- Supporting data: At least 70 financial institutions and an estimated 400,000 consumers were affected by the ransomware attack on the third-party vendor.
- Key insight: Patching the SonicWall vulnerability is not enough; administrators must reset passwords as attackers are using stolen credentials to bypass MFA.
- What’s at stake: The incident highlights the persistent danger of third-party vendor risk, as the breach occurred entirely outside the banks’ internal networks.
Overview bullets generated by AI with editorial review
A ransomware attack on Marquis Software Solutions compromised the personal and financial data of hundreds of thousands of consumers across dozens of community banks and credit unions, highlighting the persistent dangers of third-party vendor risk and unpatched software vulnerabilities.
The breach, which occurred in August, was facilitated by a vulnerability in SonicWall firewalls — a flaw that security researchers warn is being actively exploited by a ransomware group known as Akira. The flaw enables attackers to bypass multifactor authentication when seeking VPN access.
Marquis, a marketing and compliance vendor, detected suspicious activity on its network on Aug. 14, according to disclosures the company made to multiple state attorneys general.
A subsequent investigation revealed that an unauthorized third party had accessed the company’s systems that same day and “may have acquired certain files,” according to
While Marquis said in consumer notifications that it has “no evidence of the misuse, or attempted misuse, of personal information,” one affected financial institution disclosed in a breach notification that the vendor had paid the attackers.
“Marquis paid a ransomware shortly after [Aug. 14],” according to
Victim organizations pay ransoms in cases of ransomware in an effort to stop the attacker from releasing stolen data. The FBI advises organizations not to pay ransoms, as they help fund the activities of the ransomers.
The Marquis incident has had a sprawling impact on the financial services sector. Data breach notifications filed in
In Washington state alone, 270,000 individuals were affected, according to
SOCRadar, a threat intelligence firm,
The compromised data includes names, Social Security numbers, dates of birth and financial account information, according to
Marquis emphasized that the incident was “limited to Marquis’ environment” and did not impact the internal systems of its client financial institutions, according to the disclosures.
The vulnerability: SonicWall and Akira ransomware
Marquis traced the breach to a previously disclosed vulnerability in SonicWall’s software.
“The investigation revealed that an unauthorized third party accessed Marquis’ network through its SonicWall firewall,” according to the company’s disclosures to state attorneys general.
This aligns with a broader campaign of attacks targeting SonicWall VPN devices. Security researchers have linked these attacks to the Akira ransomware group, noting that threat actors are exploiting an improper access control vulnerability in SonicOS.
That vulnerability had been
“From late July through early August 2025, multiple security vendors have reported exploitation of SonicWall VPNs, leading to Akira ransomware deployment,” according to
The vulnerability affects SonicWall Gen 5 and Gen 6 firewalls, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions, according to a SonicWall security advisory. The flaw allows unauthorized resource access and, in some conditions, can cause the firewall to crash.
The critical gap in patching
For bankers and IT security teams, the critical lesson from this incident is that applying a software patch is insufficient if credentials have already been compromised.
SonicWall warned that incidents this summer exploiting the vulnerability disclosed last year involved “migrations from sixth-generation to seventh-generation firewalls, where local user passwords were carried over during the migrations and were not reset after,” according to
Threat actors have been observed successfully authenticating against accounts even with one-time password multifactor authentication enabled, suggesting they are using valid, stolen credentials. “In over half of the intrusions analyzed, we observed login attempts against accounts with the one-time password feature enabled,” according to
Remediation and protection
SonicWall and security researchers urge financial institutions using these devices to go beyond simply applying the latest security patch.
“Organizations remain vulnerable if they have not fully implemented the mitigation advice by updating credentials after updating the firmware,” according to
Remediation is a detailed and involved process, per
Marquis said it has implemented additional security technologies, including “deploying an endpoint detection and response tool,” and is rebuilding its impacted infrastructure with new operating systems, according to
SonicWall said following the summer wave of attacks by Akira that it had listed password resets as a “critical step” in its
Marquis did not state in its disclosures to state attorneys general whether the company had reset passwords last year, when SonicWall disclosed the vulnerability and advised customers to do so. It did say part of its remediation efforts following the ransomware attack included password resets for VPN users.