Two US community banks have issued urgent notifications to tens of thousands of customers after a cyberattack on a shared third-party vendor exposed sensitive personal information, underscoring the growing risks posed by supply-chain vulnerabilities in the financial sector.
According to regulatory filings submitted to the Office of the Maine Attorney General, the breach is linked to Marquis Software Solutions, a Texas-based firm that provides customer-data management, marketing and regulatory-compliance software to banks, credit unions and correctional institutions across the United States.
The incident highlights a critical reality facing modern banking: even when a bank’s internal systems remain secure, outsourced vendors can become weak entry points for attackers.
Artisans’ Bank Confirms 32,344 Customers Impacted
Delaware-based Artisans’ Bank disclosed that 32,344 customers may have been affected by the breach.
In a filing with regulators, the bank stated that an “unauthorised third party” gained access to data stored within Marquis’ systems, potentially exposing names and Social Security numbers.
A timeline submitted to authorities indicates that the intrusion may have begun as early as August 14, 2025, although Artisans’ Bank said it became aware of the exposure only after Marquis completed its internal investigation.
“Artisans’ learned that a third-party vendor, Marquis Software Solutions, had determined that an unauthorized third party had gained access to personal information on Marquis systems… Artisans’ only recently learned that their customer information may have been impacted,” the filing said.
The bank emphasised that its own core banking systems were not breached.
VeraBank Says 37,318 Customers Also Affected
A separate disclosure revealed that VeraBank, headquartered in Texas, was also impacted by the same incident.
VeraBank reported that 37,318 customers may have had personal information exposed, including names and other sensitive identifiers. Like Artisans’, VeraBank clarified that the cyberattack was confined to the vendor’s environment and did not involve direct intrusion into its internal systems.
Together, the two disclosures account for 69,662 potentially affected customers.
What Data Was Exposed — And What Customers Are Being Told
Both banks have warned that high-risk personal identifiers, including Social Security numbers, may have been accessed.
Affected customers are being notified directly and are expected to receive credit-monitoring and identity-protection services, along with guidance on precautionary steps such as:
- Monitoring bank and credit-card statements
- Placing fraud alerts or credit freezes with credit bureaus
- Remaining alert to phishing calls, emails or messages impersonating banks
Authorities have not yet disclosed whether the stolen data has appeared on underground forums or been offered for sale online.
Third-Party Risk Rising Across the Financial Sector
Cybersecurity experts say the case reflects a wider industry trend.
While banks have invested heavily in encryption, real-time monitoring and layered security, attackers are increasingly bypassing hardened institutions by targeting vendors that store or process customer data but may not operate under equally stringent controls.
Regulators in the US and other jurisdictions have repeatedly urged financial institutions to:
- Conduct deeper security audits of vendors
- Define breach-notification and liability responsibilities clearly
- Treat third-party cyber risk as a core governance issue
Vendor Says Investigation Is Ongoing
Marquis Software Solutions has not publicly detailed how the attacker gained access to its systems. The company has stated that it is cooperating with law enforcement agencies and has taken steps to secure affected infrastructure while notifying impacted clients.
For customers, however, the implications are long-term. Once Social Security numbers and identity data are exposed, they can be misused for years in fraud, impersonation and synthetic-identity crimes.
Bottom Line
The twin disclosures send a clear message to banks and consumers alike:
Even if your bank is secure, your data may still be vulnerable somewhere else in the digital supply chain.
As investigations continue, both Artisans’ Bank and VeraBank say they will provide further updates and have urged customers to remain vigilant for suspicious activity.
