Marquis, a Plano, Texas-based fintech company providing customer data analytics and marketing compliance tools to hundreds of community and regional banks, has confirmed that a ransomware attack from August 2025 exposed the personal and financial data of at least 672,075 people. The disclosure, filed with Maine's attorney general, represents the most complete picture yet of the breach's scope. More than half of those affected live in Texas. Marquis has since sued its firewall provider SonicWall, alleging that a prior security failure in SonicWall's products directly enabled the intrusion.
What Happened
In August 2025, attackers compromised Marquis's internal network, exfiltrated sensitive customer data from its banking analytics platform, and deployed ransomware. The attack chain began with a compromise of SonicWall firewall products used by Marquis. Hackers exploited a vulnerability in SonicWall's systems to steal Marquis's firewall configuration backup files, which contained enough operational detail to let attackers re-enter Marquis's network and move laterally to its customer data stores.
Marquis's lawsuit against SonicWall, filed in February 2026, alleges that the firewall vendor created a vulnerability that allowed the backup exfiltration and failed to adequately disclose or remediate it. The case is ongoing. No ransomware group has publicly claimed responsibility for the attack.
The breach went unreported publicly until Marquis began filing breach notifications with state regulators in March 2026, more than six months after the August 2025 attack.
What Was Taken
Attackers accessed Marquis's platform data covering customers of its banking clients. Data exfiltrated includes:
- Full names
- Dates of birth
- Postal addresses
- Bank account numbers
- Debit and credit card numbers
- Social Security numbers
Marquis's platform processes this data on behalf of community and regional banks for customer analytics, segmentation, and marketing compliance purposes. Affected individuals may be customers of any bank using Marquis's services; they have no direct relationship with Marquis itself, which makes the vendor risk invisible to end consumers.
Why It Matters
This is a textbook third-party vendor risk event with cascading exposure across the US community banking sector. A single point of compromise, a fintech serving hundreds of financial institutions, translated into breach notifications for 672,075 people across multiple states. The same dynamic drove the MOVEit and Snowflake breaches: attackers target the shared infrastructure layer rather than individual institutions.
The Social Security number exposure elevates this beyond a typical payment card breach. SSNs combined with financial account data create a high-value package for identity theft, fraudulent account opening, and social engineering attacks on banking customers. Unlike card numbers, SSNs cannot be changed.
The SonicWall angle introduces a second-order risk that applies broadly. Security infrastructure (firewalls, VPN appliances, network management tools) is itself a target. Firewall configuration backups, if compromised, provide attackers a roadmap of the victim's defenses. Organizations should treat firewall config backups with the same sensitivity as credential stores.
The six-month gap between the August 2025 attack and the March 2026 notifications is also notable. Whether the cause was delayed discovery or delayed disclosure, affected individuals spent months exposed without any ability to take protective action.
The Attack Technique
The confirmed attack vector is a compromise of the backup files for the SonicWall firewalls Marquis used, files that SonicWall allegedly failed to protect adequately. The full attack chain, based on the SonicWall lawsuit and Marquis's public notifications:
- Initial access via SonicWall vulnerability: attackers exploited a flaw in SonicWall infrastructure to obtain Marquis's firewall configuration backup files in a prior incident.
- Network re-entry using stolen config data: attackers used the firewall configuration intelligence to identify access pathways into Marquis's network and bypass perimeter controls.
- Lateral movement and data staging: attackers identified and staged customer data held on behalf of Marquis's banking clients.
- Data exfiltration: customer PII and financial data extracted before ransomware deployment.
- Ransomware deployment: encryption of Marquis systems following exfiltration.
This sequence, where a security vendor's own compromise becomes the vector into a customer's network, is a recurring and underappreciated threat pattern. The SonicWall lawsuit may be the first high-profile attempt to hold a security vendor financially liable for this class of downstream harm.
What Organizations Should Do
- Audit your vendor inventory for shared analytics and marketing platforms. Community and regional banks using third-party data analytics or marketing tools should identify which vendors hold customer PII and what security controls apply. Request SOC 2 reports, penetration test results, and incident response SLAs.
- Treat security infrastructure as a target, not a control. Firewall config backups, VPN credentials, and network management tool access should be classified as sensitive assets with restricted access, encrypted storage, and separate audit logging. Rotate configurations after any suspected vendor compromise.
- Enforce breach notification timelines. The August 2025 to March 2026 gap represents a material window where affected customers had no ability to act. Organizations should review their detection and notification workflows to ensure regulatory timelines are met, and build internal escalation processes that don't depend on a vendor self-reporting.
- Notify and protect affected customers proactively. Banks whose customers are affected should consider proactive outreach (fraud monitoring enrollment, account monitoring alerts, credit monitoring offers) without waiting for customers to self-identify exposure.
- Monitor the SonicWall litigation for precedent. If Marquis prevails, this case establishes that security vendors can face meaningful liability for downstream breaches caused by their own product failures. Security procurement decisions should begin incorporating vendor liability posture as a selection criterion.
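One way to check the "restricted access, encrypted storage" recommendation for firewall config backups on a Linux backup host, as an added example that is not code from Marquis, SonicWall or the cited sources. The file names, sample contents and the 7.5 bits-per-byte entropy threshold are assumptions chosen for illustration.

```python
import math
import os
import stat
import tempfile
from collections import Counter

ENTROPY_MIN = 7.5  # assumed threshold in bits/byte; raw ciphertext sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def audit_backup(path: str, sample_size: int = 65536) -> list:
    """Return findings for one backup file; an empty list means it passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:03o} grants group/other access")
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if shannon_entropy(sample) < ENTROPY_MIN:
        findings.append("low entropy: content does not look encrypted")
    return findings

def audit_directory(root: str) -> dict:
    """Walk root and map each failing file path to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if findings := audit_backup(full):
                report[full] = findings
    return report

def demo() -> dict:
    """Audit two constructed sample backups: one weak, one hardened."""
    root = tempfile.mkdtemp()
    weak, good = (os.path.join(root, n) for n in ("fw-plain.cfg", "fw-sealed.bin"))
    with open(weak, "wb") as fh:
        fh.write(b"vpn-policy name=site-a psk=EXAMPLE\n" * 200)  # constructed
    os.chmod(weak, 0o644)
    with open(good, "wb") as fh:
        fh.write(os.urandom(65536))  # random bytes stand in for ciphertext
    os.chmod(good, 0o600)
    return {os.path.basename(p): f for p, f in audit_directory(root).items()}

if __name__ == "__main__": print(demo())
```

High entropy does not prove encryption, since compressed archives score similarly, so the check only catches backups stored as obvious plaintext or encoded text.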
Sources
- TechCrunch: Marquis says over 672,000 people had personal and financial data stolen in ransomware attack
- TechCrunch: Marquis sues firewall provider SonicWall, alleges security failings led to ransomware attack
- Rankiteo: Marquis Ransomware Attack Exposes 672K Social Security Numbers
- SBS Cyber: Vendor Risk Lessons from the Marquis Data Breach