Marquis Software Solutions sues SonicWall over ransomware breach impacting 74 US banks

Marquis Software Solutions has filed a lawsuit against cybersecurity firm SonicWall, alleging gross negligence and misrepresentation tied to a ransomware attack that disrupted operations at 74 U.S. banks and exposed sensitive personal data. The complaint centers on a breach discovered Aug. 14, 2025, when hackers infiltrated Marquis’ network after compromising a SonicWall firewall.

Marquis Software Solutions, a provider of data analytics, customer relationship management tools, compliance reporting and digital marketing services to more than 700 banks, credit unions and mortgage lenders, said the attackers stole files containing personal information received from its business partners. The exposed data included names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers and financial account details.

Initially, the breach was believed to stem from an unpatched firewall vulnerability. In January 2026, Marquis formally accused SonicWall of security failures after determining that its firewall had been fully updated at the time of the attack. Multi-factor authentication was enabled and additional security controls were in place, the company said.

Marquis contends that the attackers instead leveraged configuration data extracted from SonicWall’s MySonicWall cloud backup infrastructure. The lawsuit alleges that a security gap introduced in February 2025 through an API code change in the MySonicWall cloud backup service allowed unauthorized access to firewall configuration backup files stored in SonicWall’s cloud environment.

Those backup files contained AES-256 encrypted credentials, configuration data and multi-factor authentication scratch codes. Marquis asserts that the exposed information enabled the threat actor to bypass security protections and compromise its firewall despite safeguards being active.

SonicWall disclosed the cloud backup incident three weeks after it was introduced and initially estimated that approximately 5% of its customer base was affected. The company later confirmed that all clients were impacted. An investigation conducted by incident response firm Mandiant concluded that the ransomware attack was carried out by state-sponsored hackers.