it “anticipated” the files included bank and payroll details, salary, National Insurance number, and personal contact details.
The message further explained that Dentsu had informed law enforcement, launched an investigation with assistance from a cybersecurity firm, and encouraged those affected to monitor their financial statements. The company also offered a year’s subscription to Experian Identity Plus, a credit and dark-web monitoring service.
In private conversations with Campaign, former Dentsu employees said they were disappointed not to have been contacted further and are unsure which specific details of theirs have been leaked.
Others are frustrated at the length of time Dentsu has retained data, as some of those affected left the business more than 10 years ago.
The default standard retention period for HMRC records is seven years (or six years, plus the current financial year). Under UK GDPR and the Data Protection Act 2018, personal data processed by HMRC must not be retained for longer than is necessary for its lawful purpose.
When contacted by Campaign at the time of its original reporting, a Dentsu spokesperson said: “A review of those files determined that they contained information relating to some clients, suppliers and current and former employees.”
Following the complaint, the ICO could make recommendations to the organisation on how to improve its information rights practices. In severe cases, it could enforce financial penalties: the standard maximum is US$11.4 million (£8.7 million) or 2% of the company's global turnover. This penalty would be separate from any compensation awarded to those affected.
Jo Sanders, a partner at Withers, specialising in data and information disputes, said: “It is too early to tell exactly what the consequences might be, but it seems that Dentsu is offering the recommended steps, such as enhanced monitoring for fraud. Not every data breach means that there has been a failure to meet security standards and even the most well-maintained systems can be vulnerable to malicious attacks.
“Those employees whose details have been disclosed would only have a claim for compensation if what has occurred is a breach of data protection obligations, the main one of which is to maintain adequate security. The fear of the consequences of personal details being leaked can in theory lead to a claim for compensation but it can't be purely speculative.”
The breach also compromised LNER customer data, with the train operator telling customers: “We have been made aware of unauthorised access to files managed by a third-party supplier, which involves customer contact details and some information about previous journeys.”
A spokesperson for LNER confirmed to Campaign that “no bank, payment card, or password information had been affected” and a “thorough investigation” was underway.
The breach comes amid speculation over Dentsu's future, after the Japanese-owned network appointed bankers to sound out buyers for its international creative and media business.
