What happened
On August 14, 2025, Marquis Software Solutions suffered a ransomware attack that exploited a vulnerability in its SonicWall firewall/VPN infrastructure. Attackers gained unauthorized access and exfiltrated files containing sensitive customer data.
Who is affected
Marquis, a vendor that provides CRM, data analytics, compliance reporting, and digital marketing services, supports over 700 banks, credit unions, and mortgage lenders. So far, more than 74 financial institutions have confirmed compromised data, impacting at least 400,000 customers. Exposed information may include names, postal addresses, phone numbers, dates of birth, Social Security or taxpayer IDs, and financial account numbers (though, in many cases, not card PINs or CVVs).
Why CISOs should care
This breach underscores the systemic risk posed by third‑party vendors in the financial sector: a single successful attack against a vendor can escalate into a multi-institutional incident. It also highlights that even widely used security appliances like SonicWall can remain prime targets if they are misconfigured, unpatched, or lack strong VPN hardening. Regulators and examiners will likely scrutinize vendor risk management, MFA, patching cadence, and visibility controls, which affects compliance posture and reputational risk across institutions.
3 Practical Actions for CISOs
- Reassess vendor‑risk posture: Inventory all third‑party vendors similar to Marquis that handle sensitive customer data, and evaluate their security controls, including patch management, MFA usage, logging, and incident response readiness.
- Harden remote‑access infrastructure: Ensure VPN appliances and firewalls are fully patched; enforce multi-factor authentication (MFA), account rotation, strict geolocation/IP filtering, log retention, and aggressive lockout for failed logins.
- Implement vendor‑audit and segmentation policies: Require regular security assessments and audit reports from vendors; isolate vendor systems from internal networks to reduce blast radius if vendor security fails.
