Marquis Software Solutions
A single firewall vulnerability cascaded through 74 banks and credit unions. Seven months to disclose.
What happened?
On August 14, 2025, attackers compromised a SonicWall firewall at Marquis Software Solutions and deployed ransomware. Marquis provides data analytics and CRM services to over 700 U.S. banks and credit unions. The breach wasn't disclosed until March 2026—seven months later. By then, 74 downstream financial institutions had been disrupted, and 672,000 individuals had their data stolen.
Marquis subsequently sued SonicWall, alleging security failures enabled the compromise.
What data was actually inside?
Names, dates of birth, Social Security numbers, and financial account information. This is the complete identity theft package: everything an attacker needs to open accounts, file fraudulent tax returns, or drain existing accounts.
The data came from 74 banks and credit unions—each with their own customer base, all aggregated in Marquis's systems.
Who gets hurt and how?
672,000 banking customers. They didn't choose Marquis as their vendor—they chose their local bank or credit union. Their bank chose Marquis. Now their Social Security numbers and financial data are in attacker hands because of a vulnerability in a third-party's firewall.
The seven-month delay in disclosure compounds the harm: attackers had seven months to exploit the data before victims were warned.
What did they think they were doing right?
Marquis serves 700+ financial institutions. They're trusted with some of the most sensitive data in the financial system. They had a firewall—SonicWall, an enterprise-grade product. They had security controls appropriate for handling bank data. They were audited. They were compliant.
The firewall was the perimeter. They trusted the perimeter.
What did they not know about their own data?
Marquis didn't know—or didn't act on knowing—that a single firewall compromise could expose data from 74 downstream customers. They didn't know that SSNs and financial data from hundreds of thousands of banking customers were accessible through one entry point. They didn't know their network architecture made one vulnerability catastrophic.
The lawsuit against SonicWall suggests they're blaming the vendor. But the data was theirs to protect.
What does attribution look like the morning after?
Marquis had to notify 74 banks and credit unions. Each of those institutions had to notify their own customers. 672,000 notification letters. Multiple state attorneys general involved. Multiple regulatory bodies asking questions. A lawsuit filed against SonicWall.
The seven-month delay will face scrutiny. State breach notification laws require timely disclosure. Seven months is not timely.
What would have changed the outcome?
Knowing what sensitive data is accessible from each entry point.
If Marquis had mapped their data—SSNs, financial accounts, customer records—against their network architecture, they would have seen that a single firewall protected data from 74 institutions. They might have added segmentation. They might have prioritized that firewall differently. They would have known the blast radius before the explosion.
Don't Learn What You Have From an Attacker
Marquis didn't know what data was at risk until attackers showed them—and 74 banks. Risk Finder shows you first.
Start Your Risk Assessment