Marquis Data Breach Exposes 74+ US Banks and Credit Unions

Summary
– Marquis Software Solutions suffered a ransomware attack on August 14, 2025, which compromised the personal data of over 400,000 customers from 74 US banks and credit unions.
– The breach occurred via the company’s SonicWall firewall, and the stolen files contained sensitive information including names, Social Security numbers, and financial account details.
– A deleted notification suggests Marquis paid a ransom, though the company’s official statements report no evidence of the stolen data being misused or published.
– The attack is consistent with the tactics of the Akira ransomware gang, which exploits vulnerabilities in SonicWall VPNs to steal credentials and bypass multi-factor authentication.
– In response, Marquis has implemented enhanced security measures, including ensuring all firewalls are patched, enforcing multi-factor authentication, and applying geo-IP filtering.

A significant data breach at financial software provider Marquis Software Solutions has potentially exposed the sensitive personal information of hundreds of thousands of individuals. The incident, stemming from a ransomware attack in mid-August 2025, impacted over 74 banks and credit unions across the United States that rely on the company’s data analytics and digital marketing services. The compromised data includes highly sensitive details such as names, addresses, Social Security numbers, financial account information, and dates of birth.
According to official data breach notifications filed with multiple state authorities, hackers infiltrated the Marquis network through its SonicWall firewall. This unauthorized access allowed them to steal files containing personal information the company held on behalf of its business clients. While Marquis is handling notifications for the affected institutions, filings in states like Maine, Iowa, and Texas indicate the total number of impacted consumers exceeds 400,000.
The list of affected financial institutions is extensive, encompassing credit unions and banks from coast to coast. Notable names include 1st Northern California Credit Union, Bellwether Community Credit Union, Florida Credit Union, Gesa Credit Union, Suncoast Credit Union, and dozens of others. Marquis has stated there is currently no evidence that the stolen data has been misused or publicly released. However, a since-deleted filing from one credit union, Community 1st, suggested that Marquis paid a ransom following the attack, a common tactic to prevent the leaking of stolen information.
In response to the breach, Marquis has outlined a series of enhanced security measures. These steps provide clues about how the attackers likely gained entry. The company is now ensuring all firewall devices are fully patched, rotating local account passwords, and deleting unused accounts. Critically, it is enforcing multi-factor authentication for all firewall and VPN accounts, increasing log retention, and applying geo-IP filtering to restrict connections. Account lock-out policies for failed VPN logins and automatic blocking of known botnet servers are also part of the new protocol.
The specific security enhancements point toward a compromised VPN as the entry point. This aligns with known tactics of ransomware groups like Akira, which have actively targeted SonicWall firewalls. This particular gang has exploited vulnerabilities, such as CVE-2024-40766, to steal VPN credentials, including usernames, passwords, and even the seeds used to generate one-time passcodes for multi-factor authentication. Even after patches were released, many organizations failed to properly reset their VPN credentials, allowing attackers to reuse previously stolen data to access supposedly secured systems.
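An added example (not from the original article, and not Marquis's or any vendor's code): a small audit that applies the remediation steps above to a local VPN account inventory, flagging passwords and OTP seeds that predate the firewall patch, accounts without MFA, and unused accounts. The CSV column names, the sample rows, and the patch date are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical column names, not a vendor export format).
SAMPLE_INVENTORY = """\
account,password_changed,otp_seed_issued,last_login,mfa_enforced
alice,2025-09-02,2025-09-02,2025-11-20,yes
bob,2024-03-11,2025-09-02,2025-11-18,yes
carol,2025-09-03,2024-01-15,2025-11-19,yes
svc_backup,2023-06-01,,2024-12-30,no
"""

def _date(value):
    """Parse YYYY-MM-DD; an empty field means 'never'."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None

def audit_accounts(inventory_csv, patched_on, as_of, stale_after_days=90):
    """Return {account: [findings]} for accounts that still need action."""
    patched, today = _date(patched_on), _date(as_of)
    stale_cutoff = today - timedelta(days=stale_after_days)
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        pw = _date(row["password_changed"])
        seed = _date(row["otp_seed_issued"])
        last = _date(row["last_login"])
        # Secrets that predate the patch may have been stolen while the device was vulnerable.
        if pw is None or pw < patched:
            findings.append("password not rotated since patch")
        if seed is not None and seed < patched:
            findings.append("OTP seed not re-issued since patch")
        if row["mfa_enforced"].strip().lower() != "yes":
            findings.append("MFA not enforced")
        if last is None or last < stale_cutoff:
            findings.append("unused account: delete or disable")
        if findings:
            report[row["account"]] = findings
    return report

if __name__ == "__main__":
    # Patch date and audit date are constructed values.
    for name, issues in audit_accounts(SAMPLE_INVENTORY, "2025-09-01", "2025-12-01").items():
        print(f"{name}: {'; '.join(issues)}")
```
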
Once inside a network through the VPN, groups like Akira move rapidly. They conduct network scans, perform reconnaissance, and work to gain elevated privileges within systems like Windows Active Directory. This access enables them to exfiltrate large volumes of data before finally deploying ransomware to encrypt files. The Marquis incident serves as a stark reminder of the persistent threats facing third-party vendors in the financial sector and the cascading risk they pose to their clients’ customers. Financial institutions are now tasked with notifying their members and guiding them on steps to protect themselves from potential identity theft and fraud.
(Source: Bleeping Computer)



