LNER has confirmed that a cyber incident at one of its communications suppliers compromised customer data — and it’s now thought the supplier may be linked to the recent Dentsu/Merkle data breach.
In September, train operator LNER was notified of a security incident involving a third-party supplier that manages its customer communications database. A spokesperson said an unauthorised third party had gained access to the supplier’s systems, potentially exposing customer contact information.
The company immediately reported the breach to the relevant authorities, paused certain customer communications, and began contacting those affected.
Although no bank, payment card, or password information is believed to have been compromised, LNER has urged customers to be alert to phishing or scam emails.
New reports suggest this supplier may have been part of Merkle, the marketing and data division of Dentsu UK Limited, which recently disclosed a data security breach. LNER has not publicly confirmed the link.
Even without financial details, exposed contact data can be used in phishing scams, where criminals pose as legitimate companies to trick customers into revealing more sensitive information.
If you’ve received an email from LNER confirming your details were affected, you should:
- Be cautious of emails claiming to be from LNER or related services
- Avoid clicking links or downloading attachments unless you’re certain they’re legitimate
- Change passwords regularly, particularly if you use the same one across multiple sites
- Report suspicious emails to the National Cyber Security Centre’s reporting service at [email protected].
With Dentsu’s investigation still ongoing, questions remain over which clients and sectors have been affected by the Merkle breach. Join the Claim will continue to monitor both cases and provide updates as more details emerge.
If it’s confirmed that Dentsu or its suppliers failed to adequately safeguard personal data, LNER customers could be entitled to compensation under UK data protection law.
This is because, under the UK GDPR, companies that share customer data with third-party providers remain legally responsible for how that data is handled. This includes ensuring those suppliers have appropriate security and compliance measures in place. If they don’t, the organisation that collected the data — in this case, LNER — could still be held accountable.
Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.