Merkle Data Breach Exposes Names and Social Security Numbers

Other Commercial data breach illustration
Breach Discovery: 31st August 2025Breach Notification: 27th January 2026

What Happened in the Merkle Data Breach?

Merkle recently confirmed a data breach that exposed sensitive client information. According to the company’s breach notification, unauthorized access to its network occurred on or about Aug. 31, 2025. Merkle detected unusual activity on its servers, which prompted an immediate internal response.

As a result of this discovery, Merkle activated its incident response protocols right away. The company worked to contain the suspicious activity before it could spread further. In addition, Merkle brought in a cybersecurity firm with experience handling similar incidents to help investigate what had happened.

The investigation ultimately revealed that an unauthorized actor had accessed Merkle’s computer servers and acquired certain files. Because the scope of the incident required careful review, Merkle did not immediately know which data had been affected. After a thorough review of the compromised files, the company determined on Jan. 27, 2026, that some files contained names and Social Security numbers belonging to its clients.

Merkle has stated that it has no evidence at this time that other types of information were involved. The company also has not reported evidence that additional individuals beyond those already identified were affected. This suggests the investigation may still be ongoing in some respects, even though the core findings have been disclosed.

Who was affected?

The Merkle data breach affects clients whose personal information was stored on the compromised servers. Based on the notifications filed, at least one Massachusetts resident and one New Hampshire resident have been confirmed as affected. However, the total number of affected individuals nationwide has not been publicly disclosed.

Because Merkle operates as a marketing and data services provider, its client base likely spans multiple states. Therefore, additional residents from other states may also be affected, even though only two state disclosures are currently available. It remains unclear whether the affected individuals are Merkle’s direct clients, or clients of Merkle’s business customers whose data Merkle processed.

At this stage, there is no indication that minors were specifically targeted or included among the affected population. Still, anyone whose name and Social Security number were stored in Merkle’s systems during the relevant time period could potentially be affected. Individuals who receive a notification letter from Merkle should take it seriously, since it confirms their information was involved.

What Information Was Potentially Exposed?

The investigation into this breach identified a limited but sensitive set of data categories. Specifically, Merkle confirmed that certain files contained the following types of personal information:

  • Full names
  • Social Security numbers

Although this list is shorter than what appears in many other breaches, the combination of a name and a Social Security number is particularly dangerous. This is because these two data points alone are often enough for a criminal to open new credit accounts or file fraudulent tax returns in someone else’s name.

As a result, affected individuals face a real risk of identity theft. Fraudsters could use stolen Social Security numbers to apply for loans, open credit cards, or even gain unauthorized access to government benefits. Because Social Security numbers rarely change, this type of exposure can create risks that last for years, not just months.

In addition to identity theft, affected individuals may also face risks related to synthetic identity fraud. This occurs when criminals combine a real Social Security number with fake personal details to create an entirely new identity. Consequently, victims may not notice the misuse right away, since the fraudulent activity might not appear directly on their own credit file at first.

What is the company doing?

After discovering the breach, Merkle responded by engaging a cybersecurity firm to help contain the incident and investigate its scope. The company also conducted a detailed review of the compromised files to determine exactly what information had been exposed. This process ultimately led to the Jan. 27, 2026 determination regarding the exposed data types.

In response to the breach, Merkle is now offering affected individuals a complimentary one-year membership to Experian IdentityWorks. This service includes credit monitoring, identity restoration assistance, and up to $1 million in identity theft insurance. Merkle has also provided enrollment instructions and a dedicated phone number for questions.

Beyond individual notifications, Merkle has taken steps to strengthen its existing security measures. The goal is to help prevent similar incidents from happening again in the future. Furthermore, Merkle’s notification letters include guidance on placing fraud alerts or security freezes, along with contact information for the Federal Trade Commission and state attorneys general.

What Should Affected Individuals Do?

Monitor Your Credit Reports Closely

Affected individuals should begin monitoring their credit reports as soon as possible. Because Social Security numbers were exposed, new fraudulent accounts could appear on a credit file without warning. Checking your reports regularly makes it much easier to catch this activity early.

You can request free credit reports from each of the three major credit bureaus. In addition, enrolling in the complimentary Experian IdentityWorks membership offered by Merkle provides ongoing monitoring support. If you notice any unfamiliar accounts or inquiries, report them to the credit bureau immediately.

Consider a Fraud Alert or Credit Freeze

Given that Social Security numbers were involved in this breach, placing a fraud alert or credit freeze is a smart precaution. A fraud alert requires creditors to verify your identity before opening new accounts in your name. A credit freeze goes even further by restricting access to your credit file entirely.

To place either protection, you will need to contact each of the three major credit bureaus directly. This process is free and can typically be completed online or by phone. Because a freeze can be lifted temporarily when needed, it does not have to interfere with legitimate credit applications.

Stay Alert for Phishing Attempts

After a data breach, scammers often try to take advantage of the situation through phishing emails, texts, or phone calls. These messages may impersonate Merkle, a credit bureau, or even a government agency. Therefore, affected individuals should be cautious about clicking links or sharing information in response to unsolicited messages.

Instead of responding directly, verify any suspicious communication by contacting the organization through its official website or phone number. Never provide your Social Security number, account passwords, or financial details unless you are certain of who you are speaking with. This simple habit can prevent a phishing attempt from turning into a much bigger problem.

Enroll in the Identity Protection Services Offered

Merkle has made a complimentary one-year Experian IdentityWorks membership available to affected individuals. This service includes credit monitoring, identity restoration support, and identity theft insurance coverage up to $1 million. Taking advantage of this offer costs nothing and provides an added layer of protection.

To enroll, follow the specific instructions included in your notification letter from Merkle. If you have questions about the enrollment process, you can call the dedicated phone number Merkle has provided. Acting promptly ensures you receive the full benefit of the monitoring period.

Consult a Data Breach Attorney

If your name and Social Security number were exposed in this incident, it may be worth speaking with a data breach attorney. An attorney can help you understand whether you qualify for compensation related to this breach. Many offer free consultations, so there is little risk in asking questions.

Because state disclosures already confirm at least two affected individuals, more residents from other states may come forward as well. As a result, legal options such as a class action could develop over time. Consulting with an attorney early can help you stay informed about your rights as the situation unfolds.



More Information

Official Notice from Merkle

Official Notice from Mass

Official Data Breach Notification Letter (PDF)

Related Data Breaches