Marquis data breach impacts over 74 US banks, credit unions
By Lawrence Abrams
December 3, 2025 05:06 PM
Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US.

Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders.

In data breach notifications filed with US Attorney General offices, Marquis says it suffered a ransomware attack on August 14, 2025, after its network was breached through its SonicWall firewall. This allowed the hackers to steal "certain files from its systems" during the attack.

"The review determined that the files contained personal information received from certain business customers," reads a notification filed with Maine's AG office.

"The personal information potentially involved for Maine residents includes names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, financial account information without security or access codes, and dates of birth."

Marquis is now filing notifications on behalf of its customers, in some cases breaking down the number of people impacted per bank in a state. These notifications state that similar data was exposed in the attack for customers in other U.S. states.

According to notifications filed in Maine, Iowa, and Texas, over 400,000 customers have been impacted from the following 74 banks and credit unions.

1st Northern California Credit Union
Abbott Laboratories Employees Credit Union
Advantage Federal Credit Union
Agriculture Federal Credit Union
Alltrust Credit Union
BayFirst National Bank
Bellwether Community Credit Union
C&N Bank
Cape Cod Five
Capital City Bank Group
Central Virginia Federal Credit Union
Clark County Credit Union
Community 1st Credit Union
Community Bancshares of Mississippi, Inc.
Cornerstone Community Financial Credit Union
CPM Federal Credit Union
CSE Federal Credit Union
CU Hawaii Federal Credit Union
d/b/a Community Bank
Discovery Federal Credit Union
Earthmover Credit Union
Educators Credit Union
Energy Capital Credit Union
Fidelity Cooperative Bank
First Community Credit Union
First Northern Bank of Dixon
Florida Credit Union
Fort Community Credit Union
Founders Federal Credit Union
Freedom of Maryland Federal Credit Union
Gateway First Bank
Generations Federal Credit Union
Gesa Credit Union
Glendale Federal Credit Union
Hope Federal Credit Union
IBERIABANK n/k/a First Horizon Bank
Industrial Federal Credit Union
Interior Federal
Interior Federal Credit Union
Interra Credit Union
Jonestown Bank & Trust Co.
Kemba Financial Credit Union
Liberty First Credit Union
Maine State Credit Union
Market USA FCU
MemberSource Credit Union
Michigan First Credit Union
MIT Federal Credit Union
New Orleans Firemen's Federal Credit Union
New Peoples Bank
Newburyport Five Cents Savings Bank
NIH Federal Credit Union
Pasadena Federal Credit Union
Pathways Financial Credit Union
Peake Federal Credit Union
Pelican Credit Union
Pentucket Bank
PFCU Credit Union
QNB Bank
Security Credit Union
Seneca Savings
ServU Credit Union
StonehamBank Cooperative
Suncoast Credit Union
Texoma Community Credit Union
Thomaston Savings Bank
Time Bank
TowneBank
Ulster Savings Bank
University Credit Union
Valley Strong Credit Union
Westerra Credit Union
Whitefish Credit Union
Zing Credit Union

At this time, Marquis says that there is no evidence that data has been misused or published anywhere.

However, as previously reported by Comparitech, a now-deleted filing by Community 1st credit union claimed that Marquis paid a ransom, which is done to prevent the leaking and abuse of stolen data.

"Marquis paid a ransomware shortly after 08/14/25. On 10/27/25 C1st was notified that nonpublic personal information related to C1st members was included in the Marquis breach," reads the deleted notification seen by Comparitech.

While the company's data breach notifications state only that it has "taken steps to reduce the risk of this type of incident," a filing by CoVantage Credit Union with the New Hampshire AG shares further details about how the company is increasing security.

This notification states that Marquis has now enhanced its security controls by doing the following:

Ensuring that all firewall devices are fully patched and up to date,
Rotating passwords for local accounts,
Deleting old or unused accounts,
Ensuring that multi-factor authentication is enabled for all firewall and virtual private network ("VPN") accounts,
Increasing logging retention for firewall devices,
Applying account lock-out policies at the VPN for too many failed logins,
Applying geo-IP filtering to only allow connections from specific countries needed for business operations, and
Applying policies to automatically block connections to/from known Botnet Command and Control servers at the firewall.

These steps indicate that the threat actors likely gained access to the company network through a SonicWall VPN account, a known tactic used by some ransomware gangs, especially Akira ransomware.

Targeting SonicWall firewalls

While Marquis has not shared any further details about the ransomware attack, the Akira ransomware gang has been targeting SonicWall firewalls to gain initial access to corporate networks since at least early September 2024.

Akira started breaching SonicWall SSL VPN devices in 2024 by exploiting the CVE-2024-40766 vulnerability, which allowed attackers to steal VPN usernames, passwords, and seeds to generate one-time passcodes.

Even after SonicWall patched the bug, many organizations didn't properly reset their VPN credentials, allowing Akira to continue breaching patched devices with previously stolen credentials.

A recent report shows the group is still signing in to SonicWall VPN accounts even when MFA is enabled, suggesting the attackers stole OTP seeds during the earlier exploitation.

Once Akira gets in through the VPN, they move quickly to scan the network, perform reconnaissance, gain elevated privileges in the Windows Active Directory, and steal data before deploying ransomware.
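Three of the controls listed in the CoVantage filing (geo-IP filtering, VPN lock-out after too many failed logins, and deleting unused accounts) can be checked against VPN authentication logs. The following is an added example, not code from the article or from Marquis; the log format, account names, thresholds and country allowlist are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not a real SonicWall log format):
# ISO timestamp, VPN account, source country from a geo-IP lookup, result
SAMPLE_EVENTS = """\
2025-01-06T02:10:05,svc_backup,NL,FAIL
2025-01-06T02:10:09,svc_backup,NL,FAIL
2025-01-06T02:10:14,svc_backup,NL,FAIL
2025-01-06T02:10:20,svc_backup,NL,FAIL
2025-01-06T02:10:31,svc_backup,NL,FAIL
2025-01-06T02:11:02,svc_backup,NL,OK
2025-01-06T08:30:00,jdoe,US,FAIL
2025-01-06T08:30:20,jdoe,US,OK
2025-01-06T09:00:00,old_vendor,US,OK
"""

ALLOWED_COUNTRIES = {"US"}                     # assumed: business operates from the US only
MAX_FAILS, WINDOW = 5, timedelta(minutes=10)   # assumed lock-out policy
ACTIVE_ACCOUNTS = {"jdoe", "svc_backup"}       # assumed current account inventory


def audit(log_text):
    """Return sorted (account, finding) pairs for events that violate the controls."""
    findings = set()
    fails = defaultdict(list)   # account -> timestamps of failures inside the window
    locked = {}                 # account -> time the lock-out threshold was reached
    for line in log_text.strip().splitlines():
        ts_raw, user, country, result = line.split(",")
        ts = datetime.fromisoformat(ts_raw)
        if country not in ALLOWED_COUNTRIES:
            findings.add((user, "geo-ip: source country not allowed"))
        if user not in ACTIVE_ACCOUNTS:
            findings.add((user, "stale account: not in inventory"))
        if result == "FAIL":
            fails[user] = [t for t in fails[user] if ts - t <= WINDOW] + [ts]
            if len(fails[user]) >= MAX_FAILS:
                locked[user] = ts
        elif user in locked and ts - locked[user] <= WINDOW:
            # A success this soon after reaching the threshold means no lock-out applied
            findings.add((user, "lock-out: login succeeded after failure burst"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_EVENTS):
        print(f"{account}: {finding}")
```
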
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.
Comments
powerspork - 5 hours ago
"This notification states that Marquis has now enhanced its security controls by doing the following: (yada yada)"
A lot of these are very basic security steps. Does this phrase imply that they were not doing these things consistently or at all before? Seems likely given Sonicwall is implicated. It just seems like yet another massive breach caused by the most basic of failures: not updating firewall, not enabling VPN MFA.
Even the smallest of banks are required to perform these steps and regularly audited to make sure they do. Why wasn't Marquis held to the same standard?
The Marquis Software Solutions data breach, disclosed in December 2025, has impacted over 74 US banks and credit unions, exposing sensitive customer information. The breach originated with a ransomware attack on August 14, 2025, targeting Marquis’s network through a compromised SonicWall firewall. This allowed attackers to extract “certain files” containing personal information.
Specifically, the compromised data included names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, financial account information (lacking security or access codes), and dates of birth. Approximately 400,000 customers across these institutions have been affected. Notably, the affected banks and credit unions include 1st Northern California Credit Union, Abbott Laboratories Employees Credit Union, and many others, spanning states like Maine, Iowa, and Texas.
Following the initial attack, Marquis initiated data breach notifications to relevant authorities, including the US Attorney General offices of various states. In response, Marquis has implemented security enhancements, including fully patched and up-to-date firewall devices, rotating passwords for local accounts, deletion of unused accounts, enabling multi-factor authentication for VPN accounts, increased logging retention, account lockout policies for VPN logins, geolocation filtering, and blocking connections to known botnet command-and-control servers.
The attackers exploited a vulnerability in SonicWall SSL VPN devices, a tactic commonly employed by the Akira ransomware gang, who have been targeting these firewalls since 2024. The gang gained initial access by stealing VPN usernames, passwords, and the seeds used to generate one-time passcodes, and continued to sign in with them even after SonicWall released patches. This suggests the attackers retained stolen credentials, indicating a failure to promptly reset VPN credentials after security updates. The Akira gang quickly scanned the network, gained elevated privileges in the Windows Active Directory, and ultimately stole data before deploying ransomware.
While Marquis states there is no evidence of data misuse or publication, initial notifications, such as one from Community 1st Credit Union, indicate that Marquis paid a ransom to prevent the data from being leaked. This further highlights the potential for damage and underscores the vulnerabilities within the company's security posture. The breach serves as a stark reminder of the importance of consistent security practices, prompt patching of vulnerabilities, and robust multi-factor authentication, elements which were evidently lacking in Marquis's security measures, given the successful exploitation of a widely known SonicWall vulnerability. The incident underscores the continued risk posed by ransomware groups and the need for financial institutions to maintain stringent cybersecurity protocols.