Fintech firm Marquis has filed a lawsuit against firewall maker SonicWall, alleging that security failures in SonicWall’s cloud backup service for firewalls enabled hackers to obtain sensitive configuration data and emergency “scratch code” passcodes that were later used to launch a ransomware attack on Marquis’ network. The complaint, lodged in the U.S. District Court for the Eastern District of Texas, seeks a jury trial.
The suit centers on a previously disclosed SonicWall breach that exposed customer firewall configuration backup files stored on cloud servers maintained by SonicWall. SonicWall initially said fewer than 5% of backups were exfiltrated before later acknowledging that every customer’s firewall backup files had been stolen. The company has not publicly detailed when attackers first accessed its systems.
Allegations Center On Firewall Backup Exposure
According to Marquis, the ransomware group did not break the firewall; it allegedly used information from SonicWall’s backup service to bypass it. The complaint asserts that backups included configuration details and emergency “scratch codes” used for break-glass access, which the intruders leveraged to enter Marquis’ internal network.
Marquis further claims SonicWall introduced a code change to a customer-facing API months before the breach that created an authentication flaw. The bug allegedly allowed threat actors to access firewall configuration backups by enumerating predictable serial numbers, pulling files “without proper authentication.” SonicWall has not commented on the new allegations.
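The flaw described above, a backup lookup keyed on a guessable serial number rather than on the authenticated customer, is a classic insecure-direct-object-reference pattern. The following is an added illustration written for this article, not SonicWall's code and not a description of its API: a hypothetical retrieval handler in its weak and tenant-bound forms, plus a detector that runs over constructed access-log lines and flags the request shape such an enumeration leaves behind (many distinct serials from one source, unauthenticated or with a low hit rate, often in sequence). All serials, accounts, addresses and the log format are constructed.

```python
"""Added example (not SonicWall's or Marquis' code): tenant-bound backup
retrieval beside the serial-only lookup, and an enumeration detector."""
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample data: which account owns which appliance serial.
OWNERSHIP: Dict[str, str] = {
    "SN-1001": "acct-A",
    "SN-1002": "acct-A",
    "SN-2001": "acct-B",
}
BACKUPS: Dict[str, str] = {sn: f"<config for {sn}>" for sn in OWNERSHIP}


def fetch_backup_vulnerable(serial: str) -> Optional[str]:
    """Weak form: the lookup is keyed on the serial alone, so any caller who
    can guess a valid serial receives that customer's backup."""
    return BACKUPS.get(serial)


def fetch_backup_hardened(account: Optional[str], serial: str) -> Optional[str]:
    """Hardened form: require an authenticated caller and bind the serial to
    that caller's tenant. 'Not yours' and 'not found' return the same answer so
    the endpoint does not confirm which serials exist."""
    if account is None:
        return None
    if OWNERSHIP.get(serial) != account:
        return None
    return BACKUPS.get(serial)


# Constructed access-log lines: timestamp source account serial http_status
# ("-" in the account column means the request carried no valid session).
SAMPLE_LOG = """\
2024-01-01T00:00:01Z 203.0.113.5 acct-A SN-1001 200
2024-01-01T00:00:02Z 203.0.113.5 acct-A SN-1002 200
2024-01-01T00:00:10Z 198.51.100.9 - SN-3000 404
2024-01-01T00:00:11Z 198.51.100.9 - SN-3001 404
2024-01-01T00:00:12Z 198.51.100.9 - SN-3002 200
2024-01-01T00:00:13Z 198.51.100.9 - SN-3003 404
2024-01-01T00:00:14Z 198.51.100.9 - SN-3004 200
"""


def _looks_sequential(serials: Set[str], min_run: int) -> bool:
    """True if the numeric suffixes of the serials form a run of consecutive
    values at least min_run long (a hallmark of counting through a keyspace)."""
    nums = sorted(int(s.rsplit("-", 1)[-1]) for s in serials if s.rsplit("-", 1)[-1].isdigit())
    run, best = 1, 1
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best >= min_run


def find_enumeration(log_text: str, min_distinct: int = 4, max_hit_rate: float = 0.6) -> List[str]:
    """Return sources that touched many distinct serials and either did so
    unauthenticated, mostly missed, or walked a sequential serial range."""
    by_source = defaultdict(lambda: {"serials": set(), "hits": 0, "total": 0, "unauth": 0})
    for line in log_text.splitlines():
        _ts, src, acct, serial, status = line.split()
        rec = by_source[src]
        rec["serials"].add(serial)
        rec["total"] += 1
        rec["hits"] += status == "200"
        rec["unauth"] += acct == "-"
    flagged = []
    for src, rec in by_source.items():
        if len(rec["serials"]) < min_distinct:
            continue
        hit_rate = rec["hits"] / rec["total"]
        if rec["unauth"] or hit_rate <= max_hit_rate or _looks_sequential(rec["serials"], min_distinct):
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    print("flagged sources:", find_enumeration(SAMPLE_LOG))
```

The ownership check is the fix that matters; the detector is the compensating control a backup-service operator would run over its own API logs, where a single source cycling through serials it does not own should stand out long before a large fraction of backups has been pulled.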
What Was Stolen And Who Is Affected So Far
Marquis, which helps hundreds of banks and credit unions analyze customer data, says the attackers took personally identifiable information related to customers of some client financial institutions. Stolen data includes names, dates of birth, postal addresses, bank account details, debit and credit card numbers, and Social Security numbers.
The company began notifying affected individuals after discovering its own network intrusion months earlier. Marquis has not disclosed a total number of victims. A filing with the Texas Attorney General lists at least 400,000 impacted individuals across the U.S., a tally expected to rise as additional state notifications post.
SonicWall Under Scrutiny For Cloud Backup Practices
Backups of firewall configurations can be a treasure map for attackers. They often include rulesets, VPN and remote access settings, and emergency access mechanisms. When centralized in a vendor-managed cloud, these backups can create a high-value aggregation point—one compromise can cascade across many customers.
The shifting scope of SonicWall’s breach—first framed as a small fraction of customers and later acknowledged as affecting all backup users—adds pressure on the company to clarify controls around its storage environment and API security. Without timeline transparency, customers and regulators face gaps in understanding exposure windows and risk.
Why Configuration Backups Matter To Ransomware Crews
Ransomware operators increasingly rely on credential theft and misconfiguration, not zero-day exploits. If attackers gain firewall configurations and emergency codes, they can pre-stage access, identify trusted pathways, and neutralize monitoring before detonating payloads. U.S. cybersecurity agencies have repeatedly warned that network appliance backups and admin credentials are prime targets.
Best practices from CISA and NIST stress isolating and encrypting configuration backups, using customer-managed keys, enforcing multifactor authentication for any backup access, and eliminating or tightly controlling break-glass credentials. Regular rotation of device passwords, VPN keys, and emergency codes is critical after any supplier-side breach.
Broader Market And Legal Implications For Vendors
The case spotlights supply chain risk in security tooling itself. High-profile incidents such as the Kaseya ransomware campaign and later identity provider compromises showed how a single vendor foothold can fan out across customers. Here, the alleged blast radius emerged from a defensive product’s cloud backup layer.
The litigation could test where liability sits when vendor-managed cloud services expose customer networks. Contracts around incident notification, audit rights, and recovery assistance will face renewed scrutiny. The stakes are high: Verizon’s 2023 Data Breach Investigations Report found ransomware present in roughly 24% of breaches, while IBM Security’s 2023 study put the average data breach cost at $4.45 million.
What To Watch As The Lawsuit And Response Unfold
Discovery may determine whether an API change and serial-number enumeration were the root cause, and what specific data within the backups enabled the attackers’ move from perimeter to core systems. Financial regulators and state attorneys general are likely to press for clarity on incident timelines and customer impact.
For now, enterprises using any firewall backup service should assume configuration data may be sensitive enough to enable intrusions at scale. Immediate steps typically include rotating all device credentials and emergency codes, regenerating VPN keys, validating backup encryption with customer-controlled keys, and reviewing firewall rules for unauthorized changes.
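Two of the steps above, rotating every secret that was in the exposed backup and reviewing firewall rules for unauthorized changes, reduce to comparing a known-good snapshot against the live configuration. The block below is an added example written for this article, not code from SonicWall, Marquis, CISA or NIST: it takes a constructed, simplified JSON rendering of a firewall configuration (the field names are hypothetical), reports rule drift against a baseline, singles out newly added allow-from-anywhere rules, and lists which secrets in the live config are still identical to the ones in the exposed backup and therefore have not yet been rotated.

```python
"""Added example (not from the article or any vendor): post-breach review of a
firewall config against a known-good baseline that is also the exposed snapshot."""
import json
from typing import Any, Dict, List, Tuple

# Constructed baseline: the last known-good config, assumed here to be the same
# snapshot that was exposed in the vendor-side backup breach.
BASELINE: Dict[str, Any] = json.loads("""{
  "rules": [
    {"id": 10, "action": "allow", "src": "10.0.0.0/8", "dst": "10.1.0.5", "port": 443},
    {"id": 20, "action": "deny",  "src": "any",        "dst": "any",      "port": "any"},
    {"id": 30, "action": "deny",  "src": "10.0.0.0/8", "dst": "10.2.0.0/16", "port": "any"}
  ],
  "vpn": {"psk": "psk-v1"},
  "admin": {"password_hash": "hash-v1"},
  "scratch_codes": ["code-1", "code-2"]
}""")

# Constructed live config pulled from the appliance after the incident.
CURRENT: Dict[str, Any] = json.loads("""{
  "rules": [
    {"id": 10, "action": "allow", "src": "10.0.0.0/8", "dst": "10.1.0.5", "port": "any"},
    {"id": 15, "action": "allow", "src": "any",        "dst": "10.1.0.9", "port": 3389},
    {"id": 20, "action": "deny",  "src": "any",        "dst": "any",      "port": "any"}
  ],
  "vpn": {"psk": "psk-v1"},
  "admin": {"password_hash": "hash-v2"},
  "scratch_codes": ["code-1", "code-2"]
}""")

# Paths of the secrets a backup of this shape carries (hypothetical field names).
SECRET_PATHS: List[Tuple[str, ...]] = [("vpn", "psk"), ("admin", "password_hash"), ("scratch_codes",)]


def rule_drift(baseline: Dict[str, Any], current: Dict[str, Any]) -> Dict[str, List[int]]:
    """Report rule ids added, removed, or modified relative to the baseline."""
    b = {r["id"]: r for r in baseline["rules"]}
    c = {r["id"]: r for r in current["rules"]}
    return {
        "added": sorted(set(c) - set(b)),
        "removed": sorted(set(b) - set(c)),
        "changed": sorted(i for i in set(b) & set(c) if b[i] != c[i]),
    }


def risky_additions(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[int]:
    """Added allow rules with an unrestricted source: the shape a newly opened
    inbound path takes, and the first thing to verify with change records."""
    known = {r["id"] for r in baseline["rules"]}
    return sorted(
        r["id"] for r in current["rules"]
        if r["id"] not in known and r["action"] == "allow" and r["src"] == "any"
    )


def _get(cfg: Dict[str, Any], path: Tuple[str, ...]) -> Any:
    node: Any = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def unrotated_secrets(exposed: Dict[str, Any], current: Dict[str, Any]) -> List[str]:
    """Secrets whose live value still equals the exposed value: every entry here
    is a credential the attacker holds and that still works."""
    return [
        ".".join(path) for path in SECRET_PATHS
        if _get(exposed, path) is not None and _get(exposed, path) == _get(current, path)
    ]


if __name__ == "__main__":
    print("drift:", rule_drift(BASELINE, CURRENT))
    print("risky additions:", risky_additions(BASELINE, CURRENT))
    print("still unrotated:", unrotated_secrets(BASELINE, CURRENT))
```

Comparing whole rule objects rather than just ids catches the quieter change (rule 10 widened from one port to any) as well as the obvious new rule, and the rotation check is deliberately value-based: a secret that was regenerated to the same value, or restored from the old backup, shows up as unrotated, which is exactly the case a checklist tick would miss.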