Executive Summary
In August 2025, Marquis Software Solutions, a fintech firm serving more than 70 banks and credit unions, suffered a ransomware attack that compromised sensitive personal and financial data; reported counts of affected individuals range from over 672,000 in initial disclosures to more than 1.3 million. Marquis attributes the intrusion to a weakness in SonicWall's cloud firewall-configuration backup service: access to Marquis's backed-up firewall configurations gave the attackers what they needed to reach the internal network. Exposed information included names, addresses, Social Security numbers, and financial account details. The incident shows how a weakness in a third-party service cascades into a customer's environment: the initial foothold came from data held by a vendor, not from a flaw in Marquis's own software. (claimdepot.com)
The practical lesson is narrower than "third-party risk" in general. Firewall configuration backups contain credentials and network topology, so a compromise of wherever those backups are stored is equivalent to a compromise of the firewall itself. Organizations should treat vendor-held backups as sensitive data in their own right, rotate every credential they contain as soon as the vendor reports an incident, and use continuous monitoring and regular penetration testing to verify that the exposure has actually been closed rather than assuming it has.
Why This Matters Now
The Marquis Software breach is a reason for financial institutions to treat third-party risk management as an engineering problem rather than a questionnaire exercise: which vendors hold artifacts (configuration backups, credentials, keys) that would let an attacker walk into the network, and what is the playbook when one of those vendors is breached? With supply chain compromises exploited more often and regulators under PCI DSS, NYDFS, DORA and NIS2 expecting demonstrable testing and monitoring, the answer has to include continuous monitoring and regular penetration testing, not only contractual assurances.
Attack Path Analysis
Attackers exploited a vulnerability in SonicWall's firewall backup service to obtain Marquis Software's firewall configurations. Credentials recovered from those configurations gave them authenticated access to the Marquis network, and the same compromised firewall credentials were then used to escalate privileges and reach internal systems. From there the attackers moved laterally across the network, locating and accessing repositories of sensitive data, and established command-and-control channels to keep persistent access and coordinate the operation. Personal and financial data of over 672,000 individuals was exfiltrated before the attackers deployed ransomware, encrypting critical data and disrupting Marquis's operations.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited a vulnerability in SonicWall's firewall backup service to obtain Marquis Software's firewall configurations; credentials in those configurations provided the unauthorized network access that started the intrusion.
MITRE ATT&CK® Techniques
External Remote Services (T1133)
Exploitation of Remote Services (T1210; a lateral-movement technique, relevant to the later stages of the attack path rather than to initial entry)
Exploit Public-Facing Application (T1190)
Valid Accounts (T1078)
Protocol Tunneling (T1572; a command-and-control technique, relevant to the persistence stage of the attack path)
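The initial-compromise pattern above (a valid account used over an external remote service from a source the organization does not recognize) is detectable in ordinary VPN or firewall-admin authentication logs. The following is an added example, not code from the original report and not anything Marquis or SonicWall publish: it parses a constructed syslog-style log format, and the IP ranges, account names and thresholds are assumptions chosen for the example. It flags three things a responder would want to see: a burst of failures followed by success, a successful login from outside known ranges (rated higher for privileged accounts), and one external source logging in as more than one account, which is what holding a batch of credentials pulled from a configuration backup looks like.

```python
"""Detection for the initial-compromise pattern in the kill chain above: a valid
account used over an external remote service (VPN / firewall admin login).

All log lines, IP ranges and account names here are constructed for the example;
they are not real Marquis or SonicWall data.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed corporate source ranges and privileged account names (hypothetical).
ALLOWED_RANGES = [ip_network("203.0.113.0/24")]
PRIVILEGED_ACCOUNTS = {"admin"}
FAILURE_WINDOW = timedelta(minutes=5)   # failures must fall within this window...
FAILURE_THRESHOLD = 3                   # ...and reach this count before a success

# Constructed syslog-style VPN authentication events.
SAMPLE_LOGS = """\
2025-08-01T08:02:11Z vpn auth result=success user=jdoe src=203.0.113.10
2025-08-01T08:15:40Z vpn auth result=success user=asmith src=203.0.113.22
2025-08-02T09:10:05Z vpn auth result=success user=jdoe src=203.0.113.10
2025-08-03T02:41:09Z vpn auth result=failure user=admin src=198.51.100.77
2025-08-03T02:41:15Z vpn auth result=failure user=admin src=198.51.100.77
2025-08-03T02:41:22Z vpn auth result=failure user=admin src=198.51.100.77
2025-08-03T02:41:30Z vpn auth result=success user=admin src=198.51.100.77
2025-08-03T02:45:02Z vpn auth result=success user=jdoe src=198.51.100.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into time-sorted event dicts; lines that
    do not match the expected shape are skipped rather than crashing the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "result": m["result"],
            "user": m["user"],
            "src": ip_address(m["src"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def is_allowed(src):
    return any(src in net for net in ALLOWED_RANGES)


def analyze(events):
    """Return a list of findings; each is a dict with rule, severity, user, src, ts."""
    findings = []
    failures = {}           # (user, src) -> timestamps of failed logins
    users_by_source = {}    # external src -> accounts that succeeded from it

    def flag(rule, severity, e):
        findings.append({"rule": rule, "severity": severity, "user": e["user"],
                         "src": str(e["src"]), "ts": e["ts"].isoformat()})

    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures.setdefault(key, []).append(e["ts"])
            continue

        # Rule 1: several failures from the same user/source shortly before a
        # success looks like guessing or a partly wrong stolen credential.
        recent = [t for t in failures.get(key, []) if e["ts"] - t <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            flag("failure_burst_then_success", "high", e)
        failures.pop(key, None)

        if is_allowed(e["src"]):
            continue

        # Rule 2: success from outside the known ranges; privileged accounts rate high.
        flag("success_from_unlisted_source",
             "high" if e["user"] in PRIVILEGED_ACCOUNTS else "medium", e)

        # Rule 3: one external source logging in as more than one account is the
        # signature of someone holding a batch of stolen credentials.
        seen = users_by_source.setdefault(e["src"], set())
        seen.add(e["user"])
        if len(seen) > 1:
            flag("multiple_accounts_same_external_source", "high", e)
    return findings


def run(text=SAMPLE_LOGS):
    return analyze(parse_events(text))


if __name__ == "__main__":
    for f in run():
        print(f"{f['ts']} {f['severity']:<6} {f['rule']:<40} user={f['user']} src={f['src']}")
```

On the constructed sample the run produces four findings: the admin account's failure burst and its login from an unlisted source (both high), then jdoe's login from the same unlisted source (medium) and the rule that fires because that source has now authenticated as two different accounts (high). In a real deployment the allowed ranges would come from the VPN's own configuration and the baseline of known user/source pairs from prior weeks of logs rather than from constants.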
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – External Penetration Testing
Control ID: 11.4.3
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Network and Environment Segmentation
Control ID: Pillar 3 (Networks)
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, covering operational, regulatory, and cloud security risks.
Banking/Mortgage
VPN appliances and third-party platforms sit in front of sensitive customer data; a weakness in either exposes that data, creates regulatory compliance failures, and leaves untested attack surface in mortgage origination portals.
Financial Services
Financial services ranks fourth among sectors targeted by interactive (hands-on-keyboard) intrusions; the 345-day gap between penetration tests described in the cited BleepingComputer piece creates a prolonged exposure window for encrypted-traffic interception and lateral movement.
Information Technology/IT
Gaps in multi-cloud visibility and unencrypted traffic paths give an intruder room to escalate privileges and run command-and-control across hybrid cloud infrastructure, which is why such environments need continuous security validation rather than point-in-time review.
Computer Software/Engineering
Third-party platform integrations create API exposure that can allow unauthorized data access across tenant boundaries; tighter egress security and zero trust segmentation limit what such access can reach.
Sources
- What 345 Days of Untested Exposure Looks Like at a Bank, BleepingComputer: https://www.bleepingcomputer.com/news/security/what-345-days-of-untested-exposure-looks-like-at-a-bank/
- Marquis sues firewall provider SonicWall, alleges security failings with its firewall backup led to ransomware attack, TechCrunch (24 February 2026): https://techcrunch.com/2026/02/24/marquis-sonicwall-lawsuit-ransomware-firewall-breach/
- Fintech firm Marquis blames hack at firewall provider SonicWall for its data breach, TechCrunch (29 January 2026): https://techcrunch.com/2026/01/29/fintech-firm-marquis-blames-hack-at-firewall-provider-sonicwall-for-its-data-breach/
- Marquis confirms data breach, point finger of blame at SonicWall firewall, TechRadar Pro: https://www.techradar.com/pro/security/marquis-confirms-data-breach-point-finger-of-blame-at-sonicwall-firewall
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies. Each control below is mapped to the stage of the attack path it would have constrained.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial unauthorized access may have been constrained by limiting exposure of critical services to only trusted entities.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing identity-aware access controls.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network could have been constrained by enforcing east-west traffic controls.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may have been limited by monitoring and controlling outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could have been constrained by enforcing strict egress policies.
Taken together, these controls could have limited the attacker's ability to deploy ransomware and disrupt operations by reducing the set of critical systems the compromised credentials could reach.
Impact at a Glance
Affected Business Functions
- Customer Data Management
- Financial Transactions Processing
- Regulatory Compliance Reporting
Estimated downtime: 14 days
Estimated loss: $5,000,000
Personal and financial information of over 672,000 individuals (later reporting cites more than 1.3 million), including names, addresses, dates of birth, Social Security numbers, and financial account details.
Recommended Actions
Key Takeaways & Next Steps
- Implement continuous monitoring and regular penetration testing to identify and remediate vulnerabilities promptly, and include vendor-held artifacts such as firewall configuration backups in the scope of what is reviewed.
- Enforce strict access controls and least privilege so that a single set of compromised credentials cannot reach privileged systems.
- Deploy network segmentation to restrict lateral movement within the network.
- Establish robust data encryption practices to protect sensitive information both in transit and at rest.
- Develop and regularly test incident response plans, including a credential-rotation playbook for the case where a vendor holding configuration or credential data is breached, to ensure rapid containment and recovery.