Marquis links its ransomware breach to stolen SonicWall cloud firewall backups
Texas-based financial services provider Marquis Software Solutions told customers that its August 2025 ransomware incident—impacting Marquis systems used by dozens of U.S. banks and credit unions—was enabled by a prior compromise of SonicWall’s cloud services. Marquis said its third-party investigation concluded attackers obtained sensitive firewall information from SonicWall and used it to circumvent Marquis’ firewall, leading to theft of customers’ personal and financial data.
Marquis stated it had stored a backup of its firewall configuration in SonicWall’s cloud, and that the stolen configuration/backup data provided the credentials or details needed to facilitate the intrusion. SonicWall had publicly disclosed unauthorized access to its MySonicWall online customer portal / cloud backup service and initially reported that fewer than 5% of customers were affected, later updating that the exposure was broader (including firewall configuration data and related credentials/tokens). Marquis said it is evaluating options with its firewall provider, including seeking recoupment/compensation for incident-response costs incurred by Marquis and its customers.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Marquis begins breach notifications as SonicWall disputes linkage
On January 29, 2026, reports said Marquis had started notifying hundreds of thousands of affected individuals and was considering seeking recovery of incident-response costs from SonicWall. SonicWall disputed that any connection between its September 2025 breach and Marquis' ransomware incident had been established.
Marquis tells customers SonicWall breach enabled its August ransomware incident
By January 2026, Marquis informed customers that a third-party investigation concluded attackers likely used firewall configuration data stolen from SonicWall's cloud backup service to bypass Marquis' firewall. Marquis said the investigation ruled out an unpatched SonicWall flaw as the likely intrusion path.
SonicWall expands scope of cloud backup breach to all backup-service customers
In October 2025, SonicWall updated its earlier disclosure and said all customers using its cloud backup service were affected. The company clarified that firewall configuration data and credentials had been accessed.
Huntress observes campaign compromising 100+ SonicWall SSLVPN accounts
Around the same period, Huntress reported a campaign that compromised more than 100 SonicWall SSLVPN accounts using stolen valid credentials. Huntress said it found no evidence tying those compromises to the cloud-backup breach.
Akira-attributed attacks hit SonicWall VPN accounts
In late September 2025, separate attacks attributed to the Akira ransomware gang targeted MFA-protected SonicWall VPN accounts. SonicWall said these attacks were unrelated to the MySonicWall cloud backup breach.
SonicWall links portal breach to state-sponsored hackers
Following investigation of the MySonicWall incident, SonicWall said a Mandiant investigation found evidence connecting the portal breach to state-sponsored hackers. SonicWall also warned that stolen credentials or tokens could make it significantly easier to compromise affected customers' firewalls.
SonicWall discloses MySonicWall cloud backup breach
In September 2025, SonicWall disclosed unauthorized access to its MySonicWall customer portal affecting users of its cloud backup service. The company initially said about 5% of cloud-backup users were impacted.
Marquis suffers ransomware attack affecting banks and credit unions
In August 2025, Marquis Software Solutions experienced a ransomware incident that impacted dozens of U.S. banks and credit unions. Attackers stole customer personal and financial data, including Social Security numbers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Marquis Software Solutions breach pinned on SonicWall hack | SC Media
scworld.com
Open sourceFintech firm Marquis blames hack at firewall provider SonicWall for its data breach | TechCrunch
techcrunch.com
Open sourceMarquis blames ransomware breach on SonicWall cloud backup hack
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Marquis Lawsuit Alleges SonicWall Firewall Backup Breach Enabled Ransomware Intrusion
Fintech firm **Marquis** filed a lawsuit in the U.S. District Court for the Eastern District of Texas seeking a jury trial, alleging that security failures in **SonicWall’s firewall cloud backup service** enabled threat actors to later compromise Marquis and deploy ransomware. The complaint claims a **2025 breach at SonicWall** exposed sensitive customer firewall configuration backup files, giving attackers detailed insight into how Marquis and other customers configured their perimeter defenses and providing a “blueprint” to bypass them. Marquis alleges the stolen backup data included emergency administrative access credentials ("**scratch codes**"), which were used to gain access to Marquis’ internal network, disrupt operations with ransomware, and exfiltrate sensitive data. Marquis stated the incident caused significant operational, reputational, and financial harm, and reported that attackers accessed **personally identifiable information** tied to customers of some of Marquis’ financial-institution clients, including data elements such as names, dates of birth, postal addresses, and financial information.
Mar 21, 2026
Marquis Discloses Ransomware Breach Affecting 672,000 Banking Customers
**Marquis**, a Texas-based fintech and services provider to hundreds of U.S. banks, disclosed that an **August 2025 ransomware attack** exposed the personal and financial data of **672,075 individuals**. Stolen information included names, dates of birth, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, and bank, debit, and credit card details. The company said the intrusion disrupted operations at **74 banks**, while maintaining that the incident was limited to Marquis systems and did not directly impact customer bank environments. Reporting indicates the attackers gained access after compromising a **SonicWall firewall**, and Marquis has alleged in litigation that weaknesses tied to SonicWall allowed threat actors to obtain firewall configuration backup files and use them to breach its network, steal data, and deploy ransomware. The newly filed breach notices provide the clearest accounting so far of the scale of the incident, with a large share of affected individuals located in Texas, and connect the attack to broader concerns around credential and token exposure following SonicWall's earlier security disclosure.
Mar 20, 2026
Ransomware Breach at Marquis Software Solutions Exposes Bank Customer Data
Marquis Software Solutions, a provider of marketing and compliance software to over 700 banks and credit unions, experienced a significant data breach after ransomware attackers exploited a vulnerability in its SonicWall firewall. The breach, detected on August 14, allowed attackers to access files containing sensitive information stored by Marquis on behalf of its financial institution clients, potentially exposing the personal data of at least 250,000 individuals. The compromised data may include names, addresses, phone numbers, dates of birth, Social Security numbers, tax identification numbers, and financial account information. Marquis Software stated that the incident was limited to its own environment, but the breach has affected multiple financial institutions whose customer data was managed by the vendor. The company is working with digital forensic investigators to assess the full scope of the breach and has notified affected parties accordingly.
Mar 21, 2026