Cyber Incident Victim: Marquis

Date: Aug 2025

Location: United States of America

Summary

A fintech firm experienced a ransomware attack after hackers exploited credentials stolen from its firewall provider's cloud backup breach, which exposed configuration files enabling network circumvention. The provider initially claimed limited impact but later confirmed all cloud backup customers' data was compromised. The breach resulted in theft of sensitive customer information, including personal, financial, and Social Security data from affiliated banks and credit unions. The victim is pursuing compensation from the provider for incident response costs, while the number of affected individuals continues to increase as breach notifications progress.

Motives: 0 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors

Description

In August 2025, fintech firm Marquis suffered a ransomware attack that resulted in the theft of customers’ personal information, financial data, and Social Security numbers. Marquis attributed the breach to a prior security incident at its firewall provider, SonicWall, which occurred earlier in 2025. According to Marquis’ internal investigation and subsequent customer communications, hackers exploited credentials and firewall configuration data stolen during SonicWall’s breach to circumvent Marquis’ network defenses. The company confirmed it had stored a backup of its firewall configuration file in SonicWall’s cloud environment, which was compromised in the provider’s incident. SonicWall initially disclosed in September 2025 that fewer than 5% of its customers were affected by its breach but revised this assessment in October 2025, acknowledging that all customers using its cloud backup service—including Marquis—had their firewall configuration data and credentials accessed by threat actors. Marquis stated it had recently adopted SonicWall’s firewall services prior to the attack.

Marquis engaged a third-party investigator to examine the breach and evaluate whether an unapplied firewall patch could have contributed to the incident. The investigation concluded the patch addressed a vulnerability that was not exploitable in a manner allowing unauthorized data access. The company began notifying hundreds of thousands of affected individuals in late 2025 and early 2026, with breach notifications submitted to state attorneys general. The total number of impacted individuals remained undisclosed but was expected to increase as notifications progressed. Marquis announced plans to seek compensation from SonicWall for expenses incurred by the company and its customers during the response. SonicWall disputed Marquis’ claims, stating no evidence linked its September 2025 breach to subsequent ransomware attacks and requesting substantiation from Marquis. The breach exposed sensitive consumer banking data managed by Marquis for hundreds of U.S. financial institutions, escalating concerns about third-party vendor risks in critical infrastructure sectors.

Sources
7 sources