The sensitive personal and financial information of 672,075 people was compromised during the August 2025 Marquis cyberattack, which was previously misattributed to a Russian ransomware gang.
At the time, the security incident reportedly affected at least 74 banks and credit unions. Marquis provides marketing and compliance tools to over 700 banks and credit unions.
The stolen personal information included names, dates of birth, and postal addresses, as well as financial information such as bank account numbers and credit card numbers.
Similarly, government-issued IDs such as Social Security Numbers and Taxpayer Identification Numbers were also compromised during the attack, putting victims at risk of identity theft and fraud.
Marquis ransomware attack affected over 670,000 people
Marquis said it learned of the data breach after detecting suspicious activity on August 14, 2025, and launched an investigation involving cybersecurity firm Mandiant. In December 2025, the company determined that 400,000 people and 74 financial institutions were affected.
However, a recent disclosure filed with the Office of the Maine Attorney General revised the number upwards to at least 672,075 people.
The data breach also affected people who had not directly transacted with the company but had engaged with third parties who had access to the company’s systems.
At the time, Marquis said the data breach affected 5% of its clients who used its cloud backup systems. However, the new disclosure states that the security incident only affected its systems, but not its customers’.
“The investigation determined that an unauthorized third party accessed our network and may have copied certain files from our systems. The incident was limited to Marquis’s systems and did not affect our customer’s systems,” the company stated.
Meanwhile, Marquis is offering 12 months of identity theft protection services with Epiq Privacy Solutions ID. The company also believes the stolen information has not been misused.
Marquis had reportedly paid a ransom to prevent the ransomware gang from leaking the stolen information online. Nevertheless, it advised impacted individuals to monitor their financial accounts and credit reports for any suspicious activity and report any anomalies.
“Previously (in November 2025), Marquis notified 42,784 people in Maine about this data breach, whereas this new one is for 96 Maine residents only (672,075 in total across the US),” said Rebecca Moody, Head of Data Research at Comparitech. “So, it looks like this is likely to be a supplemental breach, which will significantly increase the number of people impacted in this breach to over 2.3 million.”
“Sometimes, figures can be adjusted as investigations develop, but, because of the significant difference in the number of people notified between these two breaches, I don’t think this is the case. In its first notification, Marquis also included a list of entities it was issuing the notification on behalf of, but this isn’t included in this latest update,” added Moody.
State-sponsored threat actor, not the Akira ransomware gang
In early 2025, a password attack involving over 2.8 million IP addresses targeted firewall and VPN devices, including Palo Alto Networks, Ivanti, and SonicWall.
At the time, some security experts linked the Marquis cyber attack to the Russian ransomware gang Akira, which was observed exploiting SonicWall’s security vulnerability CVE-2024-40766 to harvest VPN login credentials and one-time passwords (OTPs) to bypass multi-factor authentication (MFA).
Nevertheless, Marquis attributed the cyber attack to a state-sponsored threat actor and disputed the Akira ransomware gang’s involvement.
“The Mandiant investigation is now complete. Their findings confirm that the malicious activity – carried out by a state-sponsored threat actor – was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call,” the company stated. “The incident is unrelated to ongoing global Akira ransomware attacks on firewalls and other edge devices.”
Marquis also claimed that the cyber attack did not impact SonicWall products or firmware, or disrupt the firewall provider’s other tools or customer networks.
At the time, the ransomware gang had reportedly targeted SonicWall Generation 7 firewalls with the SSLVPN feature enabled. The firewall provider responded by releasing security fixes and advising organizations that could not patch their devices to turn the feature off to avoid exploitation. Marquis also advised its customers to reset their SonicWall account credentials.
However, the company had sued SonicWall in the U.S. District Court for the Eastern District of Texas for allegedly failing to secure the system, allowing the ransomware gang to steal system configuration settings. The company also faces at least 36 class-action lawsuits stemming from the 2025 ransomware attack.
Nevertheless, the fintech company said SonicWall responded professionally and applied the recommendation of its investigation. The firewall provider also made business concessions to offset the financial burden associated with the cyber attack.
