Ransomware Gang Stole Data of 672,000 People in 2025 Cyberattack on Marquis

What happened

Attackers breached the network of Marquis on August 14, 2025, gaining unauthorized access through a SonicWall firewall and stealing sensitive data from systems used to serve banking and credit union clients. The breach impacted data belonging to customers of dozens of financial institutions, with reports indicating that over 672,000 people were affected. Attackers accessed centralized customer data maintained by Marquis, including personal and financial information, and the incident was later confirmed to involve ransomware activity. The attack has also been described as a third-party supply chain incident: because Marquis provides services to multiple banks and credit unions, a single compromise amplified the scale of exposure.

Who is affected

Customers of banks and credit unions that relied on Marquis Software Solutions are affected, particularly individuals whose personal and financial information was stored in systems managed by the vendor. 

Why CISOs should care

The incident highlights how ransomware attacks on third-party service providers can cascade across multiple organizations, exposing large volumes of customer data through a single point of compromise. 

3 practical actions

  1. Assess third-party risk exposure. Review vendors with access to customer or financial data for potential security gaps. 
  2. Audit firewall and network defenses. The attack path involved unauthorized access through a SonicWall firewall. 
  3. Monitor for data exposure after ransomware incidents. Stolen data may still circulate even after containment efforts. 
