New regulatory disclosures have confirmed that a cyberattack on financial services vendor Marquis exposed sensitive personal and financial information belonging to more than 400,000 bank and credit union customers across the United States.
According to filings submitted to state authorities, attackers accessed Marquis systems by exploiting a known but unpatched firewall vulnerability, allowing unauthorized access to data used by hundreds of financial institutions. Texas accounts for the largest confirmed share of affected individuals, with additional disclosures filed in states including Maine, Massachusetts, Iowa, and New Hampshire.
How the Breach Occurred
The intrusion dates back to August, when attackers gained access to Marquis’ internal network through a vulnerable SonicWall firewall appliance. Firewalls sit at the perimeter of enterprise networks and are typically treated as trusted infrastructure, making them high-impact targets when left unpatched.
Once inside, attackers were able to access centralized customer data maintained by Marquis on behalf of its banking and credit union clients. The company later confirmed the incident involved ransomware, though it has not publicly named the attackers. The campaign has been widely linked to the Akira, which has previously targeted organizations running exposed SonicWall devices.
What Data Was Exposed
State disclosures indicate that the compromised data included a broad range of highly sensitive information, such as:
- Full names and postal addresses
- Dates of birth
- Social Security numbers
- Bank account details
- Debit and credit card numbers
This combination of data represents complete identity profiles, significantly increasing the risk of long-term fraud and misuse.
Why the Impact Is So Broad
Marquis provides marketing and compliance services to more than 700 financial institutions nationwide. That role requires access to large volumes of customer information across multiple banks and credit unions, concentrating sensitive data in a single vendor environment.
As a result, a single breach at the vendor level propagated outward, affecting customers across many institutions and jurisdictions simultaneously. This structure has become an increasingly common focal point for ransomware groups seeking maximum downstream impact from a single point of compromise.
Ongoing Risk for Affected Individuals
Security experts note that breaches involving immutable identity data differ from typical credential incidents. While passwords and access tokens can be reset, core identity attributes cannot be changed. Once exposed, this information may be reused repeatedly for account takeovers, new account fraud, and highly targeted scams that reference accurate personal and banking details.
