Ransomware Attack on Marketing Vendor Marquis Software Solutions Leads to Major Data Breach for U.S. Banks and Credit Unions

Supply Chain Breach at Vendor Marquis Exposes Data From Dozens of US Banks

Severity: HIGH
Published: November 27, 2025
Updated: December 8, 2025
6m read
Supply Chain Attack, Data Breach, Ransomware

Impact Scope

People Affected

Tens of thousands (at least 42,784 in Maine alone)

Industries Affected

Finance, Technology

Geographic Impact

United States (national)

Related Entities (initial)

Other

Marquis Software Solutions, CoVantage Credit Union, Epiq Privacy Solutions

Full Report (when first published)

Executive Summary

A significant supply chain data breach has impacted the U.S. financial sector following a ransomware attack on Marquis Software Solutions, a Texas-based marketing vendor. On November 26, 2025, Marquis began informing its clients—dozens of U.S. banks and credit unions—that a network intrusion first detected on August 14, 2025, resulted in the compromise of sensitive customer data. The exposed information includes names, Social Security numbers (SSNs), financial account information, and other PII. This incident is a classic supply chain attack where the vendor, not the financial institutions themselves, was the point of failure. The breach affects a large number of individuals, with one filing indicating over 42,000 victims in Maine alone. Marquis is working with law enforcement and providing identity theft protection services to those affected.

Threat Overview

The attack targeted Marquis Software Solutions, which provides data analytics and marketing services to financial institutions. By compromising this single vendor, the attackers gained access to a treasure trove of aggregated customer data from many different banks. The incident was identified as a ransomware attack, which implies a double-extortion scenario: attackers likely exfiltrated the data before encrypting Marquis' systems. The long delay between the detection in August and the public notification in November is concerning and may have given attackers ample time to misuse the stolen data. The compromised data is of the highest sensitivity, making it extremely valuable on the dark web for identity theft, financial fraud, and targeted phishing campaigns.

Technical Analysis

The initial vector for the ransomware attack on Marquis is unknown but likely involved common methods such as a phishing email, exploitation of an unpatched vulnerability, or compromised remote access credentials. The attack chain would have followed a standard pattern:

  1. Initial Access: Gaining a foothold in the Marquis network.
  2. Discovery & Lateral Movement: Mapping the network to locate the servers and databases storing client data (T1213 - Data from Information Repositories).
  3. Collection & Staging: Aggregating large volumes of sensitive customer data from various sources into a centralized location for exfiltration.
  4. Exfiltration: Transferring the stolen data out of the network to an attacker-controlled server (T1048 - Exfiltration Over Alternative Protocol).
  5. Impact: Deploying ransomware to encrypt Marquis' systems to extort a payment (T1486 - Data Encrypted for Impact).

The core of this incident from the banks' perspective is a failure of third-party risk management, falling under T1199 - Trusted Relationship, where the trust placed in Marquis was exploited.


Impact Assessment

The impact on the affected bank customers is severe. The theft of SSNs, financial account information, and other PII puts them at high risk of identity theft, loan fraud, and account takeovers for years to come. For the affected banks and credit unions, such as CoVantage Credit Union, the incident causes significant reputational damage and erodes customer trust, even though their own systems were not breached. They will also face increased operational costs from customer support and fraud monitoring. For Marquis, the financial and legal repercussions will be substantial, including the cost of recovery, potential lawsuits from both clients and individuals, and a devastating loss of business. This event is a powerful illustration of the systemic risk inherent in modern digital supply chains.

Cyber Observables for Detection

For financial institutions to detect potential breaches at their vendors:

  1. Third-party risk intelligence feeds (type: other): Monitor for reports of breaches or security incidents at critical vendors.
  2. Dark web monitoring (type: other): Scan for mentions of the vendor or the institution's data on criminal forums.
  3. Anomalous API access patterns from vendor IP ranges (type: network traffic pattern): A sudden spike in data access from a vendor could indicate a problem on their end.

Detection & Response

Financial institutions often have limited visibility into their vendors' security, making direct detection difficult. The primary 'detection' method is often the breach notification from the vendor itself. However, organizations can be more proactive. Continuous monitoring of third-party risk through specialized services can provide early warnings. Response to a vendor breach involves activating the incident response plan, communicating clearly with customers, providing them with credit monitoring and support, and reviewing the legal and contractual relationship with the compromised vendor. Internally, security teams should monitor for any signs that the breached data is being used to target their own systems or customers (e.g., in sophisticated phishing campaigns).
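A minimal implementation of the "anomalous API access patterns from vendor IP ranges" observable listed above, run over constructed access-log lines. This is an added example, not code from the article or from any of the institutions involved; the log format, the vendor CIDR and the spike threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed sample access log: "<timestamp> <client ip> <endpoint> <records returned>".
# 203.0.113.0/24 is an RFC 5737 documentation range standing in for the vendor's
# real allocation; the 198.51.100.7 line is a non-vendor client and must be ignored.
SAMPLE_LOG = """\
2025-08-12T02:00:00Z 203.0.113.10 /api/v1/customers/export 1200
2025-08-12T03:00:00Z 203.0.113.10 /api/v1/customers/export 1150
2025-08-13T02:00:00Z 203.0.113.11 /api/v1/customers/export 1300
2025-08-13T03:00:00Z 203.0.113.10 /api/v1/customers/export 1100
2025-08-13T10:00:00Z 198.51.100.7 /api/v1/customers/export 900
2025-08-14T02:00:00Z 203.0.113.10 /api/v1/customers/export 1250
2025-08-14T03:00:00Z 203.0.113.12 /api/v1/customers/export 48000
2025-08-14T03:20:00Z 203.0.113.12 /api/v1/customers/export 52000
"""
VENDOR_RANGE = ip_network("203.0.113.0/24")  # assumed vendor allocation


def parse(log_text):
    """Yield (day, ip, endpoint, record_count) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, endpoint, count = parts
        try:
            yield ts[:10], ip_address(ip), endpoint, int(count)
        except ValueError:  # malformed IP or non-numeric count: skip the line
            continue


def daily_vendor_volume(log_text, vendor_range=VENDOR_RANGE):
    """Total records pulled per day by clients inside the vendor's IP range."""
    per_day = defaultdict(int)
    for day, ip, _endpoint, count in parse(log_text):
        if ip in vendor_range:
            per_day[day] += count
    return dict(sorted(per_day.items()))


def flag_spikes(per_day, factor=5.0):
    """Return (day, volume, baseline) for each day whose vendor pull volume exceeds
    `factor` times the mean of all earlier days; the first day only seeds the baseline."""
    flagged, history = [], []
    for day, volume in per_day.items():
        if history:
            baseline = mean(history)
            if volume > factor * baseline:
                flagged.append((day, volume, baseline))
        history.append(volume)
    return flagged
```

In the sample, the two bulk pulls on the day of detection push the vendor's daily volume to roughly 40 times its prior average, which is the kind of signal a bank can see on its own side even without visibility into the vendor's network.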

Mitigation

  1. Third-Party Risk Management (TPRM): Implement a robust TPRM program. This includes comprehensive security assessments during vendor onboarding, requiring security certifications (e.g., SOC 2), and including strong security clauses, audit rights, and breach notification SLAs in all contracts.
  2. Data Minimization: Only share the absolute minimum amount of customer data necessary for the vendor to perform its function. Question whether a marketing vendor truly needs access to SSNs and full account numbers.
  3. Data Encryption: Mandate that any shared sensitive data be encrypted by the vendor, both at rest and in transit.
  4. Incident Response Planning: Develop and test incident response playbooks specifically for supply chain breaches. These should outline steps for communication, customer support, and legal action.
  5. Continuous Monitoring: Use services to continuously monitor the security posture of critical vendors and receive alerts on emerging risks.

Timeline of Events

  1. August 14, 2025: Marquis Software Solutions first detects the network intrusion and ransomware attack.
  2. November 26, 2025: Marquis begins sending data breach notifications to affected individuals on behalf of its financial institution clients.
  3. November 27, 2025: This article was published.

Article Updates

November 30, 2025

CoVantage Credit Union confirms 160,000 members affected by the Marquis breach, with new details on the discovery timeline and legal actions.

December 8, 2025

Akira ransomware gang suspected in Marquis Software breach, impacting over 400,000 customers across 74 banks via SonicWall vulnerabilities.

MITRE ATT&CK Mitigations

  1. Only provide vendors with the absolute minimum data required for their services to limit the impact of a potential breach.
  2. Contractually require vendors to encrypt all sensitive customer data at rest and in transit.
  3. Establish a TPRM program that includes regular security audits and reviews of critical vendors' security controls.

D3FEND Defensive Countermeasures

The Marquis breach highlights the critical need for data minimization in supply chains. Financial institutions must adopt a 'Data-in-use Minimization' strategy. Before sharing any data with a third-party vendor like Marquis, a rigorous review must determine the absolute minimum dataset required for the service. For a marketing vendor, it is highly unlikely that raw SSNs or full account numbers are necessary. By providing only tokenized or pseudonymized data, banks can drastically reduce the impact of a vendor compromise. The most sensitive data never leaves the bank's control, rendering a breach at the vendor far less damaging to customers.
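The pseudonymized extract described above, as an added example that is not code from the article, from Marquis or from any bank. It assumes a constructed customer record layout, an allow-list of marketing fields, and an HMAC-based token scheme whose key never leaves the bank; the vendor receives only tokens plus non-identifying fields, and the bank resolves tokens back through its own vault.

```python
import hashlib
import hmac
import secrets

# Constructed sample records as they might sit in the bank's core system.
CUSTOMER_RECORDS = [
    {"customer_id": "C1001", "name": "Jane Doe", "ssn": "123-45-6789",
     "account_number": "000123456789", "zip": "04101", "segment": "mortgage"},
    {"customer_id": "C1002", "name": "John Roe", "ssn": "987-65-4321",
     "account_number": "000987654321", "zip": "04102", "segment": "checking"},
]

# Fields a marketing campaign can use; identifiers and account data are excluded.
VENDOR_ALLOWED_FIELDS = ("zip", "segment")
SENSITIVE_FIELDS = ("ssn", "account_number", "name")


class TokenVault:
    """Bank-held mapping between vendor-facing tokens and real customer ids.

    Tokens are keyed hashes (HMAC-SHA256), so they are stable across extracts
    (the vendor can match campaign responses) but cannot be reversed or verified
    by guessing without the bank's key. Resolution goes through the stored map."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)  # stays inside the bank
        self.token_to_id = {}

    def tokenize(self, customer_id):
        token = hmac.new(self.key, customer_id.encode(), hashlib.sha256).hexdigest()
        self.token_to_id[token] = customer_id
        return token

    def resolve(self, token):
        return self.token_to_id.get(token)


def minimize_for_vendor(records, vault, allowed=VENDOR_ALLOWED_FIELDS):
    """Build the extract the vendor receives: one token plus allow-listed fields."""
    extract = []
    for rec in records:
        row = {"token": vault.tokenize(rec["customer_id"])}
        row.update({field: rec[field] for field in allowed if field in rec})
        extract.append(row)
    return extract


def leaked_sensitive_fields(extract, sensitive=SENSITIVE_FIELDS):
    """Outbound check: names of sensitive fields present in any row (should be empty)."""
    return sorted({field for row in extract for field in row if field in sensitive})
```

Running `leaked_sensitive_fields` on the outbound extract as a release gate, and on the raw records to confirm the gate actually fires, is the kind of control that stops an SSN column from leaving the bank in the first place.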

This incident is a textbook case for implementing robust Third-party Risk Monitoring. Financial institutions cannot afford a 'set it and forget it' approach to vendors. They must use continuous monitoring services (e.g., SecurityScorecard, BitSight) to track the external security posture of critical vendors like Marquis. This includes monitoring for new vulnerabilities, misconfigurations, and dark web chatter. Contractual agreements must include the right to audit and demand evidence of security controls. A low security score or a failure to provide evidence should trigger a risk review and potentially lead to offboarding the vendor before a breach occurs.

To protect data shared with vendors like Marquis, banks should enforce client-side File Encryption. Before transferring any files containing customer PII, the data should be encrypted using a key that the bank controls. The vendor would then process the data in an environment that supports decryption for processing, but the data at rest on the vendor's systems would remain encrypted. This ensures that even if an attacker gains access to the vendor's file storage, as happened in the Marquis ransomware attack, the data they steal is encrypted and useless without the bank's key. This control shifts the security posture from relying on the vendor's perimeter to protecting the data itself.


Sources & References (when first published)

  1. Marquis Data Breach Exposes Dozens of U.S. Banks and Credit Unions. GBHackers (gbhackers.com), November 26, 2025.
  2. Marquis Software Solutions Data Breach Lawsuit Investigation. JoinTheCase (jointhecase.com), November 26, 2025.
  3. NOTICE OF DATA BREACH. California Office of the Attorney General (oag.ca.gov), November 26, 2025.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Marquis Software, Supply Chain Attack, Data Breach, Ransomware, Financial Services, PII, SSN
