Marquis Cyberattack Puts 400,000 U.S. Banking Customers at Risk

Major Cyberattack Hits U.S. Banking Sector: Marquis Software Breach Exposes Data of 74 Banks and Credit Unions

The420 Web Desk

A severe cybersecurity incident has rattled the U.S. banking and credit union ecosystem. Marquis Software Solutions, an established provider of financial data analytics, CRM tools, and marketing services, has confirmed that a ransomware attack on its network compromised sensitive information belonging to customers of 74 banks and credit unions across the United States. Early estimates indicate that the breach has put the personal details of more than 400,000 consumers at risk.

Breach Originated Through SonicWall Firewall Vulnerability

According to breach notifications submitted to various U.S. Attorney General offices, the intrusion took place on August 14, 2025, when attackers penetrated the Marquis network via a SonicWall firewall. This access enabled cybercriminals to extract multiple files containing confidential financial and personal data.

The stolen documents reportedly included names, addresses, phone numbers, dates of birth, Social Security Numbers, Taxpayer Identification Numbers, and bank account details (excluding access codes)—data originally provided by Marquis’ financial clients.


Notifications Filed on Behalf of Affected Institutions

Marquis has been submitting breach notifications on behalf of its banking partners across states including Maine, Iowa, and Texas. A total of 74 banks and credit unions have been affected, among them:

  • 1st Northern California Credit Union
  • Gesa Credit Union
  • Florida Credit Union
  • Suncoast Credit Union
  • Liberty First Credit Union
  • Thomaston Savings Bank
  • Dozens of other regional and national institutions

This marks one of the most widespread third-party breaches impacting U.S. financial institutions in recent years, raising critical questions about the security posture of vendors that serve more than 700 banking organizations.

Ransom Payment Alleged, but Marquis Maintains Silence

While Marquis has stated there is “no evidence of data misuse or external publication,” a now-deleted notification filed by Community 1st Credit Union suggests that Marquis paid a ransom shortly after the attack in an attempt to keep the stolen data from being published. The removed filing reportedly stated:

“Marquis paid a ransom shortly after 08/14/25. On 10/27/25, C1st was notified that nonpublic personal information of its members was included in the breach.”

Cybersecurity experts view the alleged ransom payment as alarming, emphasizing that such actions tend to embolden threat actors and fuel further attacks across industries.

Akira Ransomware Gang Suspected; SonicWall Weakness a Key Vector

Marquis has not publicly disclosed the identity of the attackers, but cybersecurity analysts believe the incident aligns with the techniques associated with the Akira ransomware gang.

Akira has been exploiting SonicWall SSL VPN appliances since 2024, notably through CVE-2024-40766. Credentials harvested from vulnerable devices, including users’ one-time password (OTP) seeds, let the attackers satisfy MFA challenges and keep access even after organizations applied the patch: updating the firmware does not invalidate passwords or OTP seeds that were already stolen, so access persisted wherever those credentials were not reset.
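To make the OTP-seed point concrete, here is an added example (not code from the article, Marquis, or SonicWall) of why a stolen TOTP seed outlives a firewall patch. It implements RFC 6238 TOTP in Python; the seed is the RFC’s published test key standing in for an exfiltrated one, the timestamps are constructed, and the VPN check is a simplified stand-in for a real appliance.

```python
"""Added example: a TOTP seed exfiltrated before patching still yields valid
codes after patching, because RFC 6238 codes depend only on the seed and the
clock. Nothing here is Marquis' or SonicWall's code; the VPN check is a
simplified stand-in and the timestamps are constructed."""
import hashlib
import hmac
import secrets
import struct

# The RFC 4226/6238 test key "12345678901234567890", treated here as the seed
# the attacker copied off the appliance. Real seeds must never be hard-coded.
STOLEN_SEED = b"12345678901234567890"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1 + dynamic truncation) over the time counter."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def vpn_accepts(server_seed: bytes, submitted_code: str, unix_time: int) -> bool:
    """Server-side verification: constant-time compare, one step of clock skew."""
    return any(
        hmac.compare_digest(totp(server_seed, unix_time + skew * 30), submitted_code)
        for skew in (-1, 0, 1)
    )


def attacker_login(server_seed: bytes, stolen_seed: bytes, login_time: int) -> bool:
    """The attacker derives the current code from the stolen seed and submits it."""
    return vpn_accepts(server_seed, totp(stolen_seed, login_time), login_time)


def rotate_seed() -> bytes:
    """What 'regenerate OTP seeds' means: a fresh random seed the attacker never saw."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    t_after_patch = 1_723_680_000  # constructed: some time after the firewall was patched
    # Patching changed the firmware, not the seed: the stolen seed still works.
    print("stolen seed accepted after patch:", attacker_login(STOLEN_SEED, STOLEN_SEED, t_after_patch))
    # Only regenerating the seed invalidates what the attacker holds.
    print("stolen seed accepted after rotation:", attacker_login(rotate_seed(), STOLEN_SEED, t_after_patch))
```

The first print is always True: the server and the attacker hold the same seed, so they compute the same code for the same 30-second window. The second is False except by a roughly 3-in-a-million chance collision, which is the point of rotation rather than patching alone.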

Once inside networks, Akira typically conducts rapid reconnaissance, escalates privileges within Windows Active Directory, steals sensitive data, and deploys ransomware payloads.

Marquis Implements Extensive Post-Breach Security Measures

According to a filing from CoVantage Credit Union with the New Hampshire Attorney General, Marquis has undertaken several major remediation steps:

  • Full patching and updating of all firewall devices
  • Rotation of all local account passwords
  • Removal of outdated or unused accounts
  • Mandatory MFA for all firewall and VPN access
  • Extended logging retention for firewall devices
  • VPN lock-out policies for repeated failed login attempts
  • Geo-IP filtering to restrict access to business-critical regions
  • Automated blocking of known botnet command-and-control connections
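The controls in that list can be checked against the firewall’s own logs. The following added example (not code from the article, Marquis, or SonicWall) implements three of them as detection rules over constructed SSL VPN log lines: the lock-out threshold on repeated failed logins, Geo-IP restriction of successful logins, and a check that accounts logging in after the patch date had their credentials rotated. The log format, the IP-to-country table, the patch date, the rotated-account list and the thresholds are all assumptions made for the example; map real SonicWall syslog fields onto the parser before using it.

```python
"""Added example: three post-breach controls (failed-login lock-out, Geo-IP
restriction, credential rotation after patching) as detection rules over
firewall SSL VPN logs. Everything below (log lines, Geo-IP table, patch date,
rotated accounts, thresholds) is constructed; it is not Marquis' or
SonicWall's code or data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed key=value log lines in a SonicWall-like style.
SAMPLE_LOG = """\
time="2025-08-14 02:58:01" msg="SSL VPN user login failed" usr="svc-backup" src=198.51.100.23
time="2025-08-14 02:58:07" msg="SSL VPN user login failed" usr="svc-backup" src=198.51.100.23
time="2025-08-14 02:58:13" msg="SSL VPN user login failed" usr="svc-backup" src=198.51.100.23
time="2025-08-14 02:58:20" msg="SSL VPN user login failed" usr="svc-backup" src=198.51.100.23
time="2025-08-14 02:58:26" msg="SSL VPN user login failed" usr="svc-backup" src=198.51.100.23
time="2025-08-14 03:10:44" msg="SSL VPN user login succeeded" usr="svc-backup" src=198.51.100.23
time="2025-08-14 09:15:02" msg="SSL VPN user login succeeded" usr="alice" src=203.0.113.8
time="2025-08-20 22:41:11" msg="SSL VPN user login succeeded" usr="old-admin" src=192.0.2.77
"""

# Constructed lookup standing in for a real Geo-IP database.
GEOIP = {"198.51.100.23": "RU", "203.0.113.8": "US", "192.0.2.77": "US"}
ALLOWED_COUNTRIES = {"US"}                # constructed "business-critical regions"
PATCH_DATE = datetime(2025, 8, 15)        # constructed: when the firewall was patched
ROTATED_AFTER_PATCH = {"alice"}           # constructed: accounts whose password/OTP seed was reset
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value line (quoted values may contain spaces) into a dict."""
    fields = {key: (quoted if raw.startswith('"') else raw)
              for key, raw, quoted in _KV.findall(line)}
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    fields["src"] = fields["src"].split(":")[0]   # tolerate an appended :port
    return fields


def detect(log_text: str) -> list:
    """Return (rule, src, user, timestamp) findings in log order."""
    findings = []
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    locked_out = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        src, usr, t, msg = ev["src"], ev["usr"], ev["time"], ev["msg"]
        if "failed" in msg:
            window = recent_failures[src]
            window.append(t)
            while window and t - window[0] > FAIL_WINDOW:
                window.popleft()
            # Lock-out rule: N failures from one source inside the window.
            if len(window) >= FAIL_THRESHOLD and src not in locked_out:
                locked_out.add(src)
                findings.append(("lockout_threshold", src, usr, t))
            continue
        if "succeeded" not in msg:
            continue
        # A success from a source that should have been locked out.
        if src in locked_out:
            findings.append(("success_after_lockout", src, usr, t))
        # Geo-IP rule: successful login from outside the allowed regions.
        if GEOIP.get(src, "??") not in ALLOWED_COUNTRIES:
            findings.append(("geoip_block", src, usr, t))
        # Rotation gap: post-patch login by an account whose credentials were never reset.
        if t >= PATCH_DATE and usr not in ROTATED_AFTER_PATCH:
            findings.append(("unrotated_credential", src, usr, t))
    return findings


if __name__ == "__main__":
    for rule, src, usr, t in detect(SAMPLE_LOG):
        print(f"{t}  {rule:<22} src={src} user={usr}")
```

On the sample, the burst from 198.51.100.23 trips the lock-out at the fifth failure, its later success is flagged both as a post-lockout login and as a Geo-IP violation, and old-admin’s login on 20 August is flagged because that account was never rotated after the patch date. The "unrotated_credential" rule is not evidence of compromise on its own; it lists exactly the accounts whose stolen passwords or OTP seeds would still work.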

These measures are consistent with the attackers having used compromised SonicWall SSL VPN credentials to get into the Marquis environment.

A Warning Shot for the U.S. Financial Infrastructure

  1. Rising Risks of Third-Party and Supply-Chain Attacks: Service providers like Marquis hold large volumes of sensitive data from hundreds of institutions. A single breach can cascade across the entire financial ecosystem.
  2. Persistent Exploitation of SonicWall Vulnerabilities: Applying the patch is not enough on its own. Passwords and OTP seeds stolen before the patch stay valid until they are reset and regenerated, so organizations that patched but did not rotate credentials remained exposed.
  3. “No Evidence of Misuse” Is Often Misleading: Threat actors can sit on stolen data for months. Absence of immediate misuse does not eliminate long-term risk.
  4. The Ethical Dilemma of Ransom Payments: If Marquis indeed paid a ransom, it raises critical concerns: such payments validate criminal business models and increase future threats.
