THREAT ALERT
Thursday, December 4th, 2025

This summary outlines the data breach disclosed by Marquis Software Solutions. All details were compiled and summarized from a Bleeping Computer report.
*See update: 12/5
Financial software vendor Marquis Software Solutions has disclosed a ransomware-driven data breach that exposed customer data belonging to dozens of U.S. banks and credit unions. Marquis, which serves more than 700 financial institutions with analytics, CRM, compliance reporting, and digital marketing tools, says attackers accessed its network on August 14, 2025 through a SonicWall firewall and copied certain files from its systems.
Regulatory notifications filed with multiple state attorneys general indicate the stolen files contained personal information supplied by Marquis’ banking and credit-union clients. Impacted data may include names, addresses, phone numbers, Social Security numbers or taxpayer IDs, dates of birth, and some financial account information (not including access codes). Marquis is submitting breach notices on behalf of affected institutions and, in some states, is providing estimated counts of impacted customers. Early filings suggest the incident affects more than 400,000 individuals nationwide.
Marquis says it has not found evidence that the data has been misused or publicly posted so far. A previously reported, now-deleted customer filing viewed by journalists claimed Marquis paid a ransom after the attack, a step typically taken to keep stolen data from being leaked; Marquis itself has not confirmed this.
In a separate state filing, one client shared additional detail on Marquis’ remediation steps. These include fully patching firewall devices, rotating and pruning local/VPN accounts, enforcing MFA on firewall and VPN logins, extending firewall log retention, tightening VPN lockout rules, applying geo-IP access restrictions, and auto-blocking known botnet command-and-control traffic. The scope of these changes suggests the attackers likely gained entry through a SonicWall SSL-VPN account.
The incident also fits a broader pattern: the Akira ransomware group and similar actors have repeatedly targeted SonicWall SSL-VPN appliances since 2024, including by exploiting CVE-2024-40766 to steal VPN credentials and one-time-password seeds. Even after patches were released, many organizations remained vulnerable because credentials were never changed, and reports indicate attackers may still be logging in with previously captured secrets, even where MFA is enabled, since a stolen OTP seed lets them generate valid codes.
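The following is an added illustration of the point above, written for this alert rather than taken from Marquis, SonicWall or Bleeping Computer: it models a VPN account protected by password plus TOTP, shows that a patched appliance still accepts a login built from a previously captured password and OTP seed, and that only rotating both closes the door. The account model, the constructed password and the timestamp are assumptions; the TOTP routine follows RFC 6238.

```python
import hashlib
import hmac
import secrets
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class VpnAccount:
    """Toy model (assumption) of an SSL-VPN account: password + TOTP seed."""

    def __init__(self, password: str):
        # sha256 stands in for a real password hash; it is not production-grade storage.
        self.pw_hash = hashlib.sha256(password.encode()).digest()
        self.seed = secrets.token_bytes(20)  # TOTP secret enrolled on the user's device

    def authenticate(self, password: str, code: str, now: int) -> bool:
        pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self.pw_hash)
        return pw_ok and hmac.compare_digest(totp(self.seed, now), code)

    def rotate(self) -> None:
        """Post-incident step: new password AND a fresh MFA enrolment (new seed)."""
        self.pw_hash = hashlib.sha256(secrets.token_urlsafe(16).encode()).digest()
        self.seed = secrets.token_bytes(20)


def simulate(now: int = 1_700_000_000) -> dict:
    acct = VpnAccount("Winter2025!")  # constructed password
    # What the credential theft described above yields: the password and the OTP seed.
    captured_pw, captured_seed = "Winter2025!", acct.seed
    # Step 1: appliance patched, credentials left untouched -> captured material still works.
    after_patch = acct.authenticate(captured_pw, totp(captured_seed, now), now)
    # Step 2: password and OTP seed rotated -> captured material is dead.
    acct.rotate()
    after_rotate = acct.authenticate(captured_pw, totp(captured_seed, now), now)
    return {"login_after_patch_only": after_patch, "login_after_rotation": after_rotate}
```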
A list of potentially impacted organizations is published on Bleeping Computer’s site and can be viewed at https://www.bleepingcomputer.com/news/security/marquis-data-breach-impacts-over-74-us-banks-credit-unions/.
Reference:
https://www.bleepingcomputer.com/news/security/marquis-data-breach-impacts-over-74-us-banks-credit-unions/
UPDATE: 12/5
As covered in our prior update, Marquis Software Solutions, a third-party marketing/CRM and communications vendor used by hundreds of U.S. banks and credit unions, confirmed a ransomware-related incident that began August 14, 2025.
Even though Marquis has stated there is no evidence the data has been misused or published, the exposure of high-value identity data and the incident itself create a perfect storm for follow-up social engineering campaigns. Impacted data may include names, addresses, phone numbers, Social Security numbers or taxpayer IDs, dates of birth, and some financial account information (not including access codes).
DefenseStorm has already received reports of breach-themed phishing attempting to capitalize on the Marquis incident.
So far, we’ve received reports of the following techniques being observed:
• Impersonated breach notifications that reference Marquis or a “recent data breach.”
• Claims that a checking or deposit account was affected and will be locked / restricted unless the recipient takes immediate action.
• Instructions to click a URL and re-enter personal or banking information, sometimes framed as a “verification step.”
• Promises that the recipient will receive a “confirmation code” after submitting information; this language mirrors multi-factor authentication workflows to increase credibility.
These characteristics align with well-documented fraud playbooks used after large third-party breaches, where attackers exploit public awareness and uncertainty during the post-notification “fear window.”
Treat Marquis/breach-related outreach as suspicious if it includes any of the following:
• Urgency or threat language (“act now or your account will be locked”)
• Links, QR codes, or short URLs requesting login, SSN, DOB, or full personal details
• Requests for one-time passcodes / “confirmation codes”
• Instructions to move money or “secure funds”
• Sender domains not owned by the financial institution (FI)
A legitimate breach notice may offer credit monitoring, but it will not demand immediate action to prevent account closure or require credentials through a link.
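As an added example (not part of the original alert), the red flags above can be turned into a first-pass triage routine for reported messages: it checks the sender and any link hosts against the institution's own domains, looks for urgency, one-time-code, fund-movement and credential-request language, and flags a message when two or more independent indicators fire. The phrase lists, the sample messages and the `examplecu.org` domain are constructed for this illustration.

```python
import re
from urllib.parse import urlparse

# Patterns approximate the alert's red-flag list; wording is constructed, not captured samples.
URGENCY = re.compile(r"act now|immediately|within \d+ hours?|will be (locked|restricted|closed|suspended)", re.I)
SENSITIVE = re.compile(r"social security|\bssn\b|date of birth|\bdob\b|password|log ?in|account number", re.I)
OTP = re.compile(r"one[- ]time (pass)?code|confirmation code|verification code", re.I)
MONEY = re.compile(r"(move|secure|transfer) (your |the )?(money|funds|balance)", re.I)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # a few well-known public URL shorteners


def owned_by_fi(host: str, fi_domains: set) -> bool:
    # True only for the FI's own domains or their subdomains (not look-alikes).
    return any(host == d or host.endswith("." + d) for d in fi_domains)


def triage(sender: str, body: str, fi_domains: set) -> tuple:
    """Return (suspicious, reasons) for one message; threshold of two flags is an assumption."""
    reasons = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not owned_by_fi(sender_domain, fi_domains):
        reasons.append(f"sender domain {sender_domain} not owned by the FI")
    if URGENCY.search(body):
        reasons.append("urgency or account-lock threat language")
    if OTP.search(body):
        reasons.append("mentions a one-time / confirmation code")
    if MONEY.search(body):
        reasons.append("instructs recipient to move or 'secure' funds")
    hosts = [(urlparse(u).hostname or "").lower() for u in URL.findall(body)]
    if hosts and SENSITIVE.search(body):
        reasons.append("link paired with a request for credentials, SSN or DOB")
    for host in hosts:
        if host in SHORTENERS:
            reasons.append(f"shortened URL ({host})")
        elif not owned_by_fi(host, fi_domains):
            reasons.append(f"link to non-FI host {host}")
    return len(reasons) >= 2, reasons


FI_DOMAINS = {"examplecu.org"}  # constructed: the institution's legitimate domains


def demo() -> dict:
    phish = triage("alerts@examplecu-secure.com",
                   "Due to the recent Marquis data breach your checking account will be locked. "
                   "Act now: verify your SSN and date of birth at https://bit.ly/x1y2z3 and you "
                   "will receive a confirmation code.", FI_DOMAINS)
    legit = triage("notices@examplecu.org",
                   "A vendor we use reported a security incident. Free credit monitoring is available; "
                   "details at https://www.examplecu.org/notice. No action is required.", FI_DOMAINS)
    return {"phish": phish, "legit": legit}
```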
DefenseStorm Recommendations:
• Do not click unknown links or scan QR codes.
• If you receive a breach-themed message or are called by someone claiming to represent an involved party, go directly to the FI’s website or call a trusted number.
• Enroll in credit monitoring only through verified FI/vendor channels.
• Turn on alerts and review activity.
• If a user already entered info into a suspicious site: change passwords immediately and notify the FI.
This is not an all-inclusive list. If anything related to a breach notification, or any unexpected communication, feels off, don’t engage with the actor. If it appears to be from a trusted source, call them back using a verified, trusted channel.