Marquis, a US-based technology company providing data analytics and visualisation tools to hundreds of banks, has disclosed that a ransomware attack from August 2025 resulted in the theft of personal and financial data belonging to a minimum of 672,075 people.
At the time of writing, the company, which is based in Plano, Texas, was in the process of notifying affected individuals, according to a listing filed with Maine's attorney general's office. Additionally, a separate filing indicates that more than half of those affected reside in Texas.
Furthermore, the stolen data includes banking customers' names, dates of birth, and postal addresses, as well as financial information, including bank account, debit, and credit card numbers. Social Security numbers were also taken, according to Marquis. The disclosure represents the first detailed account of the breach's scale, which had not been previously reported.
Firewall vulnerability and legal action
Marquis filed a lawsuit in February 2026 against SonicWall, its firewall provider, alleging security failings that enabled the attack. According to the lawsuit, SonicWall created a vulnerability that allowed hackers to steal firewall configuration backup files, including those belonging to Marquis. The company alleges that this access was then used to compromise its network, exfiltrate data, and deploy ransomware.
The incident highlights the systemic risk that third-party technology providers can introduce into financial services supply chains. Because Marquis serves hundreds of banks as a centralised analytics platform, a single breach at the vendor level exposed customer data held across multiple institutions simultaneously, a pattern consistent with the FCA's recent observation that over 40% of cyber incidents reported to UK regulators in 2025 involved a third party. Similar issues can be identified across the US as well, with recent data suggesting that, in 2024, 35.5% of all data breaches were third-party related.
When previously contacted to expand on this, Marquis did not respond to a request for comment.
