Marquis Software Solutions has confirmed a ransomware breach that exposed data from 74 banks and credit unions across the United States. Marquis provides analytics, CRM tooling, and compliance reporting to more than 700 financial institutions. That scale turned one compromise into a nationwide spill of names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, dates of birth, and financial account data without access codes.
The intrusion happened on August 14, 2025. Attackers entered through a SonicWall firewall and stole files before deploying ransomware. Marquis says there is no evidence of misuse, but deleted breach filings from one credit union claimed Marquis paid a ransom. When ransom payments appear, it usually means the attackers stole data and threatened to leak it.
Notifications filed in Maine, Iowa, and Texas confirm that more than 400,000 people are affected. The list of impacted institutions spans 74 banks and credit unions, including Suncoast Credit Union, Capital City Bank Group, NIH Federal Credit Union, Generations Federal Credit Union, and dozens more. The breadth of the list comes from Marquis acting as a silent data processor for institutions that never expected to rely on its security.
The SonicWall Vulnerability
SonicWall firewalls and VPN appliances have been a known target for ransomware groups. The Akira gang has been exploiting SonicWall devices since 2024 by abusing CVE-2024-40766. That flaw let attackers steal usernames, passwords, and even one-time passcode seeds from vulnerable SSL VPN portals. Even after patches landed, many organisations failed to rotate credentials. Attackers kept logging in with old secrets and walked through MFA because the seeds were already stolen.
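The gap described above, a patched appliance that still accepts pre-patch passwords and OTP seeds, can be checked with an account audit. The sketch below is an added example, not code from Marquis or SonicWall; the CSV columns, account names and patch date are constructed assumptions, not a real export format.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed inventory; column names are hypothetical, not a SonicWall format.
INVENTORY_CSV = """user,password_changed,totp_enrolled,last_login
alice,2025-03-02T09:00:00Z,2025-03-02T09:05:00Z,2025-08-01T12:00:00Z
bob,2023-11-20T08:00:00Z,2023-11-20T08:10:00Z,2025-08-14T02:13:00Z
carol,2025-02-11T10:00:00Z,2023-06-01T10:00:00Z,
svc-backup,2022-01-05T00:00:00Z,,2025-07-30T23:50:00Z
"""
# Constructed value: the date the firmware fix was installed on this appliance.
PATCHED_AT = datetime(2025, 1, 15, tzinfo=timezone.utc)

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; an empty field means 'never set'."""
    value = value.strip()
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_stale_secrets(csv_text, patched_at):
    """Return {user: [findings]} for accounts whose secrets predate the patch."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = parse_ts(row["password_changed"])
        totp = parse_ts(row["totp_enrolled"])
        login = parse_ts(row["last_login"])
        issues, stale = [], False
        if pw is None or pw < patched_at:
            issues.append("password not rotated since patch")
            stale = True
        if totp is None:
            issues.append("no MFA enrolled")
        elif totp < patched_at:
            # A seed stolen before the patch still generates valid codes.
            issues.append("TOTP seed not re-enrolled since patch")
            stale = True
        if stale and login is not None and login >= patched_at:
            # Review these sessions first: a possibly exposed secret is in use.
            issues.append("logged in after patch with pre-patch secret")
        if issues:
            findings[row["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_stale_secrets(INVENTORY_CSV, PATCHED_AT).items():
        print(f"{user}: {'; '.join(issues)}")
```
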
How the Attack Unfolded
Once inside, the workflow was predictable. Scan the network. Escalate privileges. Exfiltrate data. Deploy ransomware. Marquis' own remediation steps confirm this path. They patched firewall devices, rotated local passwords, removed unused accounts, enabled MFA everywhere, raised logging retention, enforced account lockouts, added geo IP filtering, and blocked command and control traffic. These steps map cleanly to an attack that began with stolen or reused SonicWall VPN credentials.
Vendor breaches keep multiplying because institutions outsource essential functions to companies that cut corners. One SonicWall misconfiguration created a cascade failure that hit 74 banks at once. People trust banks to protect their data. Many would never guess that a third party they have never heard of is holding their most sensitive identifiers on a server that depends on a firewall known to be actively exploited.
Centralised data handling makes life easier for administrators and infinitely easier for attackers. One breach delivers a lifetime supply of personal identifiers. Marquis is another example of that simple truth.
FAQ
Why was Marquis targeted?
Ransomware groups focus on vendors that hold large amounts of sensitive data for many clients because one breach produces massive leverage.
How did attackers enter the Marquis network?
They broke in through a SonicWall firewall using previously stolen VPN credentials obtained during earlier exploitation of CVE-2024-40766.
What data was exposed in the breach?
Names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, dates of birth, and financial account data without access codes.
Did Marquis pay a ransom?
A deleted credit union filing claimed a ransom was paid, though Marquis has not confirmed it publicly.
Which banks and credit unions were affected?
Notifications list 74 institutions across the US, including Suncoast Credit Union, NIH Federal Credit Union, Generations Federal Credit Union and many others.
