Marquis Lawsuit Alleges SonicWall Firewall Backup Breach Enabled Ransomware Intrusion
Fintech firm Marquis filed a lawsuit in the U.S. District Court for the Eastern District of Texas seeking a jury trial, alleging that security failures in SonicWall’s firewall cloud backup service enabled threat actors to later compromise Marquis and deploy ransomware. The complaint claims a 2025 breach at SonicWall exposed sensitive customer firewall configuration backup files, giving attackers detailed insight into how Marquis and other customers configured their perimeter defenses and providing a “blueprint” to bypass them.
Marquis alleges the stolen backup data included emergency administrative access credentials ("scratch codes"), which were used to gain access to Marquis’ internal network, disrupt operations with ransomware, and exfiltrate sensitive data. Marquis stated the incident caused significant operational, reputational, and financial harm, and reported that attackers accessed personally identifiable information tied to customers of some of Marquis’ financial-institution clients, including data elements such as names, dates of birth, postal addresses, and financial information.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
SonicWall disputes link between its breach and Marquis attack
After the lawsuit was filed, SonicWall said it was aware of Marquis' claims but had not found technical evidence connecting the MySonicWall incident to the later ransomware attack. The company said it would defend against what it described as unsubstantiated allegations.
Marquis files lawsuit against SonicWall in Texas
On February 23, 2026, Marquis filed suit against SonicWall in the U.S. District Court for the Eastern District of Texas. The complaint alleges gross negligence, misrepresentation, and security failings in SonicWall's cloud backup service that enabled the later ransomware attack on Marquis.
Marquis links its breach to SonicWall backup theft
In January 2026, Marquis says it determined its August 2025 intrusion was not caused by an unpatched firewall vulnerability but by attackers leveraging configuration data stolen from SonicWall's cloud backup infrastructure. Reporting also says Mandiant attributed the attack to state-sponsored hackers.
Marquis begins notifying individuals affected by August breach
In December 2025, Marquis started notifying affected individuals about the August 2025 network breach. A Texas attorney general listing later indicated at least 400,000 people were affected, with the total expected to rise.
SonicWall revises breach scope to all customers
On October 8, 2025, SonicWall updated its assessment and said all customers' firewall backup files had been stolen, not just a small subset. This broader disclosure became central to Marquis' claim that SonicWall misrepresented the incident's scope.
SonicWall discloses cloud backup breach with limited impact estimate
On September 17, 2025, SonicWall publicly disclosed the MySonicWall cloud backup breach and initially said fewer than 5% of customer firewall configuration backup files were exfiltrated. Marquis later claimed this disclosure understated the true scope of the incident.
Marquis network breached in ransomware attack
On August 14, 2025, attackers allegedly used data stolen from SonicWall backups to compromise Marquis' network, bypass MFA, deploy ransomware, and steal sensitive personal and financial information. Marquis says the incident disrupted operations affecting 74 U.S. banks and exposed data tied to customers of its banking and credit-union clients.
Attackers steal SonicWall customer firewall backup files
SonicWall's MySonicWall cloud backup environment was breached in 2025, resulting in theft of customer firewall configuration backup files. Marquis later alleged the stolen backups included credentials and other data that could be used to bypass protections on downstream customer networks.
SonicWall API change allegedly introduces backup access weakness
Marquis alleges SonicWall made an API code change in February 2025 that created an authentication flaw in the MySonicWall cloud backup service. According to the complaint, attackers could download firewall configuration backups by guessing predictable device serial numbers, and the backups contained sensitive data including MFA scratch codes.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Marquis v. SonicWall Lawsuit Ups the Breach Blame Game
darkreading.com
Open sourceteiss - News - Marquis Software Solutions sues SonicWall over ransomware breach impacting 74 US banks
teiss.co.uk
Open sourceMarquis Sues SonicWall Over 2025 Ransomware Attack
thecyberexpress.com
Open sourceMarquis Sues SonicWall Over 2025 Firewall Data Breach
bankinfosecurity.com
Open sourceMarquis sues SonicWall over backup breach that led to ransomware attack
bleepingcomputer.com
Open sourceMarquis Sues SonicWall Over 2025 Firewall Data Breach
govinfosecurity.com
Open sourceMarquis sues firewall provider SonicWall, alleges security failings with its firewall backup led to ransomware attack | TechCrunch
techcrunch.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Marquis links its ransomware breach to stolen SonicWall cloud firewall backups
Texas-based financial services provider **Marquis Software Solutions** told customers that its August 2025 ransomware incident—impacting Marquis systems used by dozens of U.S. banks and credit unions—was enabled by a prior compromise of **SonicWall’s** cloud services. Marquis said its third-party investigation concluded attackers obtained sensitive firewall information from SonicWall and used it to **circumvent Marquis’ firewall**, leading to theft of customers’ personal and financial data. Marquis stated it had stored a backup of its firewall configuration in SonicWall’s cloud, and that the stolen configuration/backup data provided the credentials or details needed to facilitate the intrusion. SonicWall had publicly disclosed unauthorized access to its **MySonicWall** online customer portal / cloud backup service and initially reported that fewer than **5%** of customers were affected, later updating that the exposure was broader (including firewall configuration data and related credentials/tokens). Marquis said it is evaluating options with its firewall provider, including seeking **recoupment/compensation** for incident-response costs incurred by Marquis and its customers.
Mar 21, 2026
Marquis Discloses Ransomware Breach Affecting 672,000 Banking Customers
**Marquis**, a Texas-based fintech and services provider to hundreds of U.S. banks, disclosed that an **August 2025 ransomware attack** exposed the personal and financial data of **672,075 individuals**. Stolen information included names, dates of birth, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, and bank, debit, and credit card details. The company said the intrusion disrupted operations at **74 banks**, while maintaining that the incident was limited to Marquis systems and did not directly impact customer bank environments. Reporting indicates the attackers gained access after compromising a **SonicWall firewall**, and Marquis has alleged in litigation that weaknesses tied to SonicWall allowed threat actors to obtain firewall configuration backup files and use them to breach its network, steal data, and deploy ransomware. The newly filed breach notices provide the clearest accounting so far of the scale of the incident, with a large share of affected individuals located in Texas, and connect the attack to broader concerns around credential and token exposure following SonicWall's earlier security disclosure.
Mar 20, 2026
Ransomware Breach at Marquis Software Solutions Exposes Bank Customer Data
Marquis Software Solutions, a provider of marketing and compliance software to over 700 banks and credit unions, experienced a significant data breach after ransomware attackers exploited a vulnerability in its SonicWall firewall. The breach, detected on August 14, allowed attackers to access files containing sensitive information stored by Marquis on behalf of its financial institution clients, potentially exposing the personal data of at least 250,000 individuals. The compromised data may include names, addresses, phone numbers, dates of birth, Social Security numbers, tax identification numbers, and financial account information. Marquis Software stated that the incident was limited to its own environment, but the breach has affected multiple financial institutions whose customer data was managed by the vendor. The company is working with digital forensic investigators to assess the full scope of the breach and has notified affected parties accordingly.
Mar 21, 2026