Merck Employee Data Breached in Third-Party Vendor Incident
Merck Discloses Data Breach Affecting Employees After Vendor Graebel Companies Suffers Security Incident
Related Entities
Other
Full Report
Executive Summary
Pharmaceutical company Merck Sharp & Dohme LLC (Merck) has notified current and former employees of a data breach that exposed their sensitive personal and financial information. The breach was the result of a cybersecurity incident at Graebel Companies, a U.S.-based service provider used by Merck. Graebel notified Merck of the incident on September 22, 2025, and the breach was formally reported to the Massachusetts Attorney General's office on November 17, 2025. The compromised data includes names, dates of birth, Social Security numbers, and financial account information, placing affected individuals at significant risk of identity theft and fraud. Merck is providing two years of free credit monitoring to those impacted.
Threat Overview
This incident is a classic example of a supply chain attack, where the initial compromise occurred at a third-party vendor rather than the primary target. Graebel Companies, which likely provides relocation or other employee services to Merck, was the source of the breach. While details of the attack on Graebel are not public, the outcome was the unauthorized access and exfiltration of data belonging to Merck employees.
The timeline indicates a delay between the initial notification from the vendor (September 22) and the public disclosure (November 17), likely due to the time required for investigation and identification of the specific individuals and data types involved. The exposure of both PII and financial account information makes this a particularly severe breach for the individuals affected.
Technical Analysis
The attack focuses on exploiting a trusted third-party relationship.
- Initial Access (
T1199 - Trusted Relationship): The attackers compromised the network of Graebel Companies, a trusted vendor of Merck. By breaching the supplier, they gained access to the data that Merck had entrusted to them. - Collection (
T1213 - Data from Information Repositories): Once inside Graebel's network, the attackers located and accessed databases or file stores containing the sensitive data of Merck employees. - Exfiltration (
T1567 - Exfiltration Over Web Service): The threat actors then exfiltrated the stolen data to their own servers. The specific method is unknown but typically involves transferring data over encrypted channels like HTTPS.
The core of this incident from Merck's perspective is not a technical failure of their own systems, but a failure in third-party risk management.
Impact Assessment
The primary impact is on the current and former Merck employees whose data was exposed. The combination of Social Security numbers and financial account information creates a high risk of identity theft, financial fraud, and highly targeted phishing attacks. For Merck, the incident causes reputational damage and incurs costs related to incident response, legal fees, regulatory fines, and providing identity theft protection services. It highlights the significant challenge large corporations face in securing their data when it is handled by a sprawling network of third-party vendors. This breach will likely trigger a review of Merck's vendor security assessment and data sharing policies.
Cyber Observables for Detection
Since the breach occurred at a third party, detection observables for Merck are limited. However, organizations can monitor for the fallout.
| Type | Value | Description |
|---|---|---|
| Email Address | *@merck.com |
Monitor for employee email addresses appearing in credential dumps or being used in targeted phishing campaigns following the breach. |
| User Account Pattern | Merck employees | Implement heightened monitoring on employee accounts for anomalous login attempts or password reset requests. |
| Log Source | Identity Provider Logs |
Scrutinize logs for an uptick in failed logins or successful logins from unusual locations for the accounts of affected employees. |
Detection & Response
- Monitor for Credential Abuse: Following a breach of this nature, Merck's security team should be on high alert for attacks targeting their employees. This involves enhanced monitoring of corporate accounts for signs of credential stuffing or password spraying.
- Phishing Awareness: Launch an internal communications campaign to warn all employees about the breach and the increased likelihood of receiving targeted phishing emails. Remind them to be vigilant about any requests for personal information or credentials.
- Incident Coordination: Maintain close communication with the breached vendor (Graebel) to obtain all available IOCs and details about the attack. This information can be used to hunt for any related activity within Merck's own environment.
- User Support: Establish a clear channel for affected employees to report suspicious activity and receive support, as mandated by the offering of credit monitoring services.
Mitigation
- Third-Party Risk Management (TPRM): This is the most critical mitigation. Organizations must have a robust TPRM program that includes comprehensive security assessments of all vendors before entrusting them with sensitive data. This includes reviewing their security policies, penetration test results, and compliance certifications.
- Data Minimization: Only share the absolute minimum amount of data required for a vendor to perform their function. Regularly review and audit the data held by third parties and revoke access to data that is no longer needed.
- Contractual Obligations: Ensure that vendor contracts include strong cybersecurity clauses, requiring them to maintain specific security standards, report incidents within a defined timeframe, and carry cybersecurity insurance.
- Employee Training: While not a direct technical control for this incident, training employees to spot and report phishing attempts is crucial, as they are now at higher risk of being targeted using their stolen information.
Timeline of Events
MITRE ATT&CK Mitigations
Vulnerability Scanning
This should be interpreted as part of a larger Third-Party Risk Management (TPRM) program, where vendors are required to provide evidence of regular vulnerability scanning and remediation.
Account Use Policies
Enforce strong password policies and be prepared for credential abuse attempts against employee accounts following a breach of PII.
User Training
Train employees to recognize and report sophisticated phishing attempts that may use their stolen personal information for context.
D3FEND Defensive Countermeasures
The root cause of the Merck data breach is a failure in managing third-party risk. To prevent future incidents, Merck and other organizations must implement a stringent Vendor Risk Assessment program. Before any data is shared, potential vendors like Graebel Companies must undergo a thorough security evaluation. This should include reviewing their SOC 2 Type II reports, penetration testing results, and data handling policies. Contracts must contain explicit security requirements, data breach notification SLAs (e.g., notification within 72 hours), and right-to-audit clauses. For critical vendors, continuous monitoring using security ratings services can provide ongoing visibility into their security posture. This proactive approach ensures that vendors meet the organization's security standards before they become a weak link in the supply chain.
Following the breach of employee PII, Merck's security operations team must assume that employee credentials will be targeted. Implementing enhanced Domain Account Monitoring is a critical reactive measure. This involves using a SIEM and UEBA tools to closely watch all authentication events for Merck's domain. Security teams should lower the threshold for alerts related to impossible travel (e.g., logins from different continents in a short time), credential stuffing (high volume of failed logins across many accounts), and password spraying (many accounts being tested with a few common passwords). Monitoring for successful logins from new or anonymized IP addresses (like Tor or VPNs) for employee accounts is also crucial. This heightened state of alert helps detect when stolen PII is being weaponized against the corporate environment.
A key strategic defense is Data Minimization. Organizations should critically review the data they share with every third-party vendor. In the case of Merck and Graebel, the question must be asked: did Graebel need access to employee Social Security numbers and financial account information to perform its function? If not, that data should never have been shared. Legal and data governance teams should work with procurement to establish policies that enforce the principle of least privilege for data. Only the absolute minimum data necessary for the service should be transferred. Regular data audits should be conducted to ensure that vendors securely delete data that is no longer required. This reduces the 'blast radius' of a vendor compromise, as the attackers can only steal the data that is present.
Sources & References
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats