Marquis Says SonicWall Cloud Backup Compromise Led to Ransomware Incident

Marquis Software Solutions, a Texas-based fintech vendor that provides services to banks and credit unions, says a ransomware attack it suffered in August 2025 was triggered by a security failure at one of its key technology providers, SonicWall.

According to Marquis, threat actors took advantage of a compromise of SonicWall’s MySonicWall cloud backup service, which Marquis used to store firewall configuration backups. Marquis believes the attackers obtained sensitive firewall configuration data and credentials from that service, then leveraged the stolen information to bypass Marquis’s firewall protections and gain unauthorized access to its internal network. Once inside, the attackers deployed ransomware and accessed sensitive systems and data.

In customer notifications, Marquis said it is now evaluating options to recover incident response and related costs from SonicWall, signaling the possibility of contractual or legal action tied to the breach.


SonicWall Cloud Backup Breach

SonicWall previously disclosed a cloud backup security incident in September 2025, initially stating that roughly 5% of customers were affected. Subsequent updates revealed that attackers had accessed cloud backup files belonging to a much broader set of users, prompting SonicWall to issue guidance that included credential resets for MySonicWall accounts and other mitigation steps.

Investigators, including cybersecurity firms retained by SonicWall, have said the incident involved unauthorized access to cloud backup data through API interactions. The activity has been linked to a state-sponsored threat actor, though SonicWall has not confirmed whether the same group was responsible for the ransomware attack against Marquis.


How the Attack Unfolded

  • August 14, 2025: Marquis detected suspicious activity on its network, which was later confirmed to be a ransomware incident.
  • Attackers allegedly used firewall configuration details obtained from SonicWall cloud backups to evade perimeter defenses and establish access to Marquis’s systems.
  • Once inside the environment, they deployed ransomware and accessed sensitive information stored by the company.

Who Was Affected?

The impact extended beyond Marquis itself, creating significant downstream risk for its customers:

  • More than 74 U.S. banks and credit unions were affected because Marquis’s systems handled data on their behalf.
  • Reports indicate that hundreds of thousands of individuals’ personal records were exposed, including names, contact information, and Social Security or tax identification numbers. Some estimates place the total number of affected individuals at over 780,000.

Key Issues and Broader Implications

The incident highlights the growing supply-chain risk in cybersecurity, where a breach at a third-party provider can directly enable an attack on downstream customers. In this case, compromised firewall backup data appears to have given attackers a roadmap into Marquis’s environment.

It also underscores how attackers increasingly rely on legitimate configuration data and credentials to “walk through the front door,” rather than forcing their way in with traditional malware and exploits.


What Remains Unclear

Several questions remain unanswered:

  • The exact identity of the attackers behind the SonicWall cloud backup breach has not been publicly confirmed.
  • It is still unclear whether the same threat actor was responsible for both the SonicWall incident and the ransomware attack on Marquis.
  • There has been no public disclosure about whether the ransomware group involved will be identified, charged, or otherwise held accountable.