Full Report
Bleeping Computer reports: Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US. Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders. In data breach notifications...
Analysis Summary
# Incident Report: Marquis Software Solutions Ransomware Data Breach
## Executive Summary
Marquis Software Solutions, a provider of financial software services, suffered a data breach resulting from a ransomware attack that began on August 14, 2025. The attackers gained initial access through a vulnerability in the company's SonicWall firewall. The incident resulted in the exfiltration of customer files containing personal information, impacting dozens of client banks and credit unions across the United States; initial notifications across several states reported over 721,000 affected individuals.
## Incident Details
- Discovery Date: N/A (not stated; discovery is implied to have followed the August 14, 2025 attack, during which data was exfiltrated)
- Incident Date: August 14, 2025 (Date of the ransomware attack/network breach)
- Affected Organization: Marquis Software Solutions
- Sector: Financial Software Provider / Fintech
- Geography: United States (Notifications filed in Maine, Iowa, South Carolina, Massachusetts, Washington State, and Texas)
## Timeline of Events
### Initial Access
- Date/Time: August 14, 2025
- Vector: Exploitation of SonicWall firewall vulnerability.
- Details: Attackers breached the network by exploiting a vulnerability present in the company's SonicWall firewall infrastructure.
### Lateral Movement
- Details: Not explicitly detailed in the source, but presumed necessary to access and steal "certain files from its systems."
### Data Exfiltration/Impact
- Details: Attackers stole "certain files from its systems" containing personal information belonging to the business customers (banks and credit unions). This was associated with a ransomware attack, though ransom payment status is unconfirmed.
### Detection & Response
- Detection: Discovery occurred sometime after August 14, 2025, leading to data breach notifications filed with various US Attorney General offices.
- Response Actions: Notifications were filed with multiple state AG offices (e.g., Maine and Iowa).
## Attack Methodology
- Initial Access: Exploitation of SonicWall firewall (likely unpatched vulnerability).
- Persistence: N/A (Not detailed)
- Privilege Escalation: N/A (Not detailed)
- Defense Evasion: N/A (Not detailed)
- Credential Access: N/A (Not detailed)
- Discovery: N/A (Not detailed)
- Lateral Movement: Implied to allow access to file systems containing customer data.
- Collection: Stealing of "certain files from its systems."
- Exfiltration: Data exfiltration occurred prior to or during the ransomware event.
- Impact: Data theft leading to notification requirements for numerous downstream financial institutions and their customers.
## Impact Assessment
- Financial: Not disclosed, but likely included investigation costs, notification costs, and potential regulatory fines. One report suggested a ransom may have been paid.
- Data Breach: Personal information belonging to customers of downstream banks and credit unions. Preliminary confirmed reports across several states show a subtotal of approximately 721,000 affected consumers (e.g., 42,784 in Maine alone).
- Operational: Disruption to Marquis Software Solutions' internal operations due to the ransomware attack. Indirect impact on over 700 client institutions.
- Reputational: Significant reputational damage to Marquis Software Solutions and the numerous financial institutions they serve.
## Indicators of Compromise
- Network Indicators: Traffic associated with the exploited SonicWall firewall at the network perimeter (specific IOCs not provided).
- File Indicators: N/A
- Behavioral Indicators: Execution of ransomware payload post-breach; unauthorized large-scale file access/theft.
## Response Actions
- Containment: Implied actions to isolate impacted network segments following the August 14 breach.
- Eradication: Steps taken to remove the threat actor and malware from the environment.
- Recovery Actions: Restoring systems following the ransomware attack and notifying affected parties as required by US state laws.
## Lessons Learned
- Heavy reliance on perimeter defenses (firewall security) can expose downstream clients once that perimeter control fails.
- Insufficient patching or vulnerability management for critical edge devices (SonicWall) can lead to major breaches.
- Compromise of a B2B service provider directly impacts hundreds of downstream customers.
## Recommendations
- Immediately implement rigorous patch management for all internet-facing security appliances, particularly firewalls.
- Conduct thorough penetration testing focused explicitly on perimeter devices utilizing known public exploits.
- Review and significantly enhance network segmentation to limit lateral movement should the perimeter control fail.
- Ensure all stored customer data is adequately encrypted both at rest and in transit where feasible, to mitigate damage from data exfiltration.