- Key insight: Internal communications suggest Marquis paid a ransom to suppress the data, despite stating there was no evidence of misuse.
- Supporting data: The breach affected at least 823,548 customers across 80 banks and credit unions, more than double the initial estimate.
- Expert quote: “Organizations remain vulnerable if they have not fully implemented the mitigation advice by updating credentials after updating the firmware,” the Australian government said in an advisory.
Overview bullets generated by AI with editorial review
New disclosures about a ransomware attack on marketing and compliance vendor Marquis Software Solutions indicate the resulting data breach affected at least 823,548 customers of at least 80 banks and credit unions.
The updated figures come from an analysis by American Banker of public disclosures by state attorneys general and financial institutions. The numbers reveal a sprawling impact across the community banking sector as states and affected banks and credit unions continue releasing notifications about the breach.
An
In
Other states reported significant numbers, as well.
The compromised data includes names, Social Security numbers, dates of birth, and financial account information, according to disclosures to multiple states by Marquis.
Vulnerability and MFA bypass
To execute the breach, threat actors exploited a known vulnerability in a firewall product Marquis used, according to the company’s disclosures.
“The investigation revealed that an unauthorized third party accessed Marquis’ network through its SonicWall firewall on August 14,” the company said in the letter to Iowa’s attorney general.
Security researchers linked the breach to a campaign by the Akira ransomware group. Last year, the group exploited a critical improper access control vulnerability (CVE-2024-40766) in a SonicWall VPN product.
Critically, patching the software was insufficient to stop the attackers, and Akira bypassed multifactor authentication as part of the attack.
“In over half of the intrusions analyzed, we observed login attempts against accounts with the one-time password feature enabled,” according to a report from Arctic Wolf Labs.
Attackers likely used valid credentials harvested from devices prior to the patch, which is how they defeated multifactor authentication and security patches, the security firm said.
“Organizations remain vulnerable if they have not fully implemented the mitigation advice by updating credentials after updating the firmware,” according to a Sept. 10 alert from the Australian Cyber Security Centre.
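The advisory quoted above boils down to a simple audit: after the firewall firmware is patched, any credential that was not rotated afterwards may already have been harvested, and OTP on the account does not cover that case. The following script, an added example rather than anything from the article or from Marquis, runs that check over a constructed account inventory; the field names, timestamps and user names are assumptions.

```python
"""Post-patch credential-rotation audit (added example, not from the article).

An account is still exposed if its credential was set before or at the
firmware patch time, or was never rotated at all. OTP status is reported
but does not clear the finding, matching the Arctic Wolf observation.
"""
from datetime import datetime, timezone

# Constructed sample: when the firewall firmware was patched (assumed value).
FIRMWARE_PATCHED_AT = datetime(2024, 9, 1, 12, 0, tzinfo=timezone.utc)

# Constructed inventory of firewall/VPN accounts (not real data).
ACCOUNTS = [
    {"user": "alice", "otp_enabled": True, "credential_rotated_at": "2024-09-03T09:00:00Z"},
    {"user": "bob", "otp_enabled": True, "credential_rotated_at": "2024-06-15T08:30:00Z"},
    {"user": "svc-backup", "otp_enabled": False, "credential_rotated_at": None},
    {"user": "carol", "otp_enabled": False, "credential_rotated_at": "2024-09-01T11:59:00Z"},
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp; None means the credential was never rotated."""
    if ts is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def needs_rotation(account, patched_at=FIRMWARE_PATCHED_AT):
    """True if the credential predates (or coincides with) the firmware patch.

    Rotation must happen strictly after the patch: a secret set at or before
    the patch time could have been harvested from the unpatched device.
    """
    rotated = _parse(account["credential_rotated_at"])
    return rotated is None or rotated <= patched_at


def audit(accounts=ACCOUNTS, patched_at=FIRMWARE_PATCHED_AT):
    """Return (user, reason) pairs for accounts still considered exposed."""
    findings = []
    for acct in accounts:
        if needs_rotation(acct, patched_at):
            reason = "credential predates firmware patch"
            if acct["otp_enabled"]:
                # OTP on the account does not mitigate a harvested secret.
                reason += "; OTP enabled but does not mitigate harvested secret"
            findings.append((acct["user"], reason))
    return findings


if __name__ == "__main__":
    for user, reason in audit():
        print(f"{user}: {reason}")
```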
Ransom payment and remediation
While Marquis stated in consumer notifications that it has “no evidence of the misuse” of the stolen data, internal communications suggest the vendor paid the attackers to suppress the data.
“Marquis paid a ransomware” shortly after Aug. 14, according to a Nov. 7 email from Bobbi Terrell, chief compliance and business services officer at Community 1st Credit Union, sent to the Iowa attorney general.
Marquis emphasized that the incident did not spread to the internal systems of its banking clients. “The incident was limited to Marquis’ environment,” the company wrote in the letter to Iowa regulators.
Since the attack, Marquis has implemented additional security measures. The company deployed an endpoint detection and response tool and rebuilt its impacted infrastructure with new operating systems, according to a Nov. 26 letter submitted by CoVantage Credit Union to the New Hampshire attorney general.
Marquis also rotated passwords for local accounts and applied stricter geographic-based IP filtering to its firewalls.
Financial institutions began mailing notifications to affected customers in late November.
“Marquis provided us with a list of our members whose information was involved in the incident, and we have coordinated with Marquis to notify those members,” according to a Dec. 6 statement from Blaze Credit Union.
Affected institutions are offering 12 to 24 months of complimentary credit monitoring and identity theft protection services through Epiq.
