A data breach affecting more than 780,000 individuals has been confirmed by Marquis Software Solutions, a Texas-based fintech provider that works with over 700 banks and credit unions across the US.
The incident began on August 14, when attackers broke into the company’s network by exploiting a SonicWall firewall vulnerability. After discovering the intrusion, Marquis reportedly shut down affected systems and brought in outside cybersecurity specialists to investigate.
The Marquis review, completed in late October, found that unauthorized actors accessed and copied files containing personal and financial information from certain business customers.
“Marquis is the most recent example of how third-party concentration poses a systemic danger to the financial services industry,” said Noelle Murata, security engineer at Xcape.
“A single mid-tier vendor sitting in the data flow of numerous banks can instantly create a blast radius on a national scale.”
Although the company has not observed signs of identity theft or fraud linked to the incident, filings show that at least 74 banks and credit unions were impacted.
Newly filed notifications across Maine, Texas and Iowa detail how the breach unfolded and how widely its effects spread.
One now-removed filing from Community 1st Credit Union also suggested Marquis paid a ransom shortly after the attack to stop the data from being leaked, although the company has not addressed this claim.
Information Released By Authorities
The aforementioned filings confirm that customers across multiple states were affected and that similar categories of personal data were involved, including names, addresses, dates of birth, Social Security numbers, taxpayer identification numbers, and bank or card details.
Marquis is offering free credit monitoring and identity protection services for one or two years.
Following the attack, the company also said it introduced a series of security improvements, including:
- Ensuring all firewall devices are fully patched
- Rotating local account passwords
- Deleting unused accounts
- Enabling multi-factor authentication (MFA) on all firewall and VPN accounts
- Increasing firewall logging retention
- Adding VPN lock-out rules for repeated failed logins
- Applying geo-IP filtering for approved countries
- Blocking connections to or from known botnet command servers
“The remediation list tells the real story,” commented Suzu Labs CEO Michael Bell.
“These are all controls that should have been in place before a zero-day was a factor. A zero-day gets attackers in the door, but basic security hygiene determines how far they can go once inside.”
Security researchers have also linked recent SonicWall-related breaches to the Akira ransomware group, though no group has claimed responsibility in this case.
Marquis says the investigation is ongoing and that, at the time of writing, it has not found evidence that the stolen data has appeared online.