Case Study: Marquis Software Solutions Breach Compromises Customer Data Across 74+ U.S. Financial Institutions
Overview

On August 14, 2025, Marquis Software Solutions, a Texas-based vendor providing data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders, suffered a ransomware attack that compromised customer data across at least 74 U.S. financial institutions.

Independent compilations across multiple state registries estimate between 672,000 and 1.35 million customers were affected.

Reports indicate Marquis paid a ransom, though the company has not officially confirmed payment.
Attack Details

Initial access is reported to have been achieved through a vulnerability in Marquis's SonicWall firewall device, used for remote access. The Akira ransomware group is publicly associated with widespread targeting of SonicWall SSL VPN devices since at least September 2024, exploiting CVE-2024-40766 to steal VPN credentials and one-time password seeds. While Marquis has not publicly confirmed which specific vulnerability was exploited, the attack profile is consistent with this campaign.

Once inside the network, attackers exfiltrated files containing customer data before deploying ransomware.

The exfiltrated data included names, addresses, phone numbers, dates of birth, Social Security numbers, Taxpayer Identification Numbers, and financial account information.
Impact on Financial Services

Affected institutions faced compounding operational and regulatory burdens: state-level breach notifications across at least seven states (Maine, Iowa, Texas, Massachusetts, New Hampshire, South Carolina, Washington), customer notification timelines they did not control, and reputational damage tied to a vendor whose security failures were publicly visible.
The Signal Was Visible
One month before the August 2025 attack, Marquis Software Solutions carried an RSI of 0.437. That score sat above both the broader vendor sample average of 0.351 and the 140-vendor finance ecosystem average of 0.404, placing Marquis in the elevated band of the index.
Marquis’ RSI Showed 11.6x Attack Likelihood Before the Attack

Lessons Learned
Identity-layer controls limit cascade impact
Edge security devices remain the most common entry vector in vendor compromise. The Marquis intrusion entered through a SonicWall firewall, an internet-facing device with privileged access to internal systems. Vendors operating internet-exposed remote access infrastructure require continuous patch hygiene, multi-factor authentication enforcement, credential rotation, and removal of unused or legacy accounts.
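
An added example, not part of the original report and not Marquis or SonicWall tooling: a check over a VPN account export for the account-hygiene controls listed above. The CSV columns, sample rows, dates and the `audit` helper are constructed, and it assumes that any password or one-time password seed issued before the firmware was patched should be treated as exposed, since the campaign described earlier stole both.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export of local VPN accounts (not data from the incident).
SAMPLE = """user,mfa_enabled,password_changed,otp_seed_issued,last_login
alice,yes,2025-03-02,2025-03-02,2025-07-30
bob,no,2025-04-10,,2025-07-29
svc_legacy,yes,2023-01-15,2023-01-15,2024-02-01
carol,yes,2025-03-05,2024-06-01,2025-07-28
"""
PATCHED_ON = date(2025, 3, 1)  # constructed: day the appliance firmware was patched
TODAY = date(2025, 8, 1)       # constructed audit date


def audit(csv_text, patched_on, today, max_idle_days=90):
    """Return {user: [issues]} for accounts that violate a hygiene control."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        # MFA enforcement: every remote-access account must have it enabled.
        if row["mfa_enabled"].strip().lower() != "yes":
            issues.append("no_mfa")
        # Credential rotation: a password set before the patch may already be stolen.
        if date.fromisoformat(row["password_changed"]) < patched_on:
            issues.append("password_predates_patch")
        # Same reasoning for OTP seeds: patching does not invalidate a copied seed.
        seed = row["otp_seed_issued"].strip()
        if seed and date.fromisoformat(seed) < patched_on:
            issues.append("otp_seed_predates_patch")
        # Unused or legacy accounts: no login within the idle window.
        idle = today - date.fromisoformat(row["last_login"])
        if idle > timedelta(days=max_idle_days):
            issues.append("stale_account")
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(SAMPLE, PATCHED_ON, TODAY).items():
        print(f"{user}: {', '.join(issues)}")
```
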
Disclosure timelines belong to the vendor, not the institution
Affected financial institutions did not learn of the compromise until 10+ weeks after the initial intrusion.
Vendor concentration is itself the risk
Marquis serves over 700 financial institutions; the 74+ confirmed affected organizations are a subset of that exposure base. The vulnerability of any single financial institution to a Marquis-style incident is not a function of its own security program but of how many of its peers depend on the same vendor.
The risks documented in this report are measurable, monitored, and in many cases preventable.
The next section outlines the capabilities financial institutions are using today to act on them.