SOCRadar® Cyber Intelligence Inc. | The Marquis Software Data Breach: What It Means For Banks, Credit Unions, And Their Customers
Dec 04, 2025

The Marquis Software Data Breach: What It Means For Banks, Credit Unions, And Their Customers

U.S. regulators and media outlets confirmed a major data breach at Marquis Software Solutions, a Texas-based vendor that works with hundreds of community banks and credit unions across the country. Around the same time, financial software provider Marquis itself began warning that the incident had exposed data tied to dozens of banks and credit unions in the United States.

Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to more than 700 banks, credit unions, and mortgage lenders. To deliver these services, Marquis stores and processes large sets of customer information on behalf of its clients.

When ransomware actors reached the systems that hold this data, they did not just hit one bank. They broke into a shared vendor that sits in the middle of the community banking ecosystem. As a result, a single compromise has turned into an industry-wide problem that now touches many smaller institutions at once.

Who Is Marquis Software Solutions?

Marquis Software Solutions provides marketing, analytics, and compliance software to financial institutions. Public filings and press reports say the company works with more than 700 banks, credit unions, and mortgage lenders across the United States.

These services often rely on rich customer data. That means Marquis holds names, contact information, account details, and in many cases Social Security numbers for customers of its client institutions. When an attacker reaches a vendor like this, they do not hit one bank. They hit a data hub.

What Happened: A Ransomware Attack Via SonicWall

According to data breach notices filed with several state attorneys general, Marquis suffered a ransomware attack on 14 August 2025. An investigation later found that attackers got into Marquis systems through a SonicWall firewall used for remote access.

Key points from the public reports:

  • Attack date: 14 August 2025.
  • Attack type: Ransomware, with data theft before any encryption.
  • Initial access: Through a SonicWall firewall and its VPN features.
  • Impacted environment: Systems that stored files with customer data from many banks and credit unions.

BleepingComputer points to the recent SonicWall VPN attacks by the Akira ransomware group, which has a known pattern of using the vulnerability CVE-2024-40766 to steal VPN credentials. The public reports do not name the group that attacked Marquis, but the attack path matches this trend.

Scope Of The Breach: Dozens Of Institutions, Hundreds Of Thousands Of People

The breach did not affect one bank alone. Marquis acts as a shared service provider, so the same attack hits data from many institutions at once.

How many banks and credit unions?

Notifications filed in Maine and Iowa list over 400,000 people across 74 affected banks and credit unions so far.

The list includes community banks and credit unions across the country. Examples range from Maine State Credit Union and Capital City Bank Group to CoVantage Credit Union and Suncoast Credit Union.

How many people?

Regulators and law firms give slightly different numbers, which is normal in the early stages of a large incident:

  • State filings and news reports currently point to at least 400,000 affected customers.
  • One law firm that tracks the CoVantage Credit Union impact alone mentions about 160,000 CoVantage members and roughly 354,000 individuals across all affected Marquis clients in its analysis.
  • Some industry reports suggest the total count may rise as more institutions complete their reviews and file notices.

The Maine Attorney General’s breach portal lists Marquis Software Solutions as the reporting entity for an incident reported on 2 December 2025, confirming the current notification phase.

You should expect these numbers to adjust over time as more clients finalize their own counts.

What Data Was Exposed?

Marquis and state filings say that attackers copied files that contained non-public personal information from bank and credit union customers.

The exposed data can include some or all of the following, depending on the institution and account:

  • Full name
  • Postal address and phone number
  • Date of birth
  • Social Security number or Taxpayer Identification Number
  • Bank account numbers
  • Debit or credit card numbers
  • Other financial account information (without security codes or PINs in some cases)

This mix of data is enough for identity theft and many types of fraud. Even if card security codes were not stored, attackers can still use identity data to open new accounts, file false tax returns, or run targeted phishing campaigns.

At this time, Marquis says it has not seen proof that the stolen data has been misused or posted on leak sites. However, at least one earlier notice from an affected credit union, later removed, claimed that Marquis paid a ransom, a step victims often take to try to prevent data leaks.

How Marquis Says It Responded

Public notices and secondary reports describe several steps that Marquis has taken since the attack:

  1. Investigation and notification

    • Hired external cyber security experts.
    • Notified law enforcement and state attorneys general.
    • Worked with affected banks and credit unions to send consumer notices.
  2. Security hardening
    Marquis reports a set of changes focused on remote access and account security, including:
    • Patching and updating all firewall devices.
    • Rotating passwords for local accounts and removing unused accounts.
    • Enabling multi-factor authentication for all firewall and VPN accounts.
    • Increasing log retention for firewall devices.
    • Enforcing account lockouts after too many failed VPN logins.
    • Restricting VPN access by geographic IP filtering.
    • Blocking connections to known botnet command and control servers at the firewall.
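
The lockout, geographic filtering, and log-retention items above can be checked together by replaying retained VPN login records against the new policy to see which past logins it would have refused. The following is an added example, not Marquis's or SonicWall's code; the log format, account names, thresholds, and country allowlist are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values; the public notices do not state thresholds.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)
ALLOWED_COUNTRIES = {"US"}

# Constructed events: timestamp, account, source country, result.
# "ZZ" stands in for any country outside the allowlist.
SAMPLE_LOG = """\
2025-01-06T08:00:00 jsmith US success
2025-01-06T08:05:00 svc_report US fail
2025-01-06T08:05:20 svc_report US fail
2025-01-06T08:05:40 svc_report US fail
2025-01-06T08:06:00 svc_report US fail
2025-01-06T08:06:20 svc_report US fail
2025-01-06T08:07:00 svc_report US success
2025-01-06T08:30:00 mlee ZZ success
2025-01-06T09:00:00 jsmith US fail
2025-01-06T09:20:00 jsmith US fail
"""

def replay(log):
    """Replay VPN login events against the policy; lockouts last until reset."""
    failures = defaultdict(list)
    report = {"geo_blocked": [], "locked_out": [], "stopped_logins": []}
    for line in log.strip().splitlines():
        stamp, user, country, result = line.split()
        ts = datetime.fromisoformat(stamp)
        if country not in ALLOWED_COUNTRIES:
            report["geo_blocked"].append((user, country))
            continue  # filtered before authentication is attempted
        if user in report["locked_out"]:
            if result == "success":
                # A login the old policy allowed and the new one refuses.
                report["stopped_logins"].append((stamp, user))
            continue
        if result == "success":
            failures[user].clear()
            continue
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in failures[user] if ts - t <= WINDOW] + [ts]
        failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            report["locked_out"].append(user)
    return report

if __name__ == "__main__":
    for key, value in replay(SAMPLE_LOG).items():
        print(key, value)
```

Entries under `stopped_logins` are the ones worth reviewing first: a successful login that follows a burst of failures on the same account is the pattern the lockout control is meant to interrupt.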

Why This Breach Matters For Vendor Risk

This incident is a classic example of a vendor or supply chain breach in the financial sector:

  • Marquis holds data from hundreds of institutions.
  • Attackers needed to compromise only one vendor perimeter to reach many banks and credit unions.
  • The entry point was a remote access device that should have strong controls and constant monitoring.

For financial institutions, the key risks include:

  • Concentration risk: When many institutions rely on the same vendor, one incident becomes a sector-wide problem.
  • Visibility gaps: Banks often have less direct visibility into a vendor’s internal security controls, patch status, and VPN usage.
  • Shared reputational damage: Even if a bank’s own systems stay secure, customers will still blame the bank when their data is tied to that brand.

Regulators already expect banks and credit unions to manage third-party risks as carefully as internal risks. This breach will likely raise more questions from examiners about third-party companies.

Final Thoughts

The Marquis Software Solutions breach is not just another isolated ransomware story. It shows how deeply the financial sector now depends on vendors that sit between customers and their banks, holding large sets of sensitive data. When one of these vendors falls, the shock spreads across dozens of institutions at once.

Banks and credit unions cannot avoid using vendors like Marquis, but they can push for stronger controls, better visibility, and clearer incident plans. Customers cannot control vendor security either, but they can watch their accounts, use the tools offered to them, and stay alert to scams that may follow.