Executive Summary
In early 2024, Marquis Software Solutions, a financial marketing service provider, was the victim of a significant data breach that compromised sensitive personal information across more than 74 US banks and credit unions. The attackers gained unauthorized access through a third-party vulnerability and exfiltrated data sets containing names, addresses, Social Security numbers, financial account details, and demographic information of hundreds of thousands of customers. The breach not only impacted Marquis’s direct clients but also exposed downstream institutions and their end-users, triggering regulatory notifications and potential reputational damage to affected financial entities.
This incident highlights the enduring risk posed by supply chain vulnerabilities within highly regulated industries, as attackers continue targeting trusted vendors with access to sensitive data. It underscores increasing regulatory scrutiny on vendor risk management and data protection, especially within financial and healthcare sectors.
Why This Matters Now
The Marquis breach underscores a surge in supply-chain attacks targeting vendors serving critical infrastructure sectors like banking. With regulators demanding stricter controls over third-party risk and customer data stewardship, organizations must urgently evaluate their vendor ecosystems and implement segmented, encrypted, and monitored connectivity to safeguard against similar large-scale exposures.
Attack Path Analysis
The attacker gained initial access to Marquis Software Solutions via an exposed application vulnerability or compromised credentials, leading to unauthorized presence in the network. They escalated privileges by exploiting misconfigurations or over-permissioned accounts to access sensitive data. Lateral movement allowed them to pivot between workloads and internal services, reaching repository or database storage holding bank and credit union data. The attacker then established command and control to maintain persistent remote access and stage exfiltration channels. Sensitive customer and financial data was exfiltrated via outbound connections to external infrastructure. The breach resulted in significant impact across over 74 financial institutions, exposing regulated personal and banking information.
Kill Chain Progression
Initial Compromise
Description
Attacker exploited an exposed application vulnerability or used stolen credentials to gain initial access to the Marquis cloud environment.
Related CVEs
CVE-2022-22274
CVSS 9.8A vulnerability in SonicWall firewalls allows an unauthenticated attacker to cause a denial of service or potentially execute arbitrary code.
Affected Products:
SonicWall SonicOS – 7.0.1-5050 and earlier
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Exploit Public-Facing Application
Data Manipulation
Data from Local System
Automated Exfiltration
Exfiltration Over C2 Channel
Phishing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
GLBA (Gramm-Leach-Bliley Act) – Safeguards Rule
Control ID: 501(b)
CISA Zero Trust Maturity Model 2.0 – Implement Strong Authentication
Control ID: Identity Pillar
NIS2 Directive – Risk Management Measures
Control ID: Art. 21(2)
ISO/IEC 27001:2022 – Data Leakage Prevention
Control ID: A.5.21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Direct impact from Marquis data breach affecting 74+ US banks, exposing customer financial data requiring enhanced encryption and zero trust segmentation implementation.
Financial Services
Credit unions and financial institutions face regulatory compliance violations and customer trust erosion, necessitating improved east-west traffic security and threat detection.
Computer Software/Engineering
Financial software providers like Marquis demonstrate supply chain vulnerabilities, requiring multicloud visibility controls and secure hybrid connectivity for client protection.
Information Technology/IT
IT service providers managing financial sector clients must implement cloud native security fabric and inline IPS to prevent lateral movement attacks.
Sources
- Marquis data breach impacts over 74 US banks, credit unionshttps://www.bleepingcomputer.com/news/security/marquis-data-breach-impacts-over-74-us-banks-credit-unions/Verified
- Marquis Software Solutions Data Breach Impacts Over 1.3M Exposing Social Security Numbershttps://www.claimdepot.com/data-breach/marquis-software-solutions-2025Verified
- Marquis Software Solutions Data Breach Claims Investigated by Lynch Carpenterhttps://www.globenewswire.com/news-release/2025/12/03/3199231/0/en/Marquis-Software-Solutions-Data-Breach-Claims-Investigated-by-Lynch-Carpenter.htmlVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, robust east-west traffic security, and egress policy enforcement provided by CNSF controls would have sharply constrained attacker movement, detected anomalous activities, and prevented much of the unmonitored exfiltration in this breach.
Control: Cloud Firewall (ACF)
Mitigation: Unauthorized network access attempts blocked at the perimeter.
Control: Zero Trust Segmentation
Mitigation: Movement to newly privileged assets prevented by identity-based microsegmentation.
Control: East-West Traffic Security
Mitigation: Internal lateral movement detected and denied between segmented workloads.
Control: Inline IPS (Suricata)
Mitigation: Outbound malicious C2 traffic identified and stopped in-line.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized outbound data transfers detected and blocked.
Rapid detection of abnormal access mitigates breach scale.
Impact at a Glance
Affected Business Functions
- Customer Data Management
- Compliance Reporting
- Digital Marketing Services
Estimated downtime: 14 days
Estimated loss: $5,000,000
The breach exposed sensitive personal information, including names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, financial account information, and dates of birth, affecting over 1.3 million individuals across multiple states.
Recommended Actions
Key Takeaways & Next Steps
- • Implement strict zero trust segmentation and least privilege policies across all network flows and identities.
- • Deploy east-west traffic inspection and microsegmentation to disrupt internal lateral movement and limit attack scope.
- • Enforce granular egress controls and real-time outbound policy enforcement to block unsanctioned data exfiltration.
- • Enable anomaly detection and threat response to rapidly identify unusual behaviors targeting sensitive data.
- • Maintain centralized, multicloud visibility to ensure continuous monitoring and unified policy governance across hybrid environments.
