Ransomware Breach at Marquis Software Solutions Exposes Bank Customer Data
Marquis Software Solutions, a provider of marketing and compliance software to over 700 banks and credit unions, experienced a significant data breach after ransomware attackers exploited a vulnerability in its SonicWall firewall. The breach, detected on August 14, allowed attackers to access files containing sensitive information stored by Marquis on behalf of its financial institution clients, potentially exposing the personal data of at least 250,000 individuals.
The compromised data may include names, addresses, phone numbers, dates of birth, Social Security numbers, tax identification numbers, and financial account information. Marquis Software stated that the incident was limited to its own environment, but the breach has affected multiple financial institutions whose customer data was managed by the vendor. The company is working with digital forensic investigators to assess the full scope of the breach and has notified affected parties accordingly.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Marquis discloses post-breach security hardening measures
Following the breach, Marquis said it patched firewalls, enforced multifactor authentication, restricted VPN access, and applied additional controls such as geo-IP filtering. These measures were disclosed publicly as part of the company's response to reduce future risk.
Marquis begins notifying affected individuals and offers credit monitoring
By 2025-12-04, Marquis had begun notifying affected consumers directly about the exposure of personal and financial information. The company said it had no evidence of misuse at that time and offered free credit monitoring and identity theft protection.
State breach filings reveal growing customer impact across institutions
By early December 2025, breach notices filed with multiple state attorneys general showed the incident had spread across at least 74 banks and credit unions. Reported victim counts rose from at least 250,000 people to more than 400,000, then 721,000 and over 780,000 as additional institutions disclosed impacts.
Marquis starts notifying affected financial institutions
Between late October and late November 2025, Marquis notified affected banks and credit unions that customer data had been exposed in the breach. Early disclosures indicated the incident affected dozens of U.S. financial institutions served by the vendor.
Marquis detects the ransomware attack and begins investigation
Marquis identified the attack on the same day it occurred and launched an investigation into the compromise. The company also engaged cybersecurity experts and notified federal authorities, according to later disclosures.
Attackers exploit Marquis SonicWall firewall and breach its network
On 2025-08-14, attackers exploited a vulnerability in Marquis Software Solutions' SonicWall firewall and gained unauthorized access to the company's network. The intrusion led to a ransomware incident and theft of files from Marquis systems.
Sources
7 references tracked.
Fintech firm Marquis notifies affected business after ransomware breach
reuters.com
Marquis data breach impacts over 74 US banks, credit unions
databreaches.net
Marquis data breach impacted more than 780,000 individuals
securityaffairs.com
The Marquis Software Data Breach: What It Means For Banks, Credit Unions, And Their Customers
socradar.io
Marketing and Compliance Software Vendor to Banks Breached
bankinfosecurity.com
Marquis data breach impacts over 74 US banks, credit unions
bleepingcomputer.com
Marketing and Compliance Software Vendor to Banks Breached
govinfosecurity.com


