Marquis Software Solutions, a Plano, Texas-based vendor serving hundreds of credit unions and banks, reported last week that its 2025 ransomware attack affected 672,075 individuals.

The cyberattack, detected in August 2025, exposed personal information of members and customers, but Marquis did not notify the financial institutions until Oct. 27 and Nov. 25. At the time, the number of affected individuals was unknown, though cybersecurity experts, law firms and state regulators estimated between 700,000 and 1.3 million persons may have been impacted.

A Marquis data breach notification indicated the company knew as early as Dec. 2 that 672,075 credit union members and banking customers were affected – the same date it mailed notifications to consumers. That information did not become public until March 17, when Marquis filed its data breach notification with the Maine Attorney General's Office.

Nevertheless, as early as November, Marquis was working with financial institutions to send data breach notices to credit unions and banks. At the time, Maine officials also published a list of 67 affected financial institutions, including 47 credit unions and 20 banks.

On Jan. 30, 2026, the $1 billion 1st MidAmerica Credit Union in Bethalto, Ill., reported to Maine's AG office that 131,070 individuals may have been affected by the breach at Marquis, which provides financial institutions with marketing and communications services. The credit union currently serves more than 63,000 members.

According to Marquis' forensic investigation, the files potentially accessed by an unauthorized party included personal information such as names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, financial account information – excluding security or access codes – and dates of birth.

The investigation also revealed that an unauthorized third party accessed Marquis' network through its "SonicWall firewall" on Aug. 14, but this incident was limited to the vendor's systems and did not affect the IT systems at credit unions and banks.

Marquis is offering affected individuals free ID protection services.

The breach is also expected to lead to prolonged legal challenges.

The $283 million New Orleans Firemen's Federal Credit Union (NOFFCU), which serves more than 26,000 members, filed a breach of contract lawsuit against Marquis in January.

In addition to allegedly failing to protect the credit union's information, including members' personal information, the credit union said Marquis waited two months to notify its customers, worsening the harm. NOFFCU is seeking damages, the rescission of its contract with Marquis, restitution of fees the credit union paid and trade-secret remedies. The lawsuit did not indicate how many of its members may have been impacted by the breach.

What's more, at least 13 credit unions were listed as co-defendants with Marquis in 22 civil lawsuits filed by individuals from Dec. 2, 2025, to Jan. 30, 2026, according to Justia, an online legal information service.

In February, Marquis filed a lawsuit against SonicWall Inc. in Milpitas, Calif., seeking to recover the damages tied to the breach. The vendor claimed in August 2025 the data incident occurred after a threat actor bypassed SonicWall's firewall using credentials and configurations taken during a separate data breach that SonicWall experienced for several months last year.

Marquis said it investigated how the threat actor accessed SonicWall's network despite its safeguards, including firewalls and multi-factor authentication.

By October 2025, SonicWall had previously announced that sometime in 2025 it suffered a data breach that impacted only 5% of its customers, according to Marquis' lawsuit. However, SonicWall assured Marquis that it was not one of them. SonicWall revealed that the data breach affecting its cloud backup service had exposed to threat actors firewall configuration files and credentials for all SonicWall customers who used the company's cloud backup service, which included Marquis.

In November 2025, SonicWall allegedly admitted to Marquis that the SonicWall cloud data breach had been ongoing since February 2025, when SonicWall made a code change to its application programming interface (API) that created a vulnerability exploitable by threat actors, according to Marquis. SonicWall's cloud backup breach provided threat actors with critical data, including credentials and MFA scratch codes, which enabled them to bypass firewalls and gain access to customer networks.

SonicWall did not respond to CU Times' email and phone requests for comment by its Monday deadline.

Peter Strozniak can be reached at peter.strozniak@arc-network.com.
