Marquis, a U.S. provider of fintech services, is alerting dozens of banks and credit unions that their customer data was accessed after the company was hit by a ransomware attack, increasing third-party risk fears in the financial sector.
Filings to state data-breach regulators indicate the attack took place on August 14 and led to the theft of sensitive personal and financial data. The company is still trying to figure out what hackers accessed, a company spokeswoman said. Officials in Texas say at least 354,000 residents are affected; a filing made with the Maine attorney general says customers of the Maine State Credit Union make up the majority of notifications in that state. The total is among the highest in all the states, and is likely to increase as other states release their disclosures.

Marquis, which is based in Texas and provides compliance and marketing analytics tools to financial institutions, has more than 700 banks and credit unions as customers. Because Marquis collects and processes customer records, the company holds very sensitive information that gives it great appeal to criminal groups looking for leverage and easily monetizable data.
What data was stolen and why it matters for consumers
According to notices sent by the company to state regulators, the attackers obtained names, dates of birth, mailing addresses, and financial information, including bank account, debit card, and credit card numbers, as well as Social Security numbers.
The combination of identifiers and financial information increases the threat of identity theft, account takeover, and synthetic identity fraud. Javelin Strategy & Research has put identity fraud losses in the tens of billions of dollars a year, while the financial sector is perennially among the costliest industries for breaches, according to IBM’s latest Cost of a Data Breach Report.
Even if payment cards are reissued relatively promptly, Social Security numbers and birth dates are persistent credentials for criminals, allowing long-tail fraud that can come to fruition months after an incident. That persistent risk is why regulators and banks are placing a greater focus on continuous monitoring rather than one-time remediation.
Ransomware Entry Point Linked to SonicWall Flaw
Marquis said in conversations with state investigators that this incident was the result of a zero-day exploit affecting the SonicWall firewalls it used. Zero-day attacks are particularly harmful because defenders have no patch or signature at the moment of exploitation, giving attackers a “head start.”
Though Marquis did not identify the attackers, security researchers believe the Akira ransomware gang was associated with mass exploitation operations against SonicWall appliances around that time. U.S. agencies including CISA and the FBI have also issued warnings about such groups’ predilection for edge devices (VPNs, firewalls, email gateways), since a single misconfiguration or unpatched flaw can provide deep access to networks.
The incident underscores a trend we’re seeing more and more: rapid weaponization of bugs in perimeter gear, with weeks, days, or even scant hours standing between public disclosure and exploitation. Recent offensive operations against commercially available devices from a range of vendors have highlighted the need for robust change controls, network segmentation, and fast patch pipelines for internet-facing systems.

Notifications to customers and rising regulatory pressure
Marquis is informing affected institutions and individuals in accordance with state breach notification laws. Many banks are also subject to sector-specific expectations: the New York Department of Financial Services’ cybersecurity rule mandates expedited reporting for certain incidents, while federal banking regulators’ third-party risk guidance demands that firms attest to reviewing vendors’ security controls and incident response readiness.
For banks and credit unions, next steps might include:
- Review audit logs
- Rotate credentials shared with the vendor
- Restrict access to any systems connected to Marquis
- Revalidate compensating controls
Boards and risk committees will be looking for evidence of segmentation, data minimization, and a logistical plan to reduce the “blast radius” when a vendor is compromised.
What customers should do right now to protect accounts
Customers of affected institutions should look for breach notifications and check which categories of data were exposed. If SSNs were included, you should freeze your credit with the three major bureaus rather than rely on a fraud alert.
- Check bank and card accounts for unauthorized transactions
- Turn on account alerts for withdrawals, transfers, and logins
- Change online banking passwords, especially if reused elsewhere
- Watch out for targeted phishing that mentions your bank; attackers frequently move from data theft to social engineering
Tax-related identity protection — such as an IRS Identity Protection PIN — can prevent fraudulent returns if SSNs were stolen. If your data was misused, file an identity theft report with the FTC and contact your bank right away.
An ongoing third-party risk trend for financial firms
The Marquis breach follows a trend seen in other massive incidents in which one vendor acts as a force multiplier. Supply-chain compromises and mass exploitation of heavily used software — as with the recent MOVEit hack, and earlier vulnerabilities in email and firewall appliances — have forced banks to rethink concentration risk, or “fourth-party” dependencies.
Financial regulators and industry groups have repeatedly warned firms to inventory critical vendors, test incident response with realistic tabletop exercises, and adopt “assume breach” architectures that restrict vendor permissions to the fewest possible. As the investigations unfold, organizations that are part of the Marquis ecosystem will be assessed by how fast they can limit exposure and firm up controls, because in today’s risk landscape, resiliency is (at least in part) measured by a clock that ticks in hours and days, not weeks.
