Marquis Software Solutions Data Breach: Over 400,000 Customers Affected Across 74 US Banks and Credit Unions

A major cybersecurity incident is underway in the financial sector. Marquis Software Solutions, a leading financial software solution provider, has confirmed a data breach where sensitive information of dozens of banks and credit unions all over the United States is compromised.

Marquis, which offers data analytics, CRM tools, compliance reporting, and digital marketing services to more than 700 financial institutions, has started to notify state regulators about the incident. Filings with US Attorney General offices show the breach resulted from a ransomware attack on August 14, 2025.

The Scope of the Breach: What Was Stolen?

The investigation into the attack found that hackers got into the Marquis network by taking advantage of a weakness in its SonicWall firewall. Cybercriminals were able to steal files with sensitive personal information about Marquis's banking clients' customers because they were able to get in without permission.

A notice sent to the Maine Attorney General's office said that the stolen files had a lot of Personally Identifiable Information (PII). The data that may have been exposed includes:

• Full Names

• Physical Addresses

• Phone Numbers

• Social Security Numbers (SSNs)

• Taxpayer Identification Numbers

• Dates of Birth

• Financial Account Information (excluding security/access codes)

  

Marquis says there is no proof that the data has been published or misused yet, but reports say the company may have taken financial steps to stop the leak. Comparitech says that Community 1st Credit Union filed a report that has since been deleted. It said that "Marquis paid a ransom shortly after 08/14/25" to stop the misuse of stolen data.

List of Affected Banks and Credit Unions

Current filings in Maine, Iowa, and Texas indicate that over 400,000 customers have been impacted. The following 74 institutions have been identified as affected by the Marquis Software Solutions breach:

• 1st Northern California Credit Union

• Abbott Laboratories Employees Credit Union

• Advantage Federal Credit Union

• Agriculture Federal Credit Union

• Alltrust Credit Union

• BayFirst National Bank

• Bellwether Community Credit Union

• C&N Bank

• Cape Cod Five

• Capital City Bank Group

• Central Virginia Federal Credit Union

• Clark County Credit Union

• Community 1st Credit Union

• Community Bancshares of Mississippi, Inc.

• Cornerstone Community Financial Credit Union

• CPM Federal Credit Union

• CSE Federal Credit Union

• CU Hawaii Federal Credit Union

• d/b/a Community Bank

• Discovery Federal Credit Union

• Earthmover Credit Union

• Educators Credit Union

• Energy Capital Credit Union

• Fidelity Cooperative Bank

• First Community Credit Union

• First Northern Bank of Dixon

• Florida Credit Union

• Fort Community Credit Union

• Founders Federal Credit Union

• Freedom of Maryland Federal Credit Union

• Gateway First Bank

• Generations Federal Credit Union

• Gesa Credit Union

• Glendale Federal Credit Union

• Hope Federal Credit Union

• IBERIABANK (n/k/a First Horizon Bank)

• Industrial Federal Credit Union

• Interior Federal Credit Union

• Interra Credit Union

• Jonestown Bank & Trust Co.

• Kemba Financial Credit Union

• Liberty First Credit Union

• Maine State Credit Union

• Market USA FCU

• MemberSource Credit Union

• Michigan First Credit Union

• MIT Federal Credit Union

• New Orleans Firemen's Federal Credit Union

• New Peoples Bank

• Newburyport Five Cents Savings Bank

• NIH Federal Credit Union

• Pasadena Federal Credit Union

• Pathways Financial Credit Union

• Peake Federal Credit Union

• Pelican Credit Union

• Pentucket Bank

• PFCU Credit Union

• QNB Bank

• Security Credit Union

• Seneca Savings

• ServU Credit Union

• StonehamBank Cooperative

• Suncoast Credit Union

• Texoma Community Credit Union

• Thomaston Savings Bank

• Time Bank

• TowneBank

• Ulster Savings Bank

• University Credit Union

• Valley Strong Credit Union

• Westerra Credit Union

• Whitefish Credit Union

• Zing Credit Union

How Marquis Is Responding to the Attack

In its official notifications, Marquis told regulators that it has "taken steps to reduce the risk of this type of incident." The company's public statement was short, but CoVantage Credit Union's filing with the New Hampshire Attorney General gave more detailed information about the steps being taken to fix the problem.

Marquis has enhanced its security controls by implementing the following measures:

1. Firewall Hygiene: Making sure that all firewall devices have the latest patches and updates.

2. Managing credentials: means changing passwords for local accounts and getting rid of old or unused accounts.

3. Stronger Authentication: Making sure that all firewall and VPN accounts use Multi-Factor Authentication (MFA).

4. Better Monitoring: Keeping logs for firewall devices for longer periods of time.

5. Access Control: Setting up account lock-out rules for failed login attempts at the VPN level.

6. Geo-Blocking: Using Geo-IP filtering to only let connections from countries that are important to your business.

7. Botnet Protection: Automatically blocking connections to known Botnet Command and Control servers.

The Role of SonicWall Vulnerabilities and Akira Ransomware

The security improvements above make it likely that the bad guys got in through a SonicWall VPN account. This fits with what we know about how ransomware groups work, especially the Akira ransomware group.

Since the start of September 2024, Akira has been trying hard to get into corporate networks by breaking into SonicWall firewalls. The group first used the Critical CVE-2024-40766 vulnerability to steal VPN usernames, passwords, and even the "seeds" that are used to make one-time passcodes (OTPs).

Fixing the bug wasn't always enough. After patching, a lot of companies didn't change their VPN passwords, which let Akira get back into networks with data they had already stolen. According to recent reports, the group can get into SonicWall VPN accounts even when MFA is turned on. They probably do this by using stolen OTP seeds. Once inside, Akira quickly looks over the network, raises his rights in Windows Active Directory, and steals data before encrypting the systems.

What Impacted Customers Should Do

If you have an account with one of the banks or credit unions listed above, you should check it often for any strange activity. Watch for official letters from your bank or credit union about a breach. These letters might offer services to help you keep an eye on your credit and protect your identity.