The Marquis data breach is an extensive cybersecurity incident in which a ransomware attack on Marquis Software Solutions led to the exposure of personal information belonging to customers of at least seventy-four financial institutions across the United States. Marquis Software Solutions provides data analytics, CRM solutions, compliance reporting, and marketing services to more than seven hundred banks, credit unions, and mortgage lenders. According to regulatory filings submitted to multiple Attorney General offices, the attack occurred on August 14, 2025, and resulted in unauthorized access to highly sensitive customer information including names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, dates of birth, and financial account data without access codes.
The threat actor responsible for the Marquis data breach exploited a SonicWall firewall to gain initial access to Marquis servers. This access allowed the attacker to retrieve files containing customer information maintained on behalf of numerous banks and credit unions. The Marquis data breach also appears to align with previous ransomware campaigns that leveraged SonicWall VPN weaknesses, particularly those associated with credential harvesting and OTP seed exposure. Although Marquis has not publicly confirmed the identity of the ransomware group, multiple regulatory filings reference a ransom payment, suggesting that negotiations may have occurred and that stolen data may have been used to pressure the company into payment.
The scope of the Marquis data breach is significant. Notifications submitted to state regulators indicate that more than four hundred thousand individuals may be impacted across seventy-four financial institutions, including credit unions, community banks, regional banks, and mortgage service providers. Marquis has begun sending notifications on behalf of affected institutions and is providing identity protection services through Epiq. While Marquis states that it has no evidence that compromised information has been misused or publicly leaked, the nature of the exposed fields makes the incident a substantial privacy and financial risk for affected individuals.
Background Of The Marquis Data Breach
Marquis Software Solutions is headquartered in Plano, Texas, and functions as a major vendor supporting digital marketing, analytics, compliance, and communication infrastructure for banks and credit unions. Financial institutions regularly transmit sensitive customer datasets to Marquis for the purpose of targeted outreach, risk analysis, regulatory reporting, and loan management. As a result, vendors such as Marquis often store large volumes of personally identifiable information in centralized systems. This creates an attractive target for ransomware actors seeking to profit from bulk financial data.
The Marquis data breach began on August 14, 2025, when Marquis detected suspicious behavior inside its internal network. Soon after, investigators determined that the incident involved unauthorized access through a SonicWall VPN appliance. SonicWall devices have been repeatedly exploited by ransomware operators in recent years due to flaws that allow attackers to capture usernames, passwords, and one-time passcode seeds. After accessing the Marquis network, the attacker moved laterally, escalated privileges, and copied files containing personal information originating from numerous banks and credit unions that use Marquis services.
Notifications filed with state regulators include detailed explanations of how investigators reviewed exfiltrated files to determine the number of impacted individuals. Marquis confirmed that it maintains customer information from its clients in discrete datasets, which allowed investigators to identify which customers were affected and which fields were exposed. Regulators in Maine, Iowa, Texas, and other states have published filings confirming that the Marquis data breach exposed sensitive information belonging to a wide range of institutions, including community credit unions, regional banks, and cooperative financial organizations.
Regulatory paperwork submitted by law firms representing Marquis indicates that the company acted quickly upon discovering the breach. Marquis isolated affected systems, engaged external cybersecurity firms, notified federal law enforcement, and began an internal review of affected datasets. However, filings also show that notifications did not begin until late October 2025, more than two months after the breach occurred. This delay was attributed to the time required to analyze files, identify individuals, and coordinate with client institutions that own the impacted customer information.
Scope Of Information Exposed In The Marquis Data Breach
Because Marquis serves hundreds of financial institutions, the range of information exposed in the Marquis data breach is broad. Regulators confirm that the following data categories may have been included for affected customers:
- Full legal names
- Home and mailing addresses
- Phone numbers
- Email addresses
- Dates of birth
- Social Security numbers
- Taxpayer Identification Numbers
- Financial account information without PINs or access codes
- Customer identifiers specific to individual institutions
- Internal CRM data fields used for outreach and compliance
These fields collectively represent nearly everything necessary to commit identity theft, create synthetic identities, conduct targeted phishing, or attempt unauthorized financial activity. While financial account numbers exposed in the Marquis data breach reportedly did not include security codes or passwords, the presence of Social Security numbers, dates of birth, and tax identifiers significantly increases the risk of fraud. Attackers who obtain these datasets commonly use them to open new accounts, file fraudulent tax returns, submit unauthorized credit applications, or craft convincing phishing attacks.
Notifications filed by individual credit unions indicate that some impacted data may predate 2020, suggesting that the Marquis data breach included archived datasets maintained for long term marketing or regulatory purposes. Organizations that outsource data management to external vendors often retain older datasets to support analytics and compliance workflows, increasing the volume of information exposed during vendor level breaches.
Financial Institutions Impacted By The Marquis Data Breach
Regulatory filings confirm that seventy-four institutions were affected by the Marquis data breach. These include credit unions, national banks, state-chartered banks, and cooperative financial institutions. Examples include:
- 1st Northern California Credit Union
- Advantage Federal Credit Union
- BayFirst National Bank
- Bellwether Community Credit Union
- Community 1st Credit Union
- Discovery Federal Credit Union
- Energy Capital Credit Union
- Gateway First Bank
- Generations Federal Credit Union
- Interior Federal Credit Union
- Kemba Financial Credit Union
- Michigan First Credit Union
- Pasadena Federal Credit Union
- Texoma Community Credit Union
- University Credit Union
- Whitefish Credit Union
Because the Marquis data breach involves a vendor handling data from hundreds of institutions, additional organizations may still be reviewing whether their customers were impacted. Marquis continues to coordinate with client institutions on notification requirements, which vary depending on state law and the type of data exposed.
Risks Created By The Marquis Data Breach
The Marquis data breach creates substantial risks for affected individuals, as well as systemic cybersecurity risks for banks, credit unions, and the broader financial sector. These include fraud, identity theft, regulatory compliance issues, reputational harm, and increased exposure to future attacks. Because the compromised data originated from many institutions, the Marquis data breach has cascading implications across the national financial ecosystem.
Identity Theft And Financial Fraud
The most immediate risk created by the Marquis data breach is identity theft. Stolen Social Security numbers, Taxpayer Identification Numbers, and dates of birth provide attackers with all the information needed to impersonate victims. Attackers may use exposed data to open fraudulent credit accounts, apply for loans, file tax returns, or take advantage of outdated identity verification processes used by some financial institutions.
Targeted Phishing And Social Engineering
Attackers who possess complete customer records can craft highly convincing phishing messages. These messages may reference real financial institutions, accurate personal data, or past transactions. The Marquis data breach therefore increases the risk that victims will receive fraudulent communications appearing to originate from their bank or credit union.
Exposure Of Vulnerable Populations
The Marquis data breach affects customers across multiple states and includes sensitive data for vulnerable populations including elderly banking customers, credit union members, and individuals with limited access to digital literacy resources. Because these populations are less equipped to recognize fraud, the breach presents a heightened risk of exploitation.
Regulatory And Compliance Impact
Financial institutions are required to maintain strict controls over customer information under GLBA, FFIEC guidelines, state data protection laws, and NCUA regulations. The Marquis data breach places affected institutions at risk of regulatory inquiry, particularly if investigators determine that outsourced data was not adequately protected. Vendor management has become a major focus of financial regulators, and the Marquis data breach may prompt institutions to reassess their third party risk programs.
Reputational Damage
Large scale vendor breaches often lead to consumer distrust and reputational harm. Even though individual banks and credit unions were not directly attacked, the Marquis data breach affects their customers and may result in negative public perception, canceled memberships, or loss of confidence
How Attackers Accessed Marquis Systems
Regulatory filings and cybersecurity analyses strongly suggest that the Marquis data breach originated from exploitation of a SonicWall VPN vulnerability. SonicWall devices have been widely targeted by ransomware groups, particularly during campaigns exploiting authentication flaws that allowed attackers to extract usernames, passwords, and multifactor authentication seeds. Attackers then used this information to authenticate into VPN portals without triggering MFA alerts.
After gaining access to the Marquis environment, the attacker likely performed reconnaissance, scanned internal networks, escalated Windows Active Directory privileges, and located shared directories containing customer datasets. Consistent with modern ransomware tactics, the attacker exfiltrated files prior to or in lieu of encrypting systems. Some filings reference ransom payments, suggesting the attacker may have threatened to leak data if demands were not met.
Mitigation Measures Taken After The Marquis Data Breach
Marquis details a significant number of security enhancements implemented following the Marquis data breach. These include:
- Patching all SonicWall firewall devices
- Resetting all local and administrative passwords
- Removing unused accounts
- Enforcing MFA across all VPN and firewall accounts
- Increasing logging retention for firewall activity
- Implementing account lockout policies for repeated failed login attempts
- Applying geo IP restrictions to limit foreign access
- Blocking communication with known botnet command and control servers
These measures indicate that the Marquis data breach was likely caused by credential compromise, which allowed the attacker to authenticate legitimately into the network. Enhanced VPN controls and credential rotation are common responses to breaches involving SonicWall vulnerabilities.
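The following added example, which is not Marquis's or SonicWall's code, applies two of the controls listed above (account lockout and geo IP restriction) to constructed VPN authentication events. The event layout, thresholds, user names and the placeholder country code ZZ are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; the page does not state the thresholds Marquis chose.
ALLOWED_COUNTRIES = {"US"}
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)

# Constructed events: (timestamp, user, source country, result).
# Hypothetical layout, not a SonicWall log format. "ZZ" is a placeholder code.
SAMPLE_EVENTS = [
    (f"2025-01-01T02:0{m}:00", "svc_backup", "US", "fail") for m in range(5)
] + [
    ("2025-01-01T02:05:00", "svc_backup", "US", "ok"),  # correct password after lockout
    ("2025-01-01T03:00:00", "jdoe", "ZZ", "ok"),        # valid credentials and OTP, wrong place
    ("2025-01-01T09:00:00", "jdoe", "US", "ok"),        # normal login
]

def evaluate(events, allowed=ALLOWED_COUNTRIES,
             max_failures=MAX_FAILURES, window=WINDOW):
    """Return (user, reason) alerts in chronological order."""
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    locked = set()
    alerts = []
    for ts_raw, user, country, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        # Geo check runs first and ignores the auth result: stolen
        # credentials plus OTP seeds produce a "successful" login.
        if country not in allowed:
            alerts.append((user, f"geo_block:{country}"))
            continue
        if user in locked:
            alerts.append((user, "attempt_while_locked"))
            continue
        if result == "fail":
            recent = failures[user]
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= max_failures:
                locked.add(user)
                alerts.append((user, "lockout"))
        else:
            failures[user].clear()  # a success resets the failure counter
    return alerts

if __name__ == "__main__":
    for user, reason in evaluate(SAMPLE_EVENTS):
        print(user, reason)
```

The geo check fires on the `jdoe` login even though it authenticated successfully, which is the case that matters when OTP seeds have been stolen and MFA no longer raises an alert.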
Recommended Actions For Impacted Individuals
Individuals affected by the Marquis data breach should take proactive steps to reduce the risk of identity theft and financial fraud. Recommended actions include:
- Monitor financial accounts for unauthorized charges
- Review bank and credit union statements regularly
- Place fraud alerts on credit files
- Consider placing a security freeze with major credit bureaus
- Use identity monitoring tools included with Epiq services
- Watch for phishing emails referencing financial institutions
- Run malware scans using tools such as Malwarebytes
Because the Marquis data breach involves Social Security numbers and other permanent identifiers, affected individuals may face long term monitoring requirements. Unlike passwords, Social Security numbers cannot be replaced easily, meaning victims remain at heightened risk for extended periods.
Ongoing Investigations And Future Implications
While Marquis states that it has no evidence of misuse, the large volume of data exposed in the Marquis data breach and the attacker’s access method raise concerns about whether additional institutions may be affected or whether similar SonicWall vulnerabilities remain exploitable elsewhere. The financial sector relies heavily on third party vendors, and the Marquis data breach highlights the systemic risks introduced when attackers compromise vendor infrastructure handling multi institution datasets.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.






