A comprehensive analysis of the August 2025 attack that exposed nearly 800,000 bank and credit union customers
Executive Summary
In August 2025, Marquis Software Solutions, a Texas-based financial technology vendor serving over 700 banks and credit unions, fell victim to a sophisticated ransomware attack that compromised the personal and financial information of approximately 788,000 customers. The breach occurred on August 14, 2025, when attackers exploited a vulnerability in the company’s SonicWall firewall to gain unauthorized access to sensitive customer data. This incident serves as a stark reminder of the systemic risks posed by third-party vendor concentration in the financial services sector.
The Breach Timeline
- August 14, 2025: Attackers breach Marquis Software Solutions’ network through a SonicWall firewall vulnerability
- Same day: Company detects suspicious activity and takes affected systems offline
- October 27, 2025: Financial institutions begin receiving breach notifications
- Late November/early December 2025: Public disclosure through Attorney General filings in multiple states
- Ongoing: Investigation continues, with no evidence of data appearing on the dark web as of early December 2025
What Data Was Compromised?
The stolen information represents a comprehensive profile of victims’ financial identities:
- Full names and physical addresses
- Social Security numbers (SSNs)
- Taxpayer Identification Numbers (TINs)
- Dates of birth
- Phone numbers
- Financial account information (excluding security codes or access credentials)
- Credit and debit card numbers
This combination of personally identifiable information (PII) and financial data creates significant identity theft risks for affected individuals.
Scale of Impact: 74+ Financial Institutions Affected
According to data breach notifications filed with state Attorney General offices across Maine, Iowa, Texas, Massachusetts, New Hampshire, South Carolina, and Washington, at least 74 banks and credit unions were impacted. However, given that Marquis serves over 700 financial institutions nationwide, the actual scope may be broader.
The affected institutions represent a cross-section of community banks and credit unions that rely on Marquis for:
- Data analytics and business intelligence
- Customer relationship management (CRM) tools
- Compliance reporting and regulatory documentation
- Digital marketing services
The Technical Attack Vector: SonicWall - But Which Vulnerability?
Critical Clarification: Marquis has only confirmed that attackers breached their network “through its SonicWall firewall” on August 14, 2025. The company has not disclosed which specific vulnerability was exploited. What follows is security researcher speculation based on attack patterns and timing—not confirmed facts.
The Speculation: Two Leading Theories
Security researchers have proposed two primary theories about which vulnerability was used:
Theory #1: CVE-2024-40766 (Most Media Coverage)
Most security publications have speculated this is CVE-2024-40766, a critical improper access control vulnerability in SonicWall SonicOS disclosed in August 2024 - approximately one year before the Marquis breach.
This vulnerability, which received a CVSS score of 9.3 (Critical), affects SonicWall’s SSL VPN and management access components across multiple device generations:
- Gen 5 devices: SOHO models running version 5.9.2.14-12o and older
- Gen 6 devices: TZ, NSA, and SM models running versions 6.5.4.14-109n and older
- Gen 7 devices: TZ and NSA models running SonicOS build version 7.0.1-5035 and older
Why researchers suspect CVE-2024-40766:
- Heavily exploited by Akira ransomware throughout 2024-2025
- Allows attackers to steal VPN credentials, passwords, and OTP seeds
- Enables persistent access even after patching if credentials aren’t rotated
- Timeline matches known Akira campaigns
- Marquis’s post-breach remediation (MFA, geo-blocking, credential rotation) suggests VPN compromise
The critical timing issue: If this was indeed the vulnerability used, it means Marquis was breached using a year-old patched vulnerability—a catastrophic patch management failure.
Theory #2: CVE-2024-53704 (Technical Analysis)
However, Lydia Zhang, President of Ridge Security, argues the breach is more closely related to CVE-2024-53704, a different SonicWall SSL VPN vulnerability:
“This recent attack was more closely related to CVE-2024-53704 rather than CVE-2024-40766. The ‘53704’ SonicWall SSL VPN vulnerability leaks the swap cookie and session ID, which lets a remote attacker bypass authentication and take over an existing session.”
CVE-2024-53704 details:
- Disclosed officially: January 7, 2025 (but may have been exploited as zero-day earlier)
- CVSS Score: 9.8 (Critical)
- Allows session hijacking without credentials
- Affects TZ, NSa, NSsp, and NSv series firewalls
- Added to CISA KEV: February 18, 2025
The timing problem with this theory: CVE-2024-53704 wasn’t publicly disclosed until January 2025, but the Marquis breach occurred in August 2025. This could mean:
- Attackers discovered it as a zero-day and used it months before disclosure
- It was already being exploited in the wild before the January disclosure
- The researcher is incorrect and it was actually CVE-2024-40766
What We Actually Know
Confirmed facts:
- Attackers breached through a SonicWall firewall
- The attack occurred August 14, 2025
- Marquis implemented post-breach controls suggesting VPN/authentication compromise
- Attack patterns resemble Akira ransomware techniques
Speculation/unconfirmed:
- Which specific CVE was exploited
- Whether Akira ransomware was responsible
- Whether a ransom was paid
The broader truth: Regardless of which vulnerability was used, Marquis was running vulnerable SonicWall equipment that should have been either patched, properly configured, or replaced. The specific CVE almost doesn’t matter—the fundamental security failure is the same.
SonicWall’s Four-Year Security Nightmare: A History of Exploitation (2021-2025)
To understand the Marquis breach, we need context: SonicWall has been a ransomware attacker’s favorite target for four years straight. This isn’t a one-off incident—it’s part of a systematic, ongoing exploitation of SonicWall products that has affected hundreds of organizations globally.
The Grim Statistics
- 14 SonicWall CVEs on CISA’s Known Exploited Vulnerabilities (KEV) catalog since late 2021
- 8 of those 14 confirmed used in ransomware campaigns
- 4 actively exploited in 2025 alone (as of December 2025)
- 20+ vulnerabilities publicly disclosed by SonicWall in 2025
- Notably absent: SonicWall has NOT signed the Secure-by-Design pledge, unlike many competitors
Timeline of Major Incidents
2021: The Zero-Day Wake-Up Call
CVE-2021-20016 (SonicWall Email Security - SQL Injection)
- Exploited as zero-day by UNC2447 threat group
- Used to deploy FiveHands ransomware (variant of HelloKitty)
- First detected: October 2020, disclosed publicly: early 2021
- Also exploited in chain: CVE-2021-20021, CVE-2021-20022, CVE-2021-20023
CVE-2021-20035 (SMA 100 - Command Injection)
- Authenticated OS command injection vulnerability
- Re-exploited in 2025 campaign (see below)
- CISA KEV addition: 2025
2022: Brief Respite, But Lurking Issues
CVE-2022-22274 (NGFW - Buffer Overflow)
- Unauthenticated buffer overflow in web management
- CVSS: 9.4 (Critical)
- Could cause DoS or potentially RCE
- Affected: Gen 6 and Gen 7 firewalls
- Later discovered to be related to CVE-2023-0656
2023: Continued Pressure
CVE-2023-0656 (NGFW - Buffer Overflow)
- Essentially the same vulnerability as CVE-2022-22274 on different URI path
- Discovered by Bishop Fox researchers
- 178,000+ devices vulnerable at time of disclosure
- Shows pattern of incomplete patching
CVE-2023-44221 (SMA 100 - Command Injection)
- Post-authentication OS command injection
- Added to CISA KEV: July 2025
- Exploited in the wild years after disclosure
2024: The Year of Akira
CVE-2024-40766 (SonicOS - Improper Access Control) - THE BIG ONE
- Disclosed: August 22, 2024
- CVSS: 9.3 (Critical)
- Added to CISA KEV: September 10, 2024
- Confirmed used in ransomware campaigns
The Exploitation Wave:
- Akira and Fog ransomware began mass exploitation immediately
- Arctic Wolf observed 30+ intrusions August-October 2024
- Attackers stole VPN credentials and OTP seeds
- Even patched systems remained vulnerable if credentials weren’t rotated
- As of December 2024: 48,933 devices still unpatched (13% of exposed devices)
Unique persistence mechanism: Attackers who compromised systems before patching could maintain access indefinitely using stolen OTP seeds—meaning they could generate valid 2FA codes even after patches were applied. This required complete MFA re-enrollment, not just password resets.
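The persistence mechanism just described, as an added example that is not code from the page, SonicWall or any vendor: a minimal RFC 6238 TOTP verifier and a constructed account record show that a password reset leaves a seed copied before patching fully valid, and only MFA re-enrolment (a fresh seed) invalidates it. The account model, usernames and timestamp are constructed for this example.

```python
"""Why a password reset alone does not evict an attacker holding a copied OTP seed.

Added example (not from the page or any vendor). The account model is constructed;
the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits by default).
"""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Account:
    """Constructed VPN account: salted password hash plus the enrolled TOTP seed."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password)
        self.otp_seed = secrets.token_bytes(20)  # the value copied by an intruder pre-patch

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def reset_password(self, new_password: str) -> None:
        """What a plain password reset changes: the hash, not the OTP seed."""
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(new_password)

    def reenroll_mfa(self) -> bytes:
        """MFA re-enrolment issues a brand-new seed; the old one is never accepted again."""
        self.otp_seed = secrets.token_bytes(20)
        return self.otp_seed

    def verify_otp(self, code: str, at: int) -> bool:
        return hmac.compare_digest(totp(self.otp_seed, at), code)


def copied_seed_still_valid(account: Account, copied_seed: bytes, at: int) -> bool:
    """Defender's check: does a code derived from the pre-patch seed copy still pass?"""
    return account.verify_otp(totp(copied_seed, at), at)


def remediation_walkthrough(at: int = 1_700_000_000) -> dict:
    """Compare the two remediation steps against a seed copied before patching."""
    acct = Account("vpn-user", "old-password")
    copied = acct.otp_seed                       # exfiltrated before the patch
    acct.reset_password("new-password")          # step 1: password reset only
    after_reset = copied_seed_still_valid(acct, copied, at)
    acct.reenroll_mfa()                          # step 2: fresh seed
    after_reenroll = copied_seed_still_valid(acct, copied, at)
    return {"after_password_reset": after_reset, "after_mfa_reenroll": after_reenroll}


if __name__ == "__main__":
    print(remediation_walkthrough())
```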
CVE-2024-38475 (SMA 100 - Command Injection)
- Post-authentication command injection
- Added to CISA KEV: 2024
- Part of ongoing SMA 100 targeting
CVE-2024-53704 (SonicOS SSL VPN - Authentication Bypass)
- Disclosed: January 7, 2025 (but likely exploited earlier as zero-day)
- CVSS: 9.8 (Critical)
- Authentication bypass via improper cookie handling
- Allows session hijacking without credentials
- Added to CISA KEV: February 18, 2025
- PoC published by Bishop Fox: February 2025
- Active exploitation confirmed by Arctic Wolf
2025: The Crisis Continues
January 2025 - Nine Vulnerabilities in One Day
- SonicWall released advisories for 9 vulnerabilities on January 7, 2025
- Set the tone for a challenging year
CVE-2025-23006 (SMA 1000 - Deserialization)
- Critical deserialization vulnerability
- Remote, unauthenticated RCE
- Disclosed: January 22, 2025
- Added to CISA KEV: January 24, 2025
- Known to be used in ransomware campaigns
July-August 2025 - The “Zero-Day” Confusion
- Wave of attacks initially attributed to a zero-day
- Multiple security firms (Huntress, Arctic Wolf, Mandiant) reported attacks on fully patched systems with MFA enabled
- SonicWall eventually attributed the attacks to CVE-2024-40766 (from 2024)
Controversy: Security researchers believed it was a new zero-day based on:
- Fully patched systems compromised
- MFA bypassed
- Speed and sophistication of attacks
- Likely explanation: Attackers using credentials stolen before patching + poor credential hygiene
Google TAG Discovery - Overstep Backdoor (May 2025)
- Google Threat Intelligence Group discovered sophisticated backdoor on SMA 100 devices
- “Overstep” malware designed for persistence
- Linked to Abyss ransomware campaigns
- Targets end-of-life SMA 100 series devices
- Uses stolen administrator credentials for repeat attacks
- Survives reboots and most removal attempts
May 2025 - Three More SMA 100 Vulnerabilities
- CVE-2025-32819 (Arbitrary File Delete) - Believed exploited in the wild
- CVE-2025-32820 (Privilege Escalation)
- CVE-2025-32821 (RCE as root)
- Can be chained for complete device compromise
- Rapid7 discovered and disclosed
- Patch released within 5 days (May 7, 2025)
July 2025 - Rootkit Campaign
- CVE-2025-40599 (SMA - Authenticated File Upload)
- Used to deploy rootkits on SMA 100 series
- Google TAG and SonicWall PSIRT discovered
- Urgent advisory issued
- Special removal tool released
The Pattern: Why SonicWall Keeps Getting Hit
- Legacy Products: Many exploited CVEs affect older SMA 100 series and Gen 6/7 firewalls still widely deployed
- Incomplete Patches: Multiple instances of vulnerabilities being “fixed” but similar flaws existing elsewhere (CVE-2022-22274 / CVE-2023-0656)
- Post-Patch Persistence: Vulnerabilities like CVE-2024-40766 allow attackers to maintain access even after patching if credentials aren’t properly rotated
- End-of-Life Equipment: Many organizations continue running EOL devices without vendor support
- Configuration Complexity: Proper hardening requires multiple steps beyond just patching (MFA, credential rotation, OTP re-enrollment, geo-blocking)
- Widespread Deployment: SonicWall is used by hundreds of thousands of organizations worldwide, making it a high-value target
- Ransomware-as-a-Service (RaaS) Focus: Groups like Akira, Fog, and Abyss have made SonicWall a core part of their affiliate playbooks
Industry Comparisons
For context, here’s how SonicWall compares to other VPN/firewall vendors on CISA’s KEV catalog:
- Ivanti: 16 CVEs since January 2024 (worst performer)
- SonicWall: 14 CVEs since late 2021 (second worst)
- Fortinet: Multiple CVEs, but spread over longer timeframe
- Palo Alto Networks: Fewer KEV entries, but recent critical issues
- Cisco: Akira also targets Cisco devices, but less frequently appears on KEV
The August 2025 Marquis Context
When Marquis was breached in August 2025, they were operating in an environment where:
- SonicWall was under active, sustained attack by multiple ransomware groups
- At least 2-3 major vulnerabilities were being actively exploited
- Security community was warning of potential zero-days
- CISA had added multiple SonicWall CVEs to KEV in preceding months
- Best practices required not just patching but complete credential overhauls
The fundamental question: Given this threat landscape, why was a financial services vendor handling data for 700+ banks still relying on SonicWall equipment, and why wasn’t it properly secured?
What This Means for the Industry
The SonicWall saga demonstrates:
- Network devices are persistent targets: VPN/firewall vendors face sustained, sophisticated attacks
- Patching alone is insufficient: Many exploits work even after patches via credential reuse
- End-of-life is a security crisis: Unsupported devices are ticking time bombs
- Security vendor trust must be earned: Vendors appearing repeatedly on KEV catalog should trigger vendor reviews
- Third-party risk is infrastructure risk: When vendors use vulnerable equipment, customer data pays the price
The Unasked Question
Here’s what regulators and boards should be asking: When a security vendor appears 14 times on CISA’s Known Exploited Vulnerabilities catalog, with 8 instances confirmed in ransomware campaigns, at what point does using their products become negligence?
The Marquis breach may be a wake-up call that relying on repeatedly-compromised infrastructure creates unacceptable risk, especially for organizations handling sensitive financial data.
Related Reading: For a sobering example of how Akira ransomware can destroy an entire company, read our case study: The KNP Logistics Ransomware Attack: How One Weak Password Destroyed a 158-Year-Old Company. The attack put 730 employees out of work and ended 158 years of continuous operation—demonstrating the catastrophic real-world consequences of basic security failures.
The Akira Ransomware Connection (Speculation)
While no ransomware group has claimed responsibility for the Marquis attack, security researchers have noted similarities to known Akira ransomware tactics. This is speculation based on:
- Attack patterns: Use of SonicWall vulnerabilities matches Akira’s known playbook
- Timing: Aligns with documented Akira campaigns in 2024-2025
- Techniques: VPN compromise, credential theft, rapid lateral movement
- The alleged ransom payment: Akira typically operates double-extortion (encrypt + threaten to leak)
Arctic Wolf and other researchers documented Akira ransomware intrusions in 2024-2025 targeting SonicWall SSL VPNs with characteristics including:
- Speed of execution: Some intrusions progressed from initial access to full encryption in as little as five hours
- Opportunistic targeting: Rather than targeting specific industries, attacks appeared indiscriminate, suggesting mass exploitation
- Post-patch persistence: Even after organizations patched CVE-2024-40766, attackers retained access using previously stolen credentials and OTP seeds
The Ransom Payment Controversy
One of the most intriguing aspects of this breach involves an alleged ransom payment. A now-deleted notification from Community 1st Credit Union reportedly stated:
“Marquis paid a ransomware shortly after 08/14/25. On 10/27/25 C1st was notified that nonpublic personal information related to C1st members was included in the Marquis breach.”
This notification, which was viewed by security publication Comparitech before being removed, suggests that Marquis may have paid the attackers to prevent the stolen data from being published on the dark web. Marquis has not publicly addressed or confirmed these allegations.
The ransom payment debate: While paying ransoms is controversial and often discouraged by law enforcement, some organizations choose to pay when:
- The cost of business disruption exceeds the ransom demand
- Decryption keys are needed to restore operations quickly
- There’s a promise (albeit unenforceable) that stolen data will be deleted
- Reputational damage from data leaks could be catastrophic
As of early December 2025, no ransomware group has claimed responsibility for the attack, and the stolen data has not appeared on any known leak sites - potentially supporting the theory that a payment was made.
Marquis Response and Remediation
Following the breach, Marquis implemented several security enhancements, though security experts noted these should have been baseline protections:
Implemented Security Controls
- Multi-Factor Authentication (MFA): Deployed across all access points
- Account Lockout Policies: Implemented to prevent brute-force attacks
- Geo-IP Filtering: Restricting access based on geographic location
- Botnet IP Blocking: Preventing known malicious IP addresses from accessing systems
- Enhanced Monitoring: Improved detection of suspicious network activity
- Third-Party Cybersecurity Experts: Engaged leading forensic teams for investigation
- Law Enforcement Notification: Reported the incident to federal authorities
Victim Support Services
Marquis is offering affected individuals:
- Free credit monitoring (1-2 years)
- Identity theft protection services through Epiq Privacy Solutions ID
- Dedicated support for identity restoration if needed
Third-Party Risk: The Systemic Danger
The Marquis breach exemplifies a growing concern in financial services: third-party vendor concentration risk. As Noelle Murata, security engineer at Xcape, observed:
“Marquis is the most recent example of how third-party concentration poses a systemic danger to the financial services industry. A single mid-tier vendor sitting in the data flow of numerous banks can instantly create a blast radius on a national scale.”
Why Third-Party Vendors Are Prime Targets
- Access to Multiple Organizations: A single breach provides access to data from dozens or hundreds of clients
- Often Under-Secured: Vendors may not maintain the same security standards as the larger institutions they serve
- Trusted Relationships: Once inside a vendor’s network, attackers have legitimate-looking access to client systems
- Regulatory Arbitrage: Smaller vendors may not face the same rigorous oversight as banks themselves
Recent Comparable Incidents
The Marquis breach follows a troubling pattern of third-party vendor compromises in financial services and beyond:
- MOVEit Transfer (2023): Exploited by Cl0p ransomware, affecting hundreds of organizations and stealing 60+ million records
- Flagstar Bank/Fiserv (2022): Third-party vendor breach exposed 1.5 million customers
- FINRA/ION Markets (2023): Ransomware attack disrupted critical trading infrastructure
- Salesforce/ShinyHunters Campaign (2025): Third-party social engineering affected Allianz Life, Air France-KLM, Cisco, and others
- Salesloft Drift Breach (2025): Supply chain attack impacting Palo Alto Networks, Zscaler, Google, Cloudflare, and other security giants
For more context on the Akira ransomware group’s broader campaign, see our analysis: The Ransomware-as-a-Service Ecosystem in Late 2025, which details how Akira has claimed approximately $244 million in ransomware proceeds and emerged as one of the fastest-moving threat groups in the current landscape.
Expert Analysis: What Went Wrong
The Patch Management Failure
John Carberry, solution sleuth at Xcape Inc., noted that Marquis’s remediation efforts suggest a VPN account compromise rather than an internal breach.
If CVE-2024-40766 was used: SonicWall released patches in August 2024 - a full year before the August 2025 Marquis breach. This would represent catastrophic patch management failure.
If CVE-2024-53704 was used: This wasn’t disclosed until January 2025, meaning it may have been exploited as a zero-day in August 2025 - but even then, Marquis should have been monitoring threat intelligence about SonicWall’s ongoing security issues.
Regardless of which vulnerability, SonicWall’s advisory warned organizations to:
- Apply patches immediately
- Reset all VPN credentials after patching
- Enable MFA on all accounts
The critical second step - credential rotation - is often overlooked, allowing attackers to maintain access even on patched systems using previously stolen credentials.
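A triage script for the three advisory steps above and the affected-build list in the CVE-2024-40766 section, as an added example that is not code from Marquis, SonicWall or any vendor. For each device it checks whether the firmware is at or below the last affected build for its generation, and whether the credential reset and MFA re-enrolment happened after the patch date, since anything copied before patching stays valid otherwise. Assumptions: the firmware major version identifies the generation (5/6/7), and the inventory schema, device names, dates and the non-affected version strings are constructed here.

```python
"""Remediation triage for CVE-2024-40766: patch, reset credentials, re-enrol MFA.

Added example (not from the page or any vendor). LAST_AFFECTED copies the builds
listed in the text; the inventory schema and sample records are constructed.
"""
import re
from datetime import date
from typing import Optional

# Last affected build per generation, exactly as listed in the text above.
LAST_AFFECTED = {5: "5.9.2.14-12o", 6: "6.5.4.14-109n", 7: "7.0.1-5035"}

# release numbers, '-', build number, optional hotfix letter (e.g. 6.5.4.14-109n)
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]?)$")


def parse_version(text: str) -> tuple:
    """'6.5.4.14-109n' -> ((6, 5, 4, 14), 109, 'n'); tuples then compare in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    return (release, int(m.group(2)), m.group(3))


def is_affected_firmware(version: str) -> bool:
    """True when the build is at or below the last affected build for its generation."""
    parsed = parse_version(version)
    generation = parsed[0][0]  # assumption: major version == device generation
    if generation not in LAST_AFFECTED:
        raise ValueError(f"no advisory threshold for generation {generation}")
    return parsed <= parse_version(LAST_AFFECTED[generation])


def triage_device(dev: dict) -> list:
    """Return the open remediation items (short codes) for one inventory record."""
    if is_affected_firmware(dev["firmware"]):
        # Nothing else is meaningful until the device is on a fixed build.
        return ["VULNERABLE_FIRMWARE"]
    patched_on: Optional[date] = dev.get("patched_on")

    def after_patch(when: Optional[date]) -> bool:
        # A reset that predates the patch does not help: credentials or seeds may
        # have been copied between that reset and the patch.
        return when is not None and patched_on is not None and when >= patched_on

    findings = []
    if not after_patch(dev.get("credentials_reset_on")):
        findings.append("CREDENTIALS_NOT_RESET_POST_PATCH")
    if not dev.get("mfa_enabled"):
        findings.append("MFA_DISABLED")
    elif not after_patch(dev.get("mfa_reenrolled_on")):
        # Copied OTP seeds keep producing valid codes until users re-enrol.
        findings.append("OTP_SEEDS_NOT_REENROLLED")
    return findings


def triage_inventory(devices: list) -> dict:
    """Map device name -> open items, so a fleet can be worked from the top down."""
    return {dev["name"]: triage_device(dev) for dev in devices}


# Constructed inventory. The non-affected version strings are made up to sit just
# above the listed thresholds and are not claims about real SonicOS release numbers.
SAMPLE_INVENTORY = [
    {"name": "fw-branch-01", "firmware": "7.0.1-5035", "patched_on": None,
     "credentials_reset_on": None, "mfa_enabled": False, "mfa_reenrolled_on": None},
    {"name": "fw-hq-edge", "firmware": "7.0.1-5065", "patched_on": date(2024, 9, 3),
     "credentials_reset_on": date(2024, 8, 20), "mfa_enabled": True,
     "mfa_reenrolled_on": None},
    {"name": "fw-dc-02", "firmware": "6.5.4.15-116n", "patched_on": date(2024, 9, 12),
     "credentials_reset_on": date(2024, 9, 12), "mfa_enabled": True,
     "mfa_reenrolled_on": date(2024, 9, 13)},
    {"name": "fw-legacy-soho", "firmware": "5.9.2.14-13o", "patched_on": date(2024, 10, 1),
     "credentials_reset_on": date(2024, 10, 1), "mfa_enabled": False,
     "mfa_reenrolled_on": None},
]

if __name__ == "__main__":
    for name, items in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(items) or 'no open items'}")
```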
Basic Security Hygiene Failures
Security experts were particularly critical of the security controls Marquis implemented after the breach, suggesting these should have been in place beforehand:
Murata from Xcape stated: “These are all controls that should have been in place before a zero-day was a factor. A zero-day gets attackers in the door, but basic security hygiene determines how far they can go once inside.”
The remediation list reads like a basic security checklist:
- MFA on all accounts
- Account lockout policies
- Geo-blocking
- Botnet filtering
The absence of these controls before the breach suggests significant security program maturity gaps.
The Broader SonicWall Exploitation Campaign
The Marquis breach occurred during and after a surge in attacks targeting SonicWall devices that began in 2024 and continued into 2025:
2024 Wave
- Akira and Fog ransomware began exploiting CVE-2024-40766 in late 2024
- Targets across healthcare, education, manufacturing, and financial services
- Geographic spread across North America, Europe, and Australia
- Exploitation progressing at unprecedented speed (5 hours in some cases)
Still Vulnerable in 2024
As of December 2024, security researchers estimated that 48,933 SonicWall devices globally remained vulnerable to CVE-2024-40766 - representing 13% of all publicly exposed SonicWall appliances.
Poor remediation was particularly noted in:
- Several Asian countries
- Organizations that applied patches but failed to rotate credentials
- Smaller organizations without dedicated security teams
2025: New Exploitation Wave
In late July 2025, security teams observed a resurgence in Akira ransomware activity targeting SonicWall devices, now focusing on fully-patched systems by exploiting:
- Credential reuse: Using stolen credentials from earlier breaches
- MFA bypass: Leveraging stolen OTP seeds to generate valid authentication tokens
- Configuration weaknesses: Exploiting default settings and excessive permissions
Legal and Regulatory Implications
State Attorney General Investigations
Multiple law firms have announced investigations into the Marquis breach:
- Schubert Jonckheer & Kolbe LLP: Investigating data protection practices
- Wolf Haldenstein Adler Freeman & Herz LLP: Examining potential claims for affected individuals
- Focus areas: Whether Marquis maintained adequate security measures and responded appropriately to the breach
Regulatory Considerations
Financial institutions affected by the breach face several regulatory concerns:
- GLBA Compliance: The Gramm-Leach-Bliley Act requires financial institutions to protect customer information
- State Data Breach Notification Laws: Vary by state but generally require timely notification
- Third-Party Risk Management: Regulators increasingly scrutinize vendor risk management programs
- Examination Findings: FFIEC guidance on third-party risk management may result in examination citations
CISA Response
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-40766 to its Known Exploited Vulnerabilities (KEV) Catalog on September 10, 2024, mandating that federal organizations patch by September 30, 2024.
The Marquis breach occurred in August 2025 - approximately one year after the vulnerability was first disclosed and added to the KEV catalog, highlighting how organizations can remain vulnerable long after patches become available.
Lessons Learned and Recommendations
For Financial Institutions
Vendor Risk Management
- Conduct thorough security assessments of all third-party vendors
- Require evidence of security certifications (SOC 2, ISO 27001)
- Include security requirements in vendor contracts
- Monitor vendor security posture continuously, not just during onboarding
Data Minimization
- Only share data with vendors that is absolutely necessary for services
- Implement data retention policies that limit exposure window
- Consider data anonymization or pseudonymization where possible
Incident Response Planning
- Develop specific playbooks for third-party vendor breaches
- Establish clear communication protocols with vendors
- Conduct regular tabletop exercises including vendor compromise scenarios
Regulatory Compliance
- Ensure vendor management programs meet FFIEC guidance
- Document due diligence efforts for examiner review
- Maintain vendor inventory with risk ratings
For Third-Party Vendors
Baseline Security Controls
- Implement MFA on all access points (not just after a breach)
- Deploy EDR/XDR solutions with 24/7 monitoring
- Maintain current patch management program with testing protocols
- Implement network segmentation to limit lateral movement
Vulnerability Management
- Subscribe to vendor security advisories
- Prioritize patching of internet-facing systems (VPN, firewalls, etc.)
- Always rotate credentials after patching authentication-related vulnerabilities
- Conduct regular vulnerability scanning and penetration testing
Zero Trust Architecture
- Implement least privilege access controls
- Continuously verify user and device trust
- Assume breach and limit blast radius
- Monitor all access with behavioral analytics
Transparency and Communication
- Maintain clear incident response communication protocols with clients
- Provide regular security posture reports to customers
- Don’t wait weeks or months to notify affected parties
- Be transparent about security investments and certifications
For Affected Individuals
If you’re a customer of one of the 74 affected financial institutions:
Immediate Actions
- Enroll in the free credit monitoring offered by Marquis
- Place fraud alerts with all three credit bureaus (Equifax, Experian, TransUnion)
- Consider a credit freeze for maximum protection
- Review all financial accounts for unauthorized activity
Ongoing Vigilance
- Monitor credit reports regularly (free weekly reports available at AnnualCreditReport.com)
- Be alert for phishing attempts leveraging stolen information
- Consider identity theft protection insurance
- File taxes early to prevent tax refund fraud
Documentation
- Keep copies of all breach notifications
- Document any suspicious activity or identity theft attempts
- Maintain records of time spent responding to the breach (potentially recoverable)
The Future: Will This Keep Happening?
Unfortunately, third-party vendor breaches are likely to continue and potentially accelerate:
Contributing Factors
- Increasing Vendor Concentration: As banks consolidate and adopt cloud services, fewer vendors serve more institutions
- Sophisticated Attackers: Ransomware-as-a-Service (RaaS) models make advanced attacks accessible to less-skilled criminals
- Vulnerability Disclosure Timing: The window between vulnerability disclosure and widespread exploitation is shrinking
- Patch Fatigue: Security teams face an overwhelming volume of vulnerabilities to assess and remediate
- Remote Work Expansion: VPN and remote access technologies create expanded attack surfaces
Potential Solutions
- Regulatory Action: Enhanced oversight of third-party vendors serving financial institutions
- Information Sharing: Better threat intelligence sharing within the financial sector (ISACs)
- Cyber Insurance Requirements: Market pressure forcing improved security baselines
- Supply Chain Security Standards: Industry-wide adoption of security frameworks
- AI-Powered Defense: Advanced behavioral detection to identify compromises faster
Conclusion: A Wake-Up Call for Financial Services
The Marquis Software Solutions breach serves as a stark reminder that in our interconnected financial ecosystem, an organization’s security is only as strong as its weakest third-party vendor. With nearly 800,000 individuals affected across 74+ financial institutions, the attack demonstrates how a single vendor compromise can create cascading risks throughout the sector.
Several key takeaways emerge:
- Basic security hygiene matters: MFA, proper patch management, and credential rotation could have prevented or mitigated this breach
- Third-party risk is enterprise risk: Financial institutions must treat vendor security with the same rigor as their own
- Speed is critical: The window between vulnerability disclosure and exploitation is measured in days or weeks, not months
- Transparency builds trust: Organizations that communicate clearly and quickly during breaches fare better than those that delay or obscure
As Piyush Pandey, CEO of Pathlock, observed: “The Marquis incident reflects the broader trend of cybercriminals exploiting third-party vulnerabilities to target major organizations, necessitating a more comprehensive and proactive approach to supply chain security.”
For financial services CISOs and security leaders, the question isn’t whether your third-party vendors will be targeted - it’s whether they’ll be able to withstand the attack when it comes. The time to assess and shore up vendor security postures is now, before the next Marquis-scale breach occurs.
Additional Resources
- SonicWall Security Advisory SNWLID-2024-0015
- CISA Known Exploited Vulnerabilities Catalog
- Arctic Wolf Analysis: Akira Ransomware and SonicWall
- FFIEC IT Examination Handbook: Outsourcing Technology Services
See Also: Related Coverage on Breached.Company
Akira Ransomware Analysis:
- The Ransomware-as-a-Service Ecosystem in Late 2025 - Comprehensive analysis of Akira’s $244M in proceeds and fastest-moving attack tactics
- The KNP Logistics Ransomware Attack - How Akira destroyed a 158-year-old company with a single weak password
- Ransomware Onslaught: October 3, 2025 - Daily ransomware activity from Akira and other major groups
Third-Party & Supply Chain Attacks:
- Who’s Been Getting Hacked? Late 2025 - Salesloft Drift breach affecting Palo Alto, Zscaler, and security giants
- The 15 Most Devastating Data Breaches in History - Including MOVEit and other supply chain compromises
- The Most Common Methods Behind Major Data Breaches - Analysis showing 62% of 2024 breaches involved third parties
2025 Threat Landscape:
- Threat Intelligence Report: Summer 2025 - Comprehensive overview of ransomware trends and actor TTPs
- The Ransomware Revolution - How attack economics are evolving entering 2026
- 2024 IC3 Report Analysis - FBI data showing Akira, LockBit, RansomHub, FOG, and PLAY as most reported variants
Analysis conducted December 2025. Information compiled from public breach notifications, security vendor advisories, and investigative reporting. Victims should follow official guidance from their financial institutions and consider consulting with legal counsel regarding their rights.