TL;DR
- Marquis Software Solutions, a digital marketing and data analytics vendor serving 700+ financial institutions, was breached on August 14, 2025 via a critical SonicWall firewall vulnerability (CVE-2024-40766, CVSS 9.3) — exposing SSNs, financial account data, and personal information for up to 1.35 million people [1][3].
- 74–80+ community banks and credit unions are confirmed affected, with 823,548 victims across state AG filings and the number still climbing [1][3].
- The suspected Akira ransomware group carried out the attack, and Marquis allegedly paid the ransom — a detail revealed in a since-deleted credit union filing [1].
- Notifications didn't reach victims until four months after the breach, and Marquis's post-incident remediation — EDR deployment, infrastructure rebuilds, password rotation — represents basic security hygiene that should have been in place before the incident [1][8].
What Happened in the Marquis Software Solutions Breach?
On August 14, 2025, attackers compromised the network of Marquis Software Solutions, a Plano, Texas-based digital marketing and data analytics firm that serves over 700 banks, credit unions, and mortgage lenders across the United States. According to filings with the Maine Attorney General's office, 672,075 individuals were affected in that state alone, with cross-state filings pushing the confirmed total to 823,548 and estimates suggesting the real number could reach 1.35 million [1][3].
The data exposed is as damaging as it gets in the financial sector: full names, Social Security numbers, physical addresses, phone numbers, dates of birth, and financial account information. For community banks and credit unions that trusted Marquis with their customer data, this breach didn't originate inside their own walls — it came through a vendor they may never have subjected to rigorous security assessment [1][2].
How Did Attackers Get In? The SonicWall Vulnerability Explained
The intrusion vector was CVE-2024-40766, a critical access control vulnerability in SonicWall's SonicOS firmware carrying a CVSS score of 9.3 out of 10. This flaw allows unauthenticated remote attackers to gain access to firewall management interfaces and, in some configurations, pivot directly into the protected network [6].
This wasn't an obscure zero-day. SonicWall issued patches, and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog — a list that exists specifically to tell organizations "patch this now or assume you will be compromised." SonicWall products have appeared on the KEV catalog 14 times, with 8 of those entries confirmed as leveraged in ransomware campaigns [4][6]. Arctic Wolf Labs documented threat actors actively harvesting VPN credentials through SonicWall vulnerabilities throughout 2025 [7].
The suspected threat actor is the Akira ransomware group, a prolific operation known for targeting mid-market organizations through VPN and firewall vulnerabilities. Marquis allegedly paid the ransom — a detail that surfaced in a Community 1st Credit Union regulatory filing before being scrubbed [1].
Why Did It Take Four Months to Notify Victims?
The breach occurred on August 14, 2025. Notification letters didn't start reaching affected individuals until December 2025 — a full four months later [1][3]. For victims whose Social Security numbers and financial account details were circulating in criminal hands, those four months represent an eternity of unmonitored exposure.
Delayed notification is a systemic problem in third-party breaches. The vendor needs time to investigate, then the affected institutions need time to assess their own exposure, and legal teams on all sides negotiate disclosure language. But IBM's 2025 Cost of a Data Breach Report found that the average breach lifecycle — from compromise to containment — is already 277 days. Adding notification delays on top of that extends the window in which stolen data can be weaponized for identity theft, account takeover, and fraud [8].
What Does the Remediation Tell Us About Marquis's Security Posture?
The remediation measures Marquis disclosed after the breach are revealing — not for their thoroughness, but for what they imply was missing before August 14. According to breach notifications, Marquis deployed endpoint detection and response (EDR) tools, rebuilt infrastructure, rotated passwords, and implemented IP filtering [1].
Every one of those measures is considered baseline security hygiene in 2025. EDR isn't optional for an organization processing sensitive financial data for hundreds of institutions. Infrastructure hardening, credential rotation policies, and network segmentation should be in place before an attacker forces the conversation. The fact that these were remediation steps, not pre-existing controls, suggests a security posture that hadn't kept pace with the sensitivity of the data Marquis was entrusted to handle [8][10].
Marquis filed a lawsuit against SonicWall in February 2026, arguing that the firewall vendor's product defect enabled the breach [1]. While the merits of that case will play out in court, it doesn't change the underlying reality: organizations are responsible for the security of their own environments, including patching known vulnerabilities in the products they deploy.
Why Should Third-Party Vendor Risk Keep You Up at Night?
Cybersecurity researcher Noelle Murata of Xcape captured the core problem: "A single mid-tier vendor sitting in the data flow of numerous banks can instantly create a blast radius on a national scale" [1]. Marquis wasn't a household name. It wasn't a Tier 1 technology provider with a dedicated security operations center. It was a marketing and analytics firm — the kind of vendor that often flies under the radar in third-party risk assessments.
The Ponemon Institute's 2025 Third-Party Risk Management Study found that over 60% of organizations have experienced a data breach caused by a third party, yet fewer than half conduct thorough security assessments of their vendors before granting data access [10]. The Marquis breach is a textbook example of concentrated risk: one vendor, one unpatched firewall, 80+ institutions compromised, and over a million people exposed.
This pattern repeats across industries. The Navia Benefits data breach, disclosed just days before Marquis's story broke, affected 2.7 million people through a similar third-party compromise [2]. Krebs on Security has documented an accelerating trend of attackers specifically targeting vendors and service providers as force multipliers [9].
How Can Financial Institutions Protect Against Third-Party Breaches?
Protecting what you've built means treating vendor risk as a first-class security concern, not a compliance checkbox. Here are concrete steps:
Demand Evidence, Not Attestations
Require vendors to provide current penetration test results, SOC 2 Type II reports, and proof of vulnerability management programs. A questionnaire isn't enough — ask for evidence that patches like CVE-2024-40766 are applied within CISA's recommended timelines [4][6].
Enforce Data Minimization
If your vendor doesn't need Social Security numbers to run a marketing campaign, don't send them. Tokenize, anonymize, or segment data so that a vendor compromise doesn't expose your entire customer database [8].
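As an added illustration of the data-minimization step (not code from Marquis, any affected institution, or the original article), the sketch below builds a vendor export from an allowlist of fields, swaps the customer ID for a keyed HMAC token, and scans the result for SSN-shaped or raw identifiers before it leaves. The field names, allowlist, key and sample record are assumptions constructed for the example.

```python
import hashlib
import hmac
import re
from datetime import date

# Assumed policy: the only attributes this marketing vendor may receive.
VENDOR_ALLOWLIST = {"first_name", "zip3", "age_band", "product_segment"}
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")

# Constructed sample record; none of these values are real.
SAMPLE = {"customer_id": "C-1001", "first_name": "Ana", "ssn": "123-45-6789",
          "account_number": "000123456789", "dob": date(1980, 6, 15),
          "zip": "75024", "product_segment": "auto-loan"}


def pseudonym(key: bytes, customer_id: str) -> str:
    """Keyed token: stable for joins, useless without the institution's key."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:32]


def age_band(dob: date, today: date) -> str:
    """Generalize a birth date to a ten-year band."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def minimize(record: dict, key: bytes, today: date) -> dict:
    """Build the vendor row from derived fields, then enforce the allowlist."""
    derived = {**record, "zip3": record["zip"][:3],
               "age_band": age_band(record["dob"], today)}
    row = {k: v for k, v in derived.items() if k in VENDOR_ALLOWLIST}
    row["token"] = pseudonym(key, record["customer_id"])
    return row


def leaks(export: list, originals: list) -> list:
    """Egress check: SSN-shaped strings or raw identifiers in the export."""
    raw = {str(r[f]) for r in originals
           for f in ("ssn", "account_number", "customer_id")}
    return [f"row {i}: {field}"
            for i, row in enumerate(export)
            for field, value in row.items()
            if SSN_RE.search(str(value)) or str(value) in raw]
```

Running `leaks()` on every outbound file catches the case where a free-text or newly added column carries an identifier the allowlist never anticipated.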
Build Contractual Teeth
Breach notification timelines, security baseline requirements, and audit rights should be in every vendor agreement. Four-month notification delays are unacceptable when the data includes SSNs and financial account numbers [10].
Monitor Continuously
Point-in-time assessments miss the reality that vendor security postures change. Continuous monitoring tools can flag when a vendor's external attack surface develops new exposures — like an unpatched SonicWall appliance [4][7].
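One way to turn "evidence, not attestations" and continuous monitoring into a repeatable check, as an added example that is not from the original article: compare a vendor's patch evidence with KEV due dates. The records use the field names of CISA's KEV JSON feed, but the dates, the CVE-0000-* entries and the vendor evidence are constructed for illustration.

```python
import json
from datetime import date

# Constructed records using the field names of CISA's KEV JSON feed.
# Dates and the CVE-0000-* entries are illustrative, not catalog data.
KEV = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2024-40766", "vendorProject": "SonicWall", "product": "SonicOS",
   "dueDate": "2024-09-30", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
   "dueDate": "2025-01-27", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0002", "vendorProject": "OtherVendor", "product": "OtherCMS",
   "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Known"}
]}""")["vulnerabilities"]

# Hypothetical evidence returned by a vendor: edge products in use and the
# date each KEV fix was applied (None = no evidence of a patch).
EVIDENCE = {
    "products": [["SonicWall", "SonicOS"], ["ExampleVendor", "ExampleVPN"]],
    "patched_on": {"CVE-2024-40766": None, "CVE-0000-0001": "2025-02-10"},
}


def kev_findings(kev, evidence, as_of):
    """Compare vendor patch evidence with KEV due dates; worst findings first."""
    in_use = {tuple(p) for p in evidence["products"]}
    findings = []
    for v in kev:
        if (v["vendorProject"], v["product"]) not in in_use:
            continue  # product is not part of this vendor's stack
        due = date.fromisoformat(v["dueDate"])
        patched = evidence["patched_on"].get(v["cveID"])
        done = date.fromisoformat(patched) if patched else None
        # Exposure past the due date runs until the patch date, or until as_of.
        days_late = max(((done or as_of) - due).days, 0)
        if done is None:
            status = "unpatched-overdue" if days_late else "open-within-sla"
        else:
            status = "patched-late" if days_late else "ok"
        findings.append({
            "cve": v["cveID"], "status": status, "days_late": days_late,
            "ransomware": v["knownRansomwareCampaignUse"] == "Known",
        })
    rank = {"unpatched-overdue": 0, "patched-late": 1, "open-within-sla": 2, "ok": 3}
    findings.sort(key=lambda f: (rank[f["status"]], not f["ransomware"], -f["days_late"]))
    return findings
```

In practice the `KEV` list would be loaded from the catalog feed referenced in [4] and the evidence from the vendor's own patch records, re-run on a schedule rather than once at onboarding.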
Have an Incident Response Plan That Includes Vendors
Your IR plan should include playbooks for third-party breaches. Know in advance how you'll assess exposure, communicate with customers, and coordinate with the compromised vendor [8].
FAQ
If you bank with a community bank or credit union in the United States, particularly one that uses Marquis for marketing or data analytics services, you may be affected. Check your mail for notification letters from your financial institution, and monitor the Maine Attorney General's breach notification page for updated filings [3]. Affected individuals are typically offered credit monitoring services.
The breach exposed names, Social Security numbers, physical addresses, phone numbers, dates of birth, and financial account information. This combination of data is sufficient for identity theft, fraudulent account opening, and targeted phishing campaigns [1][3].
CVE-2024-40766 is a critical improper access control vulnerability in SonicWall's SonicOS firmware, rated 9.3 on the CVSS scale. It allows unauthenticated attackers to access firewall management interfaces remotely. CISA added it to the Known Exploited Vulnerabilities catalog, and it has been actively leveraged in ransomware campaigns, including by the suspected Akira group [4][6][7].
According to a since-deleted regulatory filing by Community 1st Credit Union, Marquis allegedly paid a ransom to the attackers. This detail has not been independently confirmed by Marquis, and the filing was removed after publication [1].
Businesses should implement comprehensive vendor risk management programs that include pre-engagement security assessments, contractual security requirements with audit rights, data minimization practices, continuous monitoring of vendor security postures, and incident response plans that explicitly address third-party breach scenarios. The NIST Cybersecurity Framework and Ponemon Institute's research provide structured approaches to building these programs [8][10].
Protect What You've Built
Third-party risk isn't theoretical — it's the breach vector that keeps scaling. If your organization shares sensitive data with vendors and you're not sure how they're protecting it, that's the gap to close today.
References
[1] H. Kanapi, "US Banks Hit by Massive Third-Party Data Breach," The Daily Hodl, Mar. 21, 2026. [Online]. Available: https://dailyhodl.com/2026/03/21/us-banks-hit-by-massive-third-party-data-breach-sensitive-information-of-672075-people-potentially-exposed/
[2] "Navia Data Breach Impacts 2.7 Million," SecurityWeek, Mar. 20, 2026. [Online]. Available: https://www.securityweek.com/navia-data-breach-impacts-2-7-million/
[3] Maine Attorney General, "Data Breach Notifications," 2026. [Online]. Available: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/data-breach-notifications.html
[4] CISA, "Known Exploited Vulnerabilities Catalog," 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[5] "Marquis Software data breach affects banking customers," BleepingComputer, Mar. 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/navia-discloses-data-breach-impacting-27-million-people/
[6] NIST, "NVD - CVE-2024-40766," 2024. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2024-40766
[7] Arctic Wolf Labs, "SonicWall VPN Credential Theft Analysis," 2025. [Online]. Available: https://arcticwolf.com/resources/blog/
[8] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[9] Krebs on Security, "Iran-Backed Hackers Claim Wiper Attack," Mar. 2026. [Online]. Available: https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
[10] Ponemon Institute, "Third-Party Risk Management Study," 2025. [Online]. Available: https://www.ponemon.org/
TL;DR
- A company called Marquis Software Solutions helps over 700 banks with marketing and data — and hackers broke into Marquis, not the banks themselves. But because Marquis had bank customer data, over 800,000 people got their personal info exposed [1][3].
- The hackers got in through a known security flaw in a firewall product that had a fix available — like leaving a broken lock on the front door even though a new lock was ready to install [6].
- It took four months for anyone to tell the affected people what happened [1].
- The fix-up work Marquis did afterward — installing monitoring tools, changing passwords, rebuilding systems — is stuff that should've been there from the start [1][8].
What Happened? Think of It Like a Neighborhood
Imagine your bank is a house with good locks and cameras. But you hire a lawn-mowing company and give them a spare key to the backyard shed — the one with important paperwork inside.
Marquis Software Solutions is that lawn-mowing company. This Plano, Texas firm helps over 700 banks with advertising and data work. Banks gave Marquis access to customer names, Social Security numbers, addresses, birthdates, and bank account details [1].
On August 14, 2025, hackers didn't break into any bank. They broke into Marquis — the company with spare keys to 700+ sheds. One break-in, 80+ banks affected, over 800,000 people exposed [1][3].
How Did the Hackers Get In?
Marquis used a firewall (like a front gate) made by SonicWall. That gate had a known broken latch — security experts rated it 9.3 out of 10 for danger, and a fix was available [6]. But Marquis never installed it. Hackers — possibly a group called Akira — walked right through [4][7].
SonicWall products have appeared on the government's "known broken locks" list 14 times. Eight of those were used in ransomware attacks, where hackers lock your files and demand money [4].
Why Did It Take So Long to Tell People?
The break-in was in August 2025. People weren't told until December — four months later [1][3]. That's four months of stolen Social Security numbers floating around while victims had no idea. IBM's research shows breaches already take an average of 277 days to contain, and adding silence makes it worse [8].
What Should You Do?
- Check the mail for breach notification letters from your bank.
- Freeze credit reports at Equifax, Experian, and TransUnion — it's free and stops anyone from opening fake accounts in your name.
- Watch bank statements for transactions that don't belong.
- Use strong, unique passwords — a password manager helps.
- Turn on two-factor authentication — that extra code when you log in adds a second lock to the door.
FAQ
A third-party data breach is when hackers don't attack your company directly — they attack a company your company works with. In this case, hackers attacked Marquis Software Solutions, which had access to bank customer data. The banks themselves weren't hacked, but their customers' data was still stolen because it was stored at Marquis [1].
The stolen data includes people's full names, Social Security numbers, home addresses, phone numbers, dates of birth, and bank account information. This is enough for criminals to try to steal someone's identity or open fake accounts [1][3].
The Maine Attorney General filing lists 672,075 people. Across all state filings, the number is over 823,000. The real total could be as high as 1.35 million people across 74 to 80+ banks and credit unions [1][3].
Yes — this appears to be a ransomware attack, where hackers lock up data and demand payment. Reports suggest Marquis may have paid the ransom, based on a filing by Community 1st Credit Union that was later deleted [1].
Freeze your credit at Equifax, Experian, and TransUnion — it's free and it stops strangers from opening accounts in your name. Monitor your bank accounts for unfamiliar activity. Use unique passwords and turn on two-factor authentication wherever you can. These steps won't undo a breach, but they make stolen data much harder to use against you [8].
Want to Make Sure Your Vendors Aren't the Weak Link?
Whether you run a small business or manage IT for a larger organization, understanding who has access to your data — and how they protect it — is one of the most important things you can do.
References
[1] H. Kanapi, "US Banks Hit by Massive Third-Party Data Breach," The Daily Hodl, Mar. 21, 2026. [Online]. Available: https://dailyhodl.com/2026/03/21/us-banks-hit-by-massive-third-party-data-breach-sensitive-information-of-672075-people-potentially-exposed/
[3] Maine Attorney General, "Data Breach Notifications," 2026. [Online]. Available: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/data-breach-notifications.html
[4] CISA, "Known Exploited Vulnerabilities Catalog," 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[6] NIST, "NVD - CVE-2024-40766," 2024. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2024-40766
[7] Arctic Wolf Labs, "SonicWall VPN Credential Theft Analysis," 2025. [Online]. Available: https://arcticwolf.com/resources/blog/
[8] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach