Full Report
A legal dispute is intensifying in Texas as fintech firm Marquis sues its firewall provider, SonicWall, alleging that security failures within the company’s cloud backup service directly contributed to a far-reaching ransomware attack. The lawsuit, filed Monday in the U.S. District Court for the Eastern District of Texas, seeks a jury trial. Marquis claims that a 2025 breach at SonicWall “exposed critical security information for Marquis and every customer that used SonicWall’s firewall cloud backup service.” According to the complaint, hackers gained access to sensitive firewall configuration backup files, which were later used to infiltrate Marquis’ internal systems.

The Alleged Bypass Through SonicWall

Firewalls are designed to block unauthorized access to internal networks. However, Marquis contends that attackers exploited data stolen from SonicWall’s cloud backup service to understand precisely how customers configured their firewalls. That insight allegedly gave them a blueprint for breaching defenses.

Among the information reportedly taken were emergency access credentials known as scratch codes. According to the complaint, these codes were intended for urgent administrative access and were used by attackers to bypass safeguards and enter Marquis’ network.

“SonicWall allowed a threat actor to obtain the keys to bypass that line of defense and walk right into Marquis’s internal network, the very thing that SonicWall’s firewall was supposed to prevent,” the lawsuit states.

Once inside, hackers allegedly deployed a ransomware attack that disrupted operations and extracted sensitive information.
Marquis, which provides data visualization tools to hundreds of banks and credit unions, reported that the attackers accessed “personally identifiable information concerning customers of some of Marquis’s financial institution clients.” The stolen data includes names, dates of birth, postal addresses, and financial details such as bank account numbers and debit and credit card numbers. Social Security numbers were also compromised in the cyberattack.

Scope of the Data Breach

SonicWall first disclosed a breach in mid-September 2025, initially stating that fewer than 5% of customer firewall configuration backup files had been exfiltrated from storage servers hosted on Amazon’s cloud and maintained by SonicWall. However, in October, the company revised its statement, acknowledging that every customer had their firewall backup files stolen in the incident.

Marquis began notifying affected individuals in December 2025 that its network had been breached in August of that year. SonicWall has not disclosed when the attackers first gained access to its systems, leaving uncertainty about how long the vulnerability may have existed.

In its complaint, Marquis alleges that a code change made in February 2025 to one of SonicWall’s APIs “created a vulnerability exploitable by threat actors.” According to the lawsuit, this flaw allowed hackers to access customer firewall configuration backup files “without proper authentication” by guessing predictable firewall serial numbers.

Marquis has not confirmed the total number of people affected. However, a listing with the Texas attorney general indicates that at least 400,000 individuals across the United States have been impacted. That figure is expected to increase as additional data breach notifications are filed with attorneys general in other states. The lawsuit now places SonicWall’s security practices for its cloud backup service under scrutiny.
A jury in the Eastern District of Texas will ultimately determine whether the alleged vulnerabilities and subsequent ransomware attack stemmed from failures in SonicWall’s security controls, as Marquis claims.
Analysis Summary
# Incident Report: SonicWall Cloud Backup Breach Leading to Marquis Ransomware Attack
## Executive Summary
In 2025, the fintech firm Marquis suffered a major ransomware attack after hackers exploited a vulnerability in SonicWall’s cloud backup service. The breach at SonicWall allowed threat actors to steal firewall configuration backup files, including emergency administrative credentials ("scratch codes"). These stolen files provided the blueprint necessary to bypass Marquis’s firewalls, leading to the infiltration, ransomware deployment, and exfiltration of sensitive customer PII. Marquis is now suing SonicWall over the alleged security failures in the backup service.
## Incident Details
- **Discovery Date:** SonicWall disclosed the breach in mid-September 2025; Marquis claims the breach of its network occurred in **August 2025**.
- **Incident Date:** The core external compromise (SonicWall breach) is linked to a February 2025 flaw; Marquis ransomware deployment occurred around **August 2025**.
- **Affected Organization:** Marquis (Victim), SonicWall (Third-Party Vendor).
- **Sector:** Financial Technology (Fintech), Data Security Vendors.
- **Geography:** U.S. District Court for the Eastern District of Texas (Lawsuit Location); Affected individuals across the United States.
## Timeline of Events
### Initial Access (External to SonicWall)
- **Date/Time:** Unknown, but a code change in **February 2025** allegedly created the exploitable vulnerability. Initial access to SonicWall systems likely occurred between February and August 2025.
- **Vector:** Exploitation of a vulnerable API in SonicWall’s cloud backup service.
- **Details:** A code change in February 2025 allegedly created a flaw allowing threat actors to access firewall configuration backup files "without proper authentication" by guessing predictable firewall serial numbers.
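As an added example (not SonicWall's code; the serials, tenants, tokens and records are constructed placeholders), the access-control pattern the complaint describes, a lookup keyed only on a guessable serial number, shown beside a hardened form that ties each backup to an authenticated tenant and counts denials so a serial-guessing burst is visible:

```python
"""Constructed model of a backup-download endpoint: the vulnerable pattern
(serial number is the only thing checked) next to a hardened one
(authenticated session + ownership check + denial audit). Not SonicWall's code."""
import secrets
from collections import Counter
from typing import Optional

# Constructed sample data: backup blobs keyed by firewall serial number.
BACKUPS = {
    "SN-000100": b"tenant=acme;admin=alice;scratch_code=[REDACTED]",
    "SN-000101": b"tenant=globex;admin=bob;scratch_code=[REDACTED]",
}
SERIAL_OWNER = {"SN-000100": "acme", "SN-000101": "globex"}  # registration records
SESSIONS = {"tok-acme": "acme", "tok-globex": "globex"}      # token -> logged-in tenant
DENIALS: Counter = Counter()                                 # audit: denials per session


def get_backup_vulnerable(serial: str) -> Optional[bytes]:
    """Vulnerable pattern: the serial is the only thing checked. Serials are
    predictable, so any caller can request any customer's configuration."""
    return BACKUPS.get(serial)


class NotFound(Exception):
    """One generic failure for both 'no such serial' and 'not your serial', so the
    endpoint does not confirm which serials exist."""


def get_backup(session_token: str, serial: str) -> bytes:
    """Hardened pattern: authenticate the session, then require that the requested
    serial is registered to the session's tenant. Every denial is counted."""
    tenant = SESSIONS.get(session_token)
    if tenant is None:
        raise PermissionError("authentication required")
    owner = SERIAL_OWNER.get(serial)
    if owner is None or not secrets.compare_digest(owner, tenant):
        DENIALS[session_token] += 1
        raise NotFound(serial)
    return BACKUPS[serial]


def sessions_over_threshold(limit: int) -> list:
    """Detection helper: sessions whose denial count exceeds `limit`, the signature
    of a caller stepping through serial numbers against the hardened endpoint."""
    return sorted(tok for tok, n in DENIALS.items() if n > limit)
```

The vulnerable function hands back another tenant's configuration (scratch code included) to anyone who supplies a valid serial; the hardened one refuses foreign and unknown serials identically and leaves an audit trail.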
### Lateral Movement (External on Marquis Network)
- **Date/Time:** **August 2025** (when Marquis network was breached).
- **Vector:** Use of configuration data and credentials stolen from SonicWall's cloud service.
- **Details:** Attackers used the compromised firewall configuration data to understand customer defenses. Crucially, they allegedly obtained **scratch codes** (emergency access credentials) which were used to bypass the Marquis firewall safeguards and enter the internal network.
### Data Exfiltration/Impact
- **Mechanism:** Ransomware attack deployed after gaining entry.
- **Details:** Disruption of operations occurred. Sensitive personally identifiable information (PII) concerning customers of Marquis’s financial institution clients was extracted. Compromised data included names, dates of birth, postal addresses, financial details (bank account numbers, debit/credit card numbers), and Social Security numbers.
### Detection & Response
- **Detection (SonicWall):** Mid-September 2025 (SonicWall disclosed its breach).
- **Detection (Marquis):** August 2025 (Ransomware deployment/Network breach).
- **Marquis Notification:** Began notifying affected individuals in **December 2025**.
- **Response Actions Taken:** Marquis pursued legal action against SonicWall, seeking a jury trial.
## Attack Methodology
- **Initial Access:** Exploitation of a vulnerability in SonicWall's API allowing unauthenticated access to configuration backups by predicting serial numbers.
- **Persistence:** Not explicitly detailed, but access was maintained long enough to conduct a full ransomware deployment.
- **Privilege Escalation:** Usage of stolen **scratch codes** (emergency administrative credentials) to bypass the firewall defense.
- **Defense Evasion:** Bypassing the primary network defense (SonicWall firewall) using knowledge gained from the backup files plus stolen high-privilege credentials.
- **Credential Access:** Direct theft of emergency administrative credentials ("scratch codes") stored within the compromised backup files.
- **Discovery:** Attackers used the stolen firewall configuration blueprints to map Marquis's security posture.
- **Lateral Movement:** Gaining access to the internal network via the compromised firewall bypass.
- **Collection:** Gathering names, DOBs, addresses, financial details, and SSNs belonging to customers of Marquis’s clients.
- **Exfiltration:** Stolen data was extracted after ransomware deployment.
- **Impact:** Deployment of ransomware leading to operational disruption and mass PII theft.
## Impact Assessment
- **Financial:** Litigation filed; financial impact includes damages sought in the lawsuit, operational downtime, and remediation costs (not quantified in the available reporting).
- **Data Breach:** Highly sensitive PII compromised, including SSNs, financial details, names, addresses, and DOBs for customers of Marquis's financial institution clients. At least **400,000 individuals** in the US are confirmed impacted via Texas AG filings, with the total expected to rise.
- **Operational:** Disruption to Marquis's operations due to the ransomware attack.
- **Reputational:** Significant reputational damage to Marquis due to the breach involving customer data from hundreds of banks/credit unions, amplified by the public lawsuit against a major security vendor.
## Indicators of Compromise
*Indicators are inferred based on the description of the attack.*
- **Network Indicators (Defanged):** No specific malicious IPs or domains are known; the expected indicator is unauthorized requests to SonicWall's cloud backup storage endpoints exploiting the **February 2025** code change.
- **File Indicators:** Presence of unknown ransomware payload on Marquis systems post-August 2025.
- **Behavioral Indicators:** Use of emergency administrative credentials (scratch codes) to authenticate to the Marquis firewall and enter the internal network, bypassing the established firewall rules.
## Response Actions
- **Containment:** Not detailed, but immediate containment would revolve around isolating compromised network segments post-ransomware deployment.
- **Eradication:** Not detailed, but would involve removing the ransomware strain and ensuring all administrative access vectors (including the use of compromised scratch codes) were revoked.
- **Recovery Actions:** Marquis began individual breach notifications in December 2025. Legal action initiated seeking accountability from SonicWall.
## Lessons Learned
- **Third-Party Risk:** Security failures in critical third-party services (like cloud backups) can directly translate into catastrophic primary business impact (a supply chain risk failure).
- **Credential Management:** Emergency access credentials ("scratch codes") must be rigorously protected, as their compromise allowed threat actors to bypass the perimeter defenses that the customer's own firewall was meant to enforce.
- **Vulnerability Disclosure Discrepancies:** SonicWall's initial minimal disclosure ("fewer than 5% of files") proved drastically inaccurate when the company acknowledged that *every* customer's backup files had been stolen, highlighting the difficulty of accurate rapid incident assessment and communication.
## Recommendations
- **Supply Chain Vetting:** Implement enhanced scrutiny and contractual requirements for security controls and code integrity review processes for all vendors managing critical customer configuration data or credentials.
- **Credential Rotation/Isolation:** Review security practices around emergency/break-glass credentials. These should be stored outside configuration backups, managed in a dedicated secrets vault separate from the production operational environment, and rotated immediately after any suspected compromise or major security architecture change.
- **Proactive Defense Review:** Assume perimeter security knowledge is potentially compromised. Focus on robust network segmentation and Zero Trust principles internally, anticipating that perimeter defenses (like firewalls) might be successfully bypassed if configuration knowledge is stolen.