Marquis Ransomware Breach: 672K People Exposed as Attack Disrupts 80 US Banks

Dylan H.

News Desk

March 18, 2026

Marquis Software Ransomware Breach Exposes 672,000 Customers Across 80 Financial Institutions

A ransomware attack against Marquis Software Solutions, a Texas-based fintech vendor serving hundreds of US banks and credit unions, exposed the personal and financial data of over 672,000 individuals and disrupted operations at 80 financial institutions across the country. Despite the attack occurring in August 2025, affected consumers did not receive notification until nearly four months later — raising significant questions about breach notification timelines.


Incident Overview

| Attribute | Value |
|---|---|
| Target | Marquis Software Solutions (Texas, USA) |
| Date of Breach | August 14, 2025 |
| Attack Type | Ransomware + Data Exfiltration |
| Threat Actor | Akira ransomware gang (attributed) |
| Initial Vector | SonicWall SSL VPN (CVE-2024-40766 / CVE-2024-53704) |
| Institutions Impacted | 80 banks and credit unions |
| Individuals Affected | 672,000+ (updated toll: 823,548 per American Banker) |
| Data Categories | SSNs, TINs, financial account numbers, PII |
| Consumer Notification | ~4 months post-breach (December 2025) |
| Ransom Paid | Likely yes (per deleted CU compliance officer email) |

What Happened

Initial Compromise via SonicWall VPN

On August 14, 2025, attackers exploited a critical vulnerability in Marquis's SonicWall SSL VPN appliance — security researchers link the breach to CVE-2024-40766 (CVSS 9.3, improper access control in SonicWall SSL VPN) and possibly CVE-2024-53704 (CVSS 9.8, disclosed January 2025). The attack harvested VPN usernames, passwords, and one-time passcode seeds from the unpatched device, allowing attackers to bypass MFA even after the vulnerability was patched.

Once inside, the Akira ransomware gang — a Russian-speaking cybercriminal group that has systematically exploited SonicWall appliances since mid-2024 — deployed ransomware, encrypted systems, and exfiltrated large volumes of customer data before triggering the encryption payload.
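
As an added illustration (not part of the original article or of any vendor tooling), the sketch below audits a VPN account export for passwords and TOTP seeds that already existed while the appliance was unpatched, which is why patching alone does not close the exposure described above. The export format, field names, account data and patch timestamp are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample: a local-user export with hypothetical field names.
# None means the secret was never set or bound.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "password_set": "2025-03-02T10:00:00Z", "totp_bound": "2025-03-02T10:05:00Z"},
    {"user": "bob", "enabled": True, "password_set": "2025-09-01T08:00:00Z", "totp_bound": "2024-11-20T09:00:00Z"},
    {"user": "carol", "enabled": True, "password_set": "2025-09-01T08:30:00Z", "totp_bound": "2025-09-01T08:35:00Z"},
    {"user": "dave", "enabled": True, "password_set": "2025-09-02T12:00:00Z", "totp_bound": None},
    {"user": "svc-backup", "enabled": False, "password_set": "2023-01-15T00:00:00Z", "totp_bound": None},
]
PATCHED_AT = "2025-08-20T00:00:00Z"  # constructed: when the fixed firmware went live

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_secrets(account, patched_at):
    """List the secrets on one account that existed while the device was unpatched."""
    findings = []
    pw, seed = parse_ts(account["password_set"]), parse_ts(account["totp_bound"])
    if pw is None or pw <= patched_at:
        findings.append("password")    # unknown or pre-patch password: force a reset
    if seed is None:
        findings.append("no-mfa")      # nothing to rotate, but no second factor either
    elif seed <= patched_at:
        findings.append("totp-seed")   # the same seed still yields valid codes after the patch
    if findings and not account["enabled"]:
        findings.append("disabled")    # the stale secret comes back if the account is re-enabled
    return findings

def audit(accounts, patched_at_iso):
    """Map each account needing action to its findings; clean accounts are omitted."""
    patched_at = parse_ts(patched_at_iso)
    report = {}
    for acct in accounts:
        findings = stale_secrets(acct, patched_at)
        if findings:
            report[acct["user"]] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, PATCHED_AT).items():
        print(f"{user}: {', '.join(findings)}")
```

An account such as `bob`, whose password was reset after the patch but whose TOTP seed was not re-bound, is still flagged: both secrets have to be rotated for the account to be clean.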

Ransom Payment

Marquis almost certainly paid the ransom. A notification email from the Chief Compliance Officer of Community 1st Credit Union (later deleted) stated that "Marquis paid a ransomware shortly after 08/14/25." As of March 2026, no stolen data has appeared on dark web leak sites — consistent with payment and data deletion by the threat actor.

Delayed Disclosure

Marquis completed its investigation in late October 2025 but did not begin notifying affected financial institutions until the October 27 – November 25 window. Individual consumer notification letters did not go out until December 2025 — nearly four months after the breach occurred. Multiple cybersecurity and legal analysts noted this timeline potentially violated federal and state breach notification requirements.


Data Exposed

The following categories of sensitive information were stolen for each affected individual:

  • Full name
  • Physical address
  • Phone number
  • Date of birth
  • Social Security Number (SSN)
  • Taxpayer Identification Number (TIN)
  • Financial account information (account numbers)
  • Credit and debit card numbers (referenced in some institutional filings)

Scale of Impact

Affected Institutions (80 Total)

| Institution Type | Count | Named Examples |
|---|---|---|
| Banks | ~37 | Capital City Bank Group, Gateway First Bank, VeraBank (37,318 affected), TowneBank, IBERIABANK, Cape Cod Five |
| Credit Unions | ~43 | CoVantage CU (160,000 members), Maine State CU (38,334), Norway Savings Bank (51,000), Community 1st CU, Blaze CU |

State-level breach notifications were filed across Maine, Iowa, Texas, Massachusetts, New Hampshire, South Carolina, and Washington.

Geographic Distribution of Victims

| State | Consumers Affected |
|---|---|
| Texas | 354,289 |
| Massachusetts | 280,375 |
| Washington | 269,773 |
| South Carolina | 84,721 |
| Maine | 42,784 |
| Iowa | 10,730 |

Third-Party Risk: The Vendor Attack Surface

The Marquis breach is a textbook example of third-party supply chain risk in financial services. Marquis provided data analytics, CRM tools, digital marketing, and compliance reporting to over 700 banks and credit unions — meaning a single vendor compromise cascaded into data exposure for institutions serving hundreds of thousands of customers.

The core vulnerability: institutions trusted Marquis with sensitive customer data but had limited visibility into the vendor's security posture. The SonicWall appliance used as the attack entry point had been patched by the broader community months earlier but remained unpatched at Marquis — a common third-party risk scenario.


Recommendations

For Financial Institutions Using Third-Party Fintech Vendors

  • Mandate vendor security questionnaires that specifically require documented patch management SLAs for perimeter devices (VPNs, firewalls)
  • Include breach notification timelines in vendor contracts — require notification within 72 hours of confirmed breach per GDPR-style standards
  • Require evidence of MFA implementation that does not rely solely on one-time passcode seeds stored on VPN appliances
  • Require annual penetration testing for critical data processors

For Affected Consumers

  • Enroll in credit monitoring — Marquis is offering 12–24 months of complimentary credit monitoring and identity theft protection via Epiq Privacy Solutions ID
  • Place a credit freeze with all three major bureaus (Experian, Equifax, TransUnion) — SSNs and TINs were exposed
  • Monitor financial accounts for unauthorized transactions
  • Watch for phishing attempts — attackers may use stolen PII to craft targeted phishing campaigns

Key Takeaways

  1. Marquis Software Solutions suffered a ransomware attack on August 14, 2025 that exposed data of 672,000+ individuals at 80 US banks and credit unions — with the toll still rising as new state filings are discovered.
  2. The Akira ransomware gang (attributed) exploited an unpatched SonicWall SSL VPN vulnerability to harvest MFA seeds and bypass authentication.
  3. The absence of stolen data on leak sites is consistent with a ransom payment, but payment does not guarantee data destruction; affected individuals remain at risk.
  4. The ~4-month notification delay is drawing regulatory scrutiny and class action attention, with multiple law firms investigating on behalf of affected consumers.
  5. In February 2026, Marquis filed a lawsuit against SonicWall alleging gross negligence in failing to adequately patch or warn customers about the exploited vulnerability.
  6. The breach underscores the cascading blast radius of third-party fintech vendor compromises — one vendor breach affected 80 institutions and hundreds of thousands of their end customers.

Sources

  • Marquis: Ransomware gang stole data of 672K people in cyberattack — BleepingComputer
  • Marquis data breach impacts over 74 US banks, credit unions — BleepingComputer
  • Fintech firm Marquis alerts dozens of US banks and credit unions of a data breach — TechCrunch
  • Marquis breach toll rises to 80 banks, 824,000 consumers — American Banker
  • Two more banks notifying thousands of victims about Marquis Software ransomware attack — The Record