Data Breaches | December 24, 2025 | 4 min read

Marquis Fintech Breach Exposes 400,000 Bank Customers via Unpatched SonicWall

Akira ransomware gang exploited known SonicWall vulnerability to hit fintech vendor serving 700+ banks and credit unions. SSNs and card numbers stolen.

Sarah Mitchell

A ransomware attack on Marquis Software Solutions, a fintech vendor serving more than 700 banks and credit unions, has exposed personal data of at least 400,000 customers. The breach stemmed from an unpatched SonicWall firewall vulnerability that the Akira ransomware gang has been exploiting since late 2024.

TL;DR

  • What happened: Akira ransomware gang breached Marquis via CVE-2024-40766 in a SonicWall firewall, stealing customer data
  • Who's affected: Customers of 74+ US banks and credit unions; 400,000+ confirmed, likely to rise
  • Severity: Critical—SSNs, bank account numbers, and card data exposed
  • Action required: Affected individuals should freeze credit and monitor accounts for fraud

What Was Stolen?

Marquis provides marketing and compliance services to financial institutions, giving the company access to sensitive customer data across its client base. The stolen information includes:

  • Names and dates of birth
  • Postal addresses
  • Social Security numbers
  • Bank account numbers
  • Debit and credit card numbers

This combination enables both identity theft and direct financial fraud. Attackers could drain accounts, make purchases, or sell complete identity packages on criminal markets.

How Did This Happen?

According to breach notifications filed with state attorneys general, attackers exploited CVE-2024-40766—a vulnerability in SonicWall SMA1000 appliances used for remote access. The flaw has been publicly known since September 2024, with patches available.

Marquis apparently hadn't applied the fix.

The Akira ransomware gang has been systematically targeting unpatched SonicWall devices since fall 2024. They've built scanning tools to identify vulnerable appliances and established reliable exploitation techniques. Organizations that ignored patch advisories became easy targets.

Which Banks Are Affected?

Marquis's notification to the Maine Attorney General's office, filed December 2, 2025, confirms the company is reporting on behalf of affected financial institutions. The breach impacts customers of at least 74 banks and credit unions across the country.

Texas bears the heaviest impact, with more than 354,000 residents affected. Additional notifications continue to trickle in from other states, and the final count will likely exceed current figures.

Specific affected institutions haven't been publicly named. Customers should assume their data may be compromised if their bank or credit union uses Marquis for marketing or compliance services—information not typically disclosed to account holders.

Marquis's Response

A company spokesperson confirmed the August 14, 2025 attack and outlined their response:

  • Immediately enacted incident response protocols
  • Took affected systems offline
  • Engaged third-party cybersecurity experts
  • Notified law enforcement
  • Completed investigation in late November

Marquis claims "no evidence indicating that any personal information has been used for identity theft or financial fraud." Given that stolen data often takes months or years to surface in criminal use, this provides limited reassurance.

Third-Party Vendor Risk

This breach illustrates a persistent problem in financial services: the security of your data depends on every vendor in the chain, not just your bank. Marquis isn't a household name, but the company touched customer data at hundreds of institutions.

Banks conduct vendor risk assessments, but these often focus on contractual compliance rather than technical security. A vendor's unpatched firewall becomes the bank's customer data breach.

For affected financial institutions, this creates both legal liability and reputational damage. For customers, it means their data exposure comes from a company they've never heard of.

What Affected Customers Should Do

  1. Freeze your credit at Equifax, Experian, and TransUnion. Free and effective.
  2. Monitor existing accounts for unauthorized transactions. Enable alerts for any card or account activity.
  3. Watch for phishing attempts. Attackers with this data can craft convincing messages referencing your bank, account details, or personal information.
  4. Consider changing account numbers if your bank offers this option. Stolen card numbers remain usable until replaced.

Frequently Asked Questions

How do I know if my bank uses Marquis?

Banks typically don't disclose their vendor relationships publicly. If you haven't received a breach notification but bank with a small to mid-size institution, contact your bank directly to ask if they're affected.

What should I do first?

Freeze your credit immediately. This takes five minutes per bureau and blocks criminals from opening new accounts in your name. You can temporarily lift the freeze when you legitimately need to apply for credit.

Why didn't SonicWall patches prevent this?

They would have—if applied. CVE-2024-40766 was patched in September 2024, three months before the attack. Marquis's failure to apply available security updates created the opening attackers exploited.
