Marquis Reports Ransomware Breach Hits 672,000 People


Marquis, a Plano, Texas fintech vendor used by hundreds of banks to analyze customer data, says cybercriminals stole personal and financial information belonging to at least 672,075 individuals in a ransomware attack. State filings show more than half of those affected reside in Texas, underscoring the regional concentration of Marquis’s client base and the widespread downstream exposure for bank customers.

The disclosure, reflected in breach notices filed with the Maine attorney general and Texas regulators, offers the clearest tally to date of the incident, which occurred in August 2025. The company says the attackers accessed both sensitive identifiers and account details, elevating the risks of identity theft and fraud for impacted consumers.


What Data Was Compromised in the Marquis Ransomware Breach

According to Marquis, the intruders exfiltrated names, dates of birth, and mailing addresses, along with bank account numbers and debit or credit card numbers. The company also confirmed that Social Security numbers were taken in the breach—data that cannot be reissued and fuels long-term identity fraud, synthetic identity creation, and new-account abuse.

While financial institutions can replace cards and implement enhanced monitoring on accounts, SSNs and other static identifiers carry enduring value on criminal markets. Security researchers and federal agencies, including the FBI’s Internet Crime Complaint Center, have repeatedly warned that modern ransomware groups increasingly pair system encryption with data theft and public leak threats to pressure payment—so-called double extortion tactics.

Scope of the Marquis breach and who is affected

Notification letters indicate at least 672,075 people are being informed, with a majority in Texas. Marquis’s platform supports customer analytics and marketing compliance for community and regional banks, meaning individuals may learn of their exposure through their financial institution even if they have never heard of the vendor itself. This kind of third-party breach is exactly the scenario regulators flag when urging banks to strengthen oversight of service providers.

The 2024 Data Breach Investigations Report by Verizon highlights the prominence of extortion-driven breaches in financially motivated attacks, and IBM’s 2024 Cost of a Data Breach report notes that breaches involving third parties carry higher detection and response complexity. Both dynamics are evident here: a specialized vendor targeted for the valuable data it aggregates on behalf of many banks.

Allegations against SonicWall tied to firewall vulnerabilities

In February, Marquis filed suit against its firewall provider, SonicWall, alleging security lapses that enabled the attackers to steal critical information about Marquis’s firewalls. Marquis claims a SonicWall-created vulnerability allowed theft of firewall configuration backup files, which the attackers then used to penetrate the network, exfiltrate data, and deploy ransomware.

Configuration backups can, in some environments, expose sensitive details about network architecture and authentication, making them a high-value target. While the legal process will determine liability, the allegation highlights a recurring pattern in enterprise intrusions: weaknesses in edge devices or their management workflows can become stepping stones to full network compromise. Similar risks have been spotlighted in advisories from CISA and other agencies urging continuous patching, hardened configurations, and restricted access to backups.


Banking risk and growing regulatory pressure after breach

For banks, the incident is a test of third-party risk management. U.S. banking agencies’ joint guidance on third-party relationships, finalized in 2023 by the Federal Reserve, FDIC, and OCC, emphasizes due diligence on vendors’ security, ongoing monitoring, and clear incident-notification obligations. In parallel, the interagency Computer-Security Incident Notification Rule requires banks to report significant incidents within tight timelines, including disruptive events at bank service providers.

Because Marquis handles consumer financial data, obligations under the Gramm-Leach-Bliley Act Safeguards Rule also come into play. Regulators will be watching how quickly affected institutions notify customers, coordinate card reissuance where needed, and implement enhanced fraud detection. The breadth of stolen data—particularly SSNs—raises the stakes for prolonged monitoring and potential remediation.

Why Ransomware Crews Target Aggregators

Vendors like Marquis aggregate structured, high-fidelity datasets from many institutions, creating a single repository that is extraordinarily attractive to criminal groups. By compromising one analytics provider, attackers can potentially extort multiple organizations and monetize stolen records through identity theft, account takeover, and phishing campaigns tailored with real customer details.

Security teams increasingly treat such vendors as critical infrastructure within their own risk registers, subjecting them to deeper technical assessments, tabletop exercises, and contractual requirements for breach notification, data minimization, and segregation by client. Those controls are designed to prevent a single compromise from cascading across an entire customer base.

What affected individuals can do now to protect themselves

Consumers notified of exposure should consider placing a free fraud alert or credit freeze with the major credit bureaus, review bank and card statements for unfamiliar activity, and enable account alerts and multifactor authentication where available. If SSNs were involved, requesting an IRS Identity Protection PIN and monitoring for new credit inquiries can help blunt identity misuse.

Attackers often follow data theft with targeted phishing. Treat unsolicited emails, texts, and calls with skepticism, especially those invoking urgent banking issues. Verify any outreach using trusted contact channels from the back of your card or official bank statements—not links or numbers in unexpected messages.

Marquis has not publicly detailed whether the attackers published any data on leak sites, a common pressure tactic. Regardless, the combination of personal identifiers and financial information stolen here warrants heightened vigilance for the long term.
