On March 18, 2026, a filing with the Maine Attorney General’s office quietly confirmed what had been trickling out in fragments for months: 672,075 people had their most sensitive personal and financial information stolen in a ransomware attack against a company called Marquis Software Solutions. More than half of the victims are in Texas. Most of them have almost certainly never heard of Marquis.
That’s the insidious nature of supply-chain breaches. You can choose your bank carefully, review their security practices, and trust that your financial institution has your back — but you have zero visibility into the dozens of third-party vendors they hand your data to behind the scenes. Marquis is one of those vendors. It’s a Plano, Texas-based fintech firm that provides data analytics, customer relationship management, and marketing compliance tools to more than 700 banks and credit unions across the United States. It holds — or rather, held — a treasure trove of the most sensitive data in existence: Social Security numbers, bank account numbers, credit and debit card details, dates of birth, addresses, phone numbers, and Taxpayer Identification Numbers.
And on August 14, 2025, ransomware operators walked in through a firewall vulnerability and took all of it.
The Attack: A SonicWall Vulnerability Becomes a Gateway
The breach at Marquis didn’t start at Marquis. It started at SonicWall.
According to Marquis’s own lawsuit against its firewall vendor, filed in February 2026, SonicWall introduced a vulnerability through a code change to its API in February 2025. That flaw allowed unauthorized actors to download firewall configuration backup files from SonicWall’s MySonicWall cloud backup service without proper authentication. The only thing an attacker needed was a firewall device serial number — which Marquis’s complaint describes as “predictable and algorithmically generatable.”
But it gets worse. SonicWall had stored MFA scratch codes within those configuration backup files — without encrypting them. Those scratch codes could be used to bypass multi-factor authentication on customer firewalls entirely. In other words, even organizations that had done everything right — implemented MFA, maintained advanced security controls — were exposed because their firewall vendor stored their bypass codes in plain text inside downloadable backup files.
Security researchers linked the subsequent attack to the Akira ransomware group, which had been exploiting a critical improper access control vulnerability (CVE-2024-40766) in SonicWall VPN products throughout 2024 and 2025. According to research from Arctic Wolf Labs, Akira had been bypassing multi-factor authentication in over half of the intrusions analyzed by using valid credentials harvested from devices prior to the patch being applied.
The Australian Cyber Security Centre had issued an advisory on September 10, 2025, warning that “organizations remain vulnerable if they have not fully implemented the mitigation advice by updating credentials after updating the firmware.” Simply patching the vulnerability wasn’t enough — the horse was already out of the barn.
On August 14, 2025, the threat actors accessed Marquis’s network through its SonicWall firewall. They exfiltrated files containing customer data. Then they deployed ransomware.
The Scope: 80+ Banks, Up to 824,000 Victims — and Counting
The 672,075 figure in the March 18 Maine filing represents the most definitive count Marquis has provided to date. But evidence strongly suggests the true scope is significantly larger.
An analysis by American Banker of public disclosures across multiple state attorneys general offices found that the breach affected at least 823,548 customers across 80 banks and credit unions — and that figure was compiled in January 2026, before several additional institutions had disclosed.
The state-by-state breakdown paints a grim picture:
- Texas: 354,289 individuals (per the state AG, December 2, 2025)
- Washington: 269,773 individuals across 30+ financial institutions (November 26, 2025)
- South Carolina: 84,721 individuals
- Maine: 42,784 individuals
- Iowa: 10,730 individuals
Multiple law firms and cybersecurity researchers have estimated the total number of affected individuals is likely between 788,000 and 1.35 million, since many states had not yet completed their disclosures at the time of those estimates.
The initial estimate of 74 affected financial institutions has since grown to at least 80. And sources who spoke to The Record noted that the bank they work for was impacted and sent its own breach notifications, but was not included in the list of 74 affected financial institutions released last year — suggesting the true institutional count is higher still.
The Data: Everything an Identity Thief Needs
The information stolen in the Marquis breach reads like a checklist for comprehensive identity theft:
- Full names
- Dates of birth
- Social Security numbers
- Taxpayer Identification Numbers
- Physical addresses
- Phone numbers
- Bank account numbers
- Credit and debit card numbers
- Financial account information
This isn’t a breach of email addresses and hashed passwords. This is the full spectrum of personally identifiable information (PII) and financial data — the kind of data that enables not just identity theft, but targeted financial fraud, synthetic identity creation, tax refund fraud, and account takeover attacks.
Understanding why Marquis held this data in the first place is important. According to a source who spoke to The Record, Marquis provides customer relationship management tools where bank employees track what kind of accounts each customer has, enabling marketing of additional financial products. Banks enter Social Security numbers, account numbers, home addresses, account balances, and more into the platform. They also track which bank employees have spoken to a customer, what they discussed, and when follow-ups are scheduled.
In other words, Marquis had a holistic financial profile of every customer of every bank it served. It was a marketing and analytics platform — not a bank itself — but it held the most sensitive banking data imaginable.
The Ransom: Paid, But Officially Denied
One of the most troubling aspects of this breach is the question of whether Marquis paid a ransom.
In its consumer notifications, Marquis stated it has “no evidence of the misuse” of the stolen data — a carefully worded statement that doesn’t actually say the data wasn’t stolen or that it won’t be misused. American Banker reported that internal communications suggest Marquis paid the attackers to suppress the data.
The most direct evidence comes from a November 7, 2025, email from Bobbi Terrell, chief compliance and business services officer at Community 1st Credit Union in Iowa, sent to the Iowa attorney general. The email stated that “Marquis paid a ransomware” shortly after August 14. Cybersecurity research firm Comparitech first reported on the email, which it obtained from a since-deleted breach notification letter from the credit union.
No ransomware gang has ever publicly taken credit for the attack — which is consistent with ransom payment scenarios where attackers agree not to publish stolen data in exchange for payment. Marquis has not commented on whether a ransom was paid.
The question of ransom payment is significant for victims. If a ransom was paid and the attackers honored the agreement, the stolen data may never surface publicly. But ransom agreements are unenforceable promises from criminal organizations. Multiple ransomware groups have been documented releasing data even after receiving payment, or selling it privately while maintaining public silence.
The Timeline: Seven Months of Silence
For the hundreds of thousands of people whose data was stolen, one of the most galling aspects of this breach is the timeline:
- February 2025: SonicWall introduces the API vulnerability that exposed configuration backup files
- August 14, 2025: Marquis detects the ransomware attack
- August 14, 2025: Marquis notifies law enforcement and engages cybersecurity experts
- Late November 2025: First breach notifications filed with state attorneys general
- Late November - December 2025: Financial institutions begin mailing notifications to affected customers
- January 5, 2026: American Banker analysis reveals 80+ banks, 824,000+ victims
- February 2026: Marquis sues SonicWall
- March 18, 2026: Marquis discloses full count of 672,075 victims in Maine filing
That’s more than three months between the attack and the first state-level disclosures, and seven months before the full victim count was revealed. During that entire period, 672,000+ people had their Social Security numbers and bank account details in the hands of ransomware operators without knowing it.
State breach notification laws vary, but most require notification within 30 to 60 days of discovering a breach. The delay here has already attracted regulatory scrutiny and is a central element of the class-action lawsuits Marquis now faces.
The Lawsuit: Marquis vs. SonicWall
In February 2026, Marquis filed a 35-page complaint against SonicWall, alleging that the firewall vendor’s negligence directly enabled the ransomware attack. The allegations are detailed and damning:
- Predictable serial numbers as access keys: SonicWall used device serial numbers — which Marquis describes as easy to predict and brute-force — as the access mechanism for downloading configuration backup files. No additional authentication was required.
- Unencrypted MFA scratch codes: SonicWall stored MFA bypass codes within configuration backup files in plain text. When those files were downloaded by attackers, they obtained the ability to bypass multi-factor authentication on customer firewalls.
- Failure to detect unauthorized access: SonicWall allegedly failed to detect that configuration backup files were being downloaded by unauthorized parties for months.
- Misrepresenting the scope of the breach: Marquis alleges that SonicWall downplayed the severity of the MySonicWall cloud breach and did not provide critical security information even after Marquis reported being hit by ransomware.
SonicWall responded in a statement to Information Security Media Group: “We have not identified any technical evidence establishing a link between these events. Unfortunately, the customer filed a lawsuit without providing documentation to substantiate its allegations in advance.”
The lawsuit paints a picture of cascading vendor failures — SonicWall’s cloud service was breached, exposing Marquis’s firewall configuration; attackers used that configuration data to penetrate Marquis; and Marquis’s own clients’ customers paid the ultimate price.
The Fallout: Class Actions, Lost Contracts, and Industry Exile
The financial and reputational damage to Marquis has been severe. According to its own lawsuit filings:
- Marquis has been named as a defendant in dozens of putative class actions seeking millions of dollars in damages
- Clients have terminated contracts prematurely
- Clients have refused to pay outstanding amounts
- Some clients have sought return of prepaid fees
- A national trade association disinvited Marquis from a conference and refused to allow it to serve as a lead sponsor
For the affected financial institutions, the damage has been operational as well as reputational. Multiple banks have stressed in their own statements that the hackers never breached their own systems — only data “maintained by Marquis Software.” But that distinction offers cold comfort to customers whose Social Security numbers are now in criminal hands.
Affected institutions are offering 12 to 24 months of complimentary credit monitoring and identity theft protection services through Epiq. Marquis itself has implemented additional security measures including endpoint detection and response tools, rebuilt infrastructure with new operating systems, rotated passwords for local accounts, and applied stricter geographic-based IP filtering to its firewalls — measures that, had they been in place before August 14, might have prevented the breach entirely.
The Bigger Picture: Supply Chain Risk in Community Banking
The Marquis breach is a textbook case of third-party supply chain risk — and it highlights a systemic vulnerability in the American community banking ecosystem.
Marquis serves more than 700 banks and credit unions. Most of these are small, community-focused institutions that lack the cybersecurity budgets and in-house expertise of major banks. They rely on vendors like Marquis to handle marketing analytics, compliance reporting, and customer relationship management. In doing so, they hand over their most sensitive customer data to an entity that their customers have never heard of, didn’t choose, and can’t evaluate.
This creates an invisible attack surface that consumers have no ability to assess or mitigate. You can choose a bank with strong security practices. You cannot choose — or even know about — the dozens of vendors that bank shares your data with.
As SBS Cybersecurity noted in its analysis of the breach: “Several impacted organizations did not initially know what types of data Marquis held on their behalf. That gap complicates reporting, customer notification timelines, and examiner expectations.”
The breach also exposes the limitations of vendor risk management as currently practiced. Annual security questionnaires — the standard approach at most financial institutions — don’t confirm whether firewalls are patched, VPN accounts are secured, or MFA bypass codes are stored in plain text. The Marquis breach demonstrates that a checked box on a vendor questionnaire is not the same as verified security.
Lessons for Every Organization
The Marquis breach offers several critical lessons:
1. Know what data your vendors hold. Many of the affected banks didn’t fully understand what data they had sent to Marquis, or how it was stored. If you can’t enumerate what data each vendor holds, you can’t assess the impact when they’re breached.
2. Patching is necessary but not sufficient. The SonicWall vulnerability had a patch available, but attackers harvested credentials before the patch was applied. Organizations must rotate all credentials after applying security patches to network equipment — not just assume the patch alone resolves the risk.
3. MFA can be bypassed when implementation is flawed. Marquis had MFA enabled. It didn’t matter, because SonicWall stored MFA scratch codes in unencrypted backup files. MFA is only as strong as its weakest implementation point.
4. Vendor breach notification timelines are unacceptable. Seven months between breach and full disclosure is too long. Organizations should demand contractual notification timelines from vendors and build incident response plans that account for vendor breaches.
5. Ransom payment doesn’t equal data safety. Even if Marquis paid a ransom to suppress the data, there are no guarantees in criminal negotiations. Victims should act as though their data is compromised regardless.
6. Supply chain risk is existential risk. The Marquis breach affected more people than most direct attacks on major corporations. The community banking sector’s reliance on shared vendors creates concentrated risk that individual institutions cannot manage alone.
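Lessons 2 and 3 reduce to a check any team can run after patching a firewall: which passwords and MFA scratch codes have not been rotated since the fix went in. The following is an added example, not code from Marquis, SonicWall, or any source cited here; the inventory format, device names, account names, and dates are constructed assumptions.

```python
from datetime import datetime, timezone

def ts(text):
    """Parse an ISO timestamp as UTC (the inventory below is constructed)."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

# Constructed sample: when each firewall received the fixed firmware.
# None means no patch is on record for that device.
PATCHED_AT = {
    "fw-hq-01": ts("2025-03-10T02:00:00"),
    "fw-branch-02": None,
}

# Constructed sample: (device, owner, secret kind, last rotated or None).
SECRETS = [
    ("fw-hq-01", "alice", "vpn_password", ts("2025-03-11T09:30:00")),
    ("fw-hq-01", "alice", "mfa_scratch_codes", ts("2024-11-02T14:00:00")),
    ("fw-hq-01", "svc-ldap-bind", "bind_password", None),
    ("fw-hq-01", "bob", "vpn_password", ts("2025-03-10T02:00:00")),
    ("fw-branch-02", "carol", "vpn_password", ts("2025-04-01T08:00:00")),
]

def stale_secrets(patched_at, secrets):
    """Return secrets that may have been harvested before the fix landed."""
    findings = []
    for device, owner, kind, rotated in secrets:
        patch = patched_at.get(device)
        if patch is None:
            # Rotation on an unpatched device does not close the exposure.
            reason = "device has no recorded patch"
        elif rotated is None:
            reason = "no rotation on record"
        elif rotated <= patch:
            # Rotating at or before patch time still leaves a window.
            reason = "not rotated after patch"
        else:
            continue
        findings.append((device, owner, kind, reason))
    return findings

if __name__ == "__main__":
    for finding in stale_secrets(PATCHED_AT, SECRETS):
        print(" | ".join(finding))
```

Scratch codes and service-account passwords are listed alongside user passwords because each is a separate secret that a password reset alone does not replace.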
What Victims Should Do
If you bank with a community bank or credit union, there’s a reasonable chance your data was part of this breach — even if you haven’t received a notification letter yet. Here’s what you should do:
- Check your mail for breach notification letters from your bank or credit union
- Enroll in the free credit monitoring offered by Marquis/Epiq if you receive a notification
- Place a fraud alert or credit freeze with all three credit bureaus (Equifax, Experian, TransUnion)
- Monitor your bank accounts closely for unauthorized transactions
- File your taxes early to preempt tax refund fraud using your stolen SSN
- Consider an IRS Identity Protection PIN to prevent fraudulent tax filings
- Be alert for targeted phishing — attackers now have enough information to craft convincing impersonation attempts
The Marquis breach is a reminder that in today’s interconnected financial ecosystem, your data security is only as strong as the weakest vendor in the chain. And you probably don’t even know who that vendor is.
Sources: TechCrunch, The Record, American Banker, BleepingComputer, Healthcare Info Security, SBS Cybersecurity, Security Affairs, Maine Attorney General



