Marquis Discloses Ransomware Breach Affecting 672,000 Banking Customers
Marquis, a Texas-based fintech and services provider to hundreds of U.S. banks, disclosed that an August 2025 ransomware attack exposed the personal and financial data of 672,075 individuals. Stolen information included names, dates of birth, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, and bank, debit, and credit card details. The company said the intrusion disrupted operations at 74 banks, while maintaining that the incident was limited to Marquis systems and did not directly impact customer bank environments.
Reporting indicates the attackers gained access after compromising a SonicWall firewall, and Marquis has alleged in litigation that weaknesses tied to SonicWall allowed threat actors to obtain firewall configuration backup files and use them to breach its network, steal data, and deploy ransomware. The newly filed breach notices provide the clearest accounting so far of the scale of the incident, with a large share of affected individuals located in Texas, and connect the attack to broader concerns around credential and token exposure following SonicWall's earlier security disclosure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Marquis discloses 672,075 people had data stolen
By 2026-03-18, Marquis filed breach notices with Maine and Texas authorities stating that 672,075 individuals were affected. The stolen data included highly sensitive personal and financial information such as names, dates of birth, addresses, Social Security numbers, taxpayer IDs, bank account details, and payment card numbers.
Marquis sues SonicWall over alleged role in ransomware attack
In February 2026, Marquis filed a lawsuit against SonicWall alleging gross negligence, misrepresentation, and security failings related to firewall configuration backup files. Marquis said SonicWall's conduct enabled the attack and caused significant business, legal, and remediation harm.
SonicWall discloses security breach tied to Marquis intrusion
On 2025-09-17, SonicWall disclosed a security breach that Marquis later linked to the compromise of a SonicWall firewall used in the August attack. Marquis alleged the firewall issue enabled attackers to access its network.
Ransomware attack hits Marquis systems
On 2025-08-14, attackers compromised Marquis Software Solutions' environment, stole data, and deployed ransomware. The incident disrupted operations at 74 U.S. banks that relied on Marquis services, though Marquis said customer systems were not directly breached.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
French aircraft carrier location exposed by sailor’s Strava activity | brief | SC Media
scworld.com
Open sourceMarquis breach toll surpasses 670K | brief | SC Media
scworld.com
Open sourceMarquis says over 672,000 people had personal and financial data stolen in ransomware attack | TechCrunch
techcrunch.com
Open sourceMarquis: Ransomware gang stole data of 672K people in cyberattack
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware Breach at Marquis Software Solutions Exposes Bank Customer Data
Marquis Software Solutions, a provider of marketing and compliance software to over 700 banks and credit unions, experienced a significant data breach after ransomware attackers exploited a vulnerability in its SonicWall firewall. The breach, detected on August 14, allowed attackers to access files containing sensitive information stored by Marquis on behalf of its financial institution clients, potentially exposing the personal data of at least 250,000 individuals. The compromised data may include names, addresses, phone numbers, dates of birth, Social Security numbers, tax identification numbers, and financial account information. Marquis Software stated that the incident was limited to its own environment, but the breach has affected multiple financial institutions whose customer data was managed by the vendor. The company is working with digital forensic investigators to assess the full scope of the breach and has notified affected parties accordingly.
Mar 21, 2026
Marquis links its ransomware breach to stolen SonicWall cloud firewall backups
Texas-based financial services provider **Marquis Software Solutions** told customers that its August 2025 ransomware incident—impacting Marquis systems used by dozens of U.S. banks and credit unions—was enabled by a prior compromise of **SonicWall’s** cloud services. Marquis said its third-party investigation concluded attackers obtained sensitive firewall information from SonicWall and used it to **circumvent Marquis’ firewall**, leading to theft of customers’ personal and financial data. Marquis stated it had stored a backup of its firewall configuration in SonicWall’s cloud, and that the stolen configuration/backup data provided the credentials or details needed to facilitate the intrusion. SonicWall had publicly disclosed unauthorized access to its **MySonicWall** online customer portal / cloud backup service and initially reported that fewer than **5%** of customers were affected, later updating that the exposure was broader (including firewall configuration data and related credentials/tokens). Marquis said it is evaluating options with its firewall provider, including seeking **recoupment/compensation** for incident-response costs incurred by Marquis and its customers.
Mar 21, 2026
Marquis Lawsuit Alleges SonicWall Firewall Backup Breach Enabled Ransomware Intrusion
Fintech firm **Marquis** filed a lawsuit in the U.S. District Court for the Eastern District of Texas seeking a jury trial, alleging that security failures in **SonicWall’s firewall cloud backup service** enabled threat actors to later compromise Marquis and deploy ransomware. The complaint claims a **2025 breach at SonicWall** exposed sensitive customer firewall configuration backup files, giving attackers detailed insight into how Marquis and other customers configured their perimeter defenses and providing a “blueprint” to bypass them. Marquis alleges the stolen backup data included emergency administrative access credentials ("**scratch codes**"), which were used to gain access to Marquis’ internal network, disrupt operations with ransomware, and exfiltrate sensitive data. Marquis stated the incident caused significant operational, reputational, and financial harm, and reported that attackers accessed **personally identifiable information** tied to customers of some of Marquis’ financial-institution clients, including data elements such as names, dates of birth, postal addresses, and financial information.
Mar 21, 2026