Ransomware Gang Exfiltrates Data of 672K Individuals from Marquis, Disrupting 74 U.S. Banks
What Happened — In August 2025, a ransomware group compromised a SonicWall firewall used by Marquis, a Texas‑based fintech provider, and stole personal and financial data of more than 670,000 individuals. The attack also caused service outages at 74 banks that rely on Marquis’s digital‑marketing, analytics, compliance, and CRM platforms.
Why It Matters for TPRM —
- Direct exposure of PII/PII‑financial data from a third‑party service provider can cascade to downstream financial institutions.
- The breach originated from a third‑party firewall vendor (SonicWall), highlighting supply‑chain risk.
- Ongoing litigation and class‑action suits increase financial and reputational exposure for any organization that contracts Marquis.
Who Is Affected — Financial services sector (banks, credit unions, mortgage lenders) and their customers; fintech and SaaS vendors that integrate Marquis APIs.
Recommended Actions —
- Review contracts and security clauses with Marquis and any other vendors using SonicWall firewalls.
- Verify that all firewall firmware is patched and that cloud‑backup credentials have been rotated.
- Conduct a data‑mapping exercise to confirm whether any of your customer data resides in Marquis‑hosted environments.
- Update incident‑response playbooks to include third‑party breach notification timelines.
Technical Notes — Attack vector was a compromise of a SonicWall firewall, likely exploiting a vulnerability disclosed by SonicWall in September 2025. Stolen data includes names, DOB, addresses, phone numbers, SSNs, TINs, and financial account details without security codes. No evidence the attackers accessed the banks’ own systems. Source: BleepingComputer