Category: supply chain
Published: March 19, 2026
Affected: 672,075 individuals
Incident date: August 14, 2025

Marquis Ransomware Attack Exposes 672,000 Banking Customers — And the Firewall That Should Have Stopped It

A fintech company trusted by over 700 U.S. banks and credit unions was hit by a ransomware gang in August 2025. The stolen data — names, Social Security numbers, bank account details — belonged to customers of financial institutions across the country. The attack, confirmed this week as affecting at least 672,075 people, traces back to a critical failure inside the cloud backup service of the company's own firewall provider, SonicWall.

When a ransomware group breached Marquis Software Solutions on August 14, 2025, it was not just one company that was compromised. It was the banking data of hundreds of thousands of ordinary Americans — people who had never heard of Marquis, who had no contractual relationship with the company, and who had no way of knowing that their personal and financial information was sitting inside its servers. That is the defining feature of a third-party vendor breach: the people who bear the greatest harm are often the furthest removed from the original failure.

Marquis, headquartered in Plano, Texas, provides digital marketing, data analytics, compliance reporting, and customer relationship management services to more than 700 banks, credit unions, and mortgage lenders across the United States. The company sits inside a data supply chain that connects it to millions of consumers who bank with its clients. When that chain broke, it broke loudly — and widely.

The full scope of the breach was confirmed this week in a listing filed with Maine's attorney general's office: 672,075 individuals had their information stolen. More than half of those affected live in Texas, according to a separate notice filed with the Texas attorney general. The disclosure, as reported by TechCrunch on March 18, 2026, represents the most complete public accounting yet of the incident's reach.

What Was Stolen — and Why It Matters

The range of data taken in the Marquis breach is what elevates this incident above a routine cyberattack. According to breach notifications filed with multiple state attorney general offices, the attackers exfiltrated the following categories of information from Marquis's systems:

  • Full names
  • Dates of birth
  • Mailing addresses
  • Phone numbers
  • Social Security numbers
  • Taxpayer Identification Numbers (TINs)
  • Bank account numbers
  • Debit and credit card numbers

The combination is significant. Financial account numbers can be replaced; cards can be cancelled and reissued. But Social Security numbers cannot be changed. They are permanent identifiers, and once exposed, they remain a resource for criminals indefinitely. Combined with dates of birth, addresses, and bank account details, a full identity profile is available to anyone who obtains it — whether directly from the ransomware group, through dark web resale, or through future data broker aggregation.

Critical: Social Security numbers and Taxpayer Identification Numbers stolen in this breach cannot be reissued. Affected individuals face long-term identity fraud risk even after financial accounts are secured. Synthetic identity creation and new-account abuse remain viable threats for years following this type of exposure.

In its data breach notification letters sent to affected individuals, Marquis stated: "The incident was limited to Marquis's systems and did not affect our customer's systems." That distinction may offer some comfort to the financial institutions that use Marquis's services — their own networks were not penetrated. But for the banking customers whose data Marquis was holding, the containment boundary is irrelevant. Their information was taken regardless of where the perimeter held.

How It Happened: The SonicWall Connection

For months after the August 2025 attack, Marquis did not know exactly how the attackers got in. Its firewall had been up to date. Multi-factor authentication (MFA) was enabled. Additional security controls were in place. By the company's own account, it had done what was expected of an organization handling sensitive financial data at scale. And yet, ransomware was deployed and data was stolen.

The answer eventually emerged from the wreckage of a separate, earlier breach — this one at SonicWall, Marquis's firewall provider.

According to Marquis's 35-page legal complaint filed February 23, 2026, in the U.S. District Court for the Eastern District of Texas (Case No. 4:26-cv-00195), SonicWall introduced a critical vulnerability in February 2025 through a change to one of its application programming interfaces (APIs). That code change allowed unauthorized parties to access firewall configuration backup files stored in SonicWall's cloud backup service — the MySonicWall platform — without proper authentication. The mechanism for exploitation was particularly damning: device serial numbers, which Marquis's complaint describes as predictable and algorithmically generatable, served as the access key to retrieve configuration backups.

SonicWall had reason to know that using predictable device serial numbers created a foreseeable vulnerability that threat actors could — and did — easily exploit. — Marquis Software Solutions, complaint filed February 23, 2026

In September 2025, SonicWall publicly disclosed that its MySonicWall cloud backup service had been breached. At the time, SonicWall characterized the impact as limited, stating that fewer than five percent of its customers using the cloud backup service had their firewall configuration files exfiltrated. By October 8, 2025, that figure was revised — dramatically. SonicWall confirmed that every customer who had backed up their firewall configuration to MySonicWall had their files stolen.

Marquis was among them.

The configuration backup files SonicWall stored were not simply technical settings documents. They contained firewall rules, VPN configurations, remote access settings, AES-256 encrypted credentials — and, critically, MFA scratch codes. These emergency bypass codes are designed to allow administrators to access a firewall even when standard authentication channels are unavailable. They are a legitimate feature of any robust access recovery system. But they are only valuable if stored securely. SonicWall, according to Marquis's complaint, stored them unencrypted inside the configuration backup files.

SonicWall's failure to encrypt the scratch codes is an egregious departure from the normal standard of care expected of a company in SonicWall's position. — Marquis Software Solutions, complaint filed February 23, 2026

With MFA scratch codes and credentials in hand, the attackers were able to bypass Marquis's MFA protections entirely — not by breaking the authentication system, but by using the recovery keys that had been left in plain text inside a compromised cloud backup. Marquis stated it opened a support ticket with SonicWall on the day it discovered the ransomware attack. It received no meaningful assistance or critical security information in response. Months later, SonicWall confirmed that Marquis's backup files had been among those downloaded during the earlier cloud compromise.

Warning: MFA is not a failsafe if recovery paths are unprotected. When scratch codes and emergency bypass credentials are stored in vendor-managed cloud backups without encryption, they become an alternate login route for any attacker who gains access to that backup infrastructure. Strong identity security requires that recovery mechanisms receive the same level of protection as primary authentication controls.

Mandiant, the incident response firm, investigated the SonicWall cloud breach and found evidence linking it to a state-sponsored threat actor. The identity of the ransomware group responsible for the Marquis attack has not been publicly confirmed.

Cascading Impact: 74 Banks, 36 Lawsuits, and a Lawsuit Against the Vendor

The operational fallout from the August 2025 attack extended well beyond Marquis itself. According to reporting by BleepingComputer, the ransomware attack disrupted operations at 74 banks across the United States — all of them Marquis clients whose services were impaired when their fintech provider's systems went down. Banks including Artisans' Bank of Wilmington, Delaware, and VeraBank of Henderson, Texas, subsequently notified their own customers that personal data had been stolen due to the breach at their supplier.

Marquis began issuing breach notifications to affected individuals in December 2025, several months after the attack. The company has acknowledged that it is defending more than 36 consumer class action lawsuits stemming from the incident. It is also facing at least one trade secrets claim. A trade organization revoked its sponsorship of Marquis following the breach, and the company has reported that clients have terminated contracts in its aftermath.

In its legal filings, Marquis described the financial consequences in stark terms: costs tied to the ransom demand, forensic investigation, breach notifications, remediation, legal defense, and lost revenue. The company noted substantial diminution in its enterprise value as a result of SonicWall's alleged conduct.

The SonicWall Breach has created astounding financial repercussions for Marquis. These costs have included, but are not limited to, legal costs and costs associated with the ransom demand, the forensic investigation, breach notifications and remediations. — Marquis Software Solutions, complaint filed February 23, 2026

On February 23, 2026, Marquis filed suit against SonicWall in the Eastern District of Texas, seeking monetary damages, indemnification, contribution toward the consumer class action judgments, attorneys' fees, and equitable relief. The complaint asserts causes of action including negligence, gross negligence, unjust enrichment, and misrepresentation. Marquis CEO Satin Mirchandani stated that SonicWall allegedly failed to secure its backup service, causing the company "significant reputational, operational, and financial harm."

SonicWall has denied the allegations. In a statement to Information Security Media Group, a SonicWall spokesperson said: "We are aware of a claim from Marquis alleging a connection between a SonicWall security incident and subsequent ransomware activity affecting their environment. At this time, we have not identified any technical evidence establishing a link between these events. Unfortunately, the customer filed a lawsuit without providing documentation to substantiate its allegations in advance. We are reviewing these claims now and are prepared to vigorously defend any unsubstantiated claims."

SonicWall has also previously stated: "We have no new evidence to establish a connection between the SonicWall security incident reported in September 2025 and ongoing global ransomware attacks on firewalls and other edge devices."

Legal analysts following the case note that it is unlikely to proceed to trial. As attorney Joseph Lazzarotti of JacksonLewis observed in reporting by Dark Reading, the contract between the parties may require arbitration or mediation, and the case is structured similarly to others that typically conclude in undisclosed settlements. However, the lawsuit's detailed technical allegations — and the public record it creates — may itself influence how vendors in the cybersecurity supply chain are held accountable going forward.

The Structural Problem: Vendor Risk in Financial Services

The Marquis breach did not happen because a bank failed to protect its customers. It happened because a vendor that banks trusted — and that operated largely invisible to those banks' customers — had a vulnerability in its own vendor's infrastructure. That chain of dependencies is not unusual. It is, in fact, the normal architecture of modern financial services technology.

Marquis serves more than 700 financial institutions. Each of those institutions has its own set of technology vendors. When one node in that graph is compromised, the impact spreads laterally across all connected organizations and their customers. The Marquis breach is a textbook example of what cybersecurity professionals refer to as a third-party or supply chain attack — not a direct breach of a bank, but a breach of a company that sits upstream from many banks simultaneously.

Note: Firewall configuration backup files stored in vendor-managed cloud environments represent a high-value aggregation point. A single successful attack on that cloud environment can cascade to every customer who uses the backup service. Organizations relying on cloud-hosted configuration backups should verify that those backups are encrypted at rest, that recovery credentials are stored separately from configuration data, and that the vendor's access controls are audited independently.
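As an added illustration of the failure mode described above and in the SonicWall section (this is not code from the briefing, from Marquis or from SonicWall): a pre-upload audit of a constructed firewall backup that flags scratch codes or credentials stored in plain text, and a hardened export that keeps only salted hashes of the scratch codes so a stolen backup no longer yields an MFA bypass. The JSON layout and the `ENC[...]` marker for encrypted fields are assumptions, not a real vendor format.

```python
import copy
import hashlib
import hmac
import os
import re

# Constructed sample backup (not a real vendor export): the admin password and VPN
# pre-shared key are wrapped in a hypothetical ENC[...] encrypted-field marker, but
# the MFA scratch codes sit in the file as plain text, as the briefing describes.
SAMPLE_BACKUP = {
    "device": {"model": "example-fw", "serial": "SERIAL-PLACEHOLDER"},
    "admin": {
        "username": "admin",
        "password": "ENC[aes256:Zm9vYmFyYmF6]",
        "mfa_scratch_codes": ["48213-90417", "77301-22845", "10592-63174"],
    },
    "vpn": {"psk": "ENC[aes256:cXV4cXV1eA==]"},
}

SCRATCH_KEY_RE = re.compile(r"(scratch|recovery|backup)[_-]?code", re.I)
CREDENTIAL_KEY_RE = re.compile(r"password|psk|secret|token", re.I)

def find_plaintext_recovery_material(node, path=""):
    """Return paths of credential or scratch-code fields not wrapped in ENC[...].
    Run before upload: a non-empty result means the file must not leave the device."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if SCRATCH_KEY_RE.search(key) or CREDENTIAL_KEY_RE.search(key):
                values = value if isinstance(value, list) else [value]
                if any(not (isinstance(v, str) and v.startswith("ENC[")) for v in values):
                    findings.append(child)
            else:
                findings.extend(find_plaintext_recovery_material(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_plaintext_recovery_material(item, f"{path}[{i}]"))
    return findings

def hash_scratch_code(code, salt):
    # A scratch code is a one-time password: keep a slow salted hash, never the code.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 200_000).hex()

def harden_backup(backup):
    """Copy the backup, replacing plaintext scratch codes with salted hashes."""
    hardened = copy.deepcopy(backup)
    codes = hardened["admin"].pop("mfa_scratch_codes")
    salt = os.urandom(16)
    hardened["admin"]["mfa_recovery_hashes"] = {
        "salt": salt.hex(),
        "hashes": [hash_scratch_code(c, salt) for c in codes],
    }
    return hardened

def verify_scratch_code(hardened, candidate):
    """Check a recovery code against the hashed store with a constant-time compare."""
    store = hardened["admin"]["mfa_recovery_hashes"]
    digest = hash_scratch_code(candidate, bytes.fromhex(store["salt"]))
    return any(hmac.compare_digest(digest, h) for h in store["hashes"])
```

The audit flags only the scratch codes in the sample, because the password and PSK carry the encrypted-field marker; after hardening it flags nothing, while a valid code still verifies.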

The SBS CyberSecurity analysis of the Marquis incident framed the issue precisely: "Even trusted service providers can be single points of failure." For financial institutions that rely on fintech vendors for core operational functions — marketing, compliance, data analytics — the question is not whether to use third-party providers, but how rigorously to vet and monitor them.

The Marquis case also raises questions about the contractual frameworks that govern these relationships. Attorney Lazzarotti noted that it is common for companies to engage vendors without conducting appropriate due diligence on their cybersecurity posture, and equally common for service level agreements to fail to account adequately for scenarios in which the vendor is the source of the breach. If an organization is as careless in hiring vendors as it claims vendors are in protecting it, the legal and reputational exposure runs in both directions.

SonicWall's track record on vulnerability disclosure adds another dimension. The Cybersecurity and Infrastructure Security Agency (CISA) has added multiple SonicWall vulnerabilities to its Known Exploited Vulnerabilities catalog over the past several years. In early 2025, SecurityWeek reported on an actively exploited zero-day in SonicWall's Secure Mobile Access products (CVE-2025-23006). The pattern of recurring, exploitable flaws in SonicWall's product and cloud infrastructure is relevant context for any organization evaluating its ongoing relationship with the vendor.

What Affected Individuals Should Do Now

Marquis has confirmed it is issuing breach notifications on behalf of affected business customers whose data it processed. If you received a notification letter related to the Marquis breach — or if you bank with an institution that uses Marquis's services — there are concrete steps you can take to reduce your exposure.

First, place a credit freeze with each of the three major credit bureaus: Equifax, Experian, and TransUnion. A credit freeze is free under federal law and prevents new credit accounts from being opened in your name without your explicit authorization. It is the single most effective tool for preventing new-account fraud following a Social Security number exposure.

Second, monitor your existing financial accounts closely. While Marquis stated that account security codes were not among the stolen data, account numbers and card numbers were taken. Contact your financial institution directly if you have any concerns about account activity.

Third, consider placing a fraud alert with one of the three credit bureaus (it automatically applies to all three). A fraud alert requires creditors to take additional steps to verify your identity before opening new accounts.

Fourth, be alert to phishing attempts. Attackers who hold this type of data — with names, addresses, phone numbers, and partial financial details — are well-positioned to craft highly targeted phishing emails and phone calls that appear legitimate. Do not click links in unsolicited emails claiming to be from your bank, and do not provide additional information to callers who claim to be verifying your identity in connection with this breach.

Warning: Criminals often wait months or years after a breach to exploit stolen data, timing their attacks to coincide with reduced consumer vigilance. A credit freeze placed now remains effective indefinitely and can be lifted temporarily when you need to apply for credit. There is no downside to taking this step immediately.

Key Takeaways

  1. Vendor cloud backups are attack surface: Firewall configuration files stored in vendor-managed cloud environments — containing credentials, VPN settings, and MFA recovery codes — represent a concentrated, high-value target. Organizations should audit what their security vendors store on their behalf, where, and with what encryption controls.
  2. MFA can be bypassed through recovery paths: The Marquis breach demonstrates that enabling MFA is insufficient if the recovery mechanisms are stored without encryption by a third party. Scratch codes and emergency access tokens must receive the same security treatment as primary credentials.
  3. Breach disclosure timelines matter: SonicWall's initial characterization of the breach as affecting fewer than five percent of customers — later revised to all customers — delayed the response of affected organizations. Accurate and timely vendor disclosure is not just a compliance requirement; it is a prerequisite for downstream incident response.
  4. Supply chain exposure multiplies consumer harm: A breach at one vendor serving 700 financial institutions is not equivalent to 700 separate breaches — it is worse. The aggregation of data across many institutions in a single vendor environment creates a concentration of risk that no individual bank would carry alone.
  5. Legal accountability is being tested: The Marquis v. SonicWall lawsuit (Case No. 4:26-cv-00195, Eastern District of Texas) represents a growing trend of organizations seeking to shift breach costs upstream to vendors whose security failures enabled the attack. The outcome of this litigation, and the 36+ consumer class actions Marquis is defending, will shape how vendor contracts and SLAs are written in the financial sector going forward.

The Marquis breach is not the first supply chain attack to expose banking customers at scale, and it will not be the last. What distinguishes it is the clarity of the failure chain: a code change at a security vendor, unencrypted recovery credentials stored in a cloud backup, a breach that went undetected for months, and a downstream ransomware attack that touched more than 670,000 people who had no visibility into any of it. For cybersecurity professionals, regulators, and anyone responsible for vendor risk management in financial services, that chain of events is worth understanding in full — because the same architecture that made this possible is in place at organizations across the country right now.

Sources: TechCrunch (March 18, 2026); BleepingComputer; Information Security Media Group; TechCrunch (February 24, 2026); Dark Reading; SBS CyberSecurity; Maine Attorney General breach filing
