Security Leaders Discuss the Marquis Data Breach

Marquis Software Solutions experienced a data breach affecting approximately 780,000 individuals, according to filings with the Office of the Maine Attorney General, the Office of Attorney General of Iowa, and more. According to the filing in Maine, suspicious activity was detected on the organization’s systems on Aug. 14. This activity was determined to be a ransomware attack.
The investigation found that the malicious actor accessed the Marquis network via the organization’s SonicWall firewall and may have acquired certain files. Personal data at risk may include:
- Names
- Dates of birth
- Addresses
- Phone numbers
- Taxpayer Identification Numbers
- Financial account data
- Social Security numbers
At this time, there is no evidence that the data has been misused.
Security Leaders Weigh In
David Stuart, Cybersecurity Evangelist at Sentra:
Although the initial access in this incident came from a firewall vulnerability, the real damage occurred once attackers reached sensitive data. Breaches like this show how important it is to prevent credentials and encryption keys from being stored in unprotected locations or in unmasked forms. When secrets are exposed, attackers can move quickly and gain access to high-value information.
Organizations also need continuous visibility into where sensitive data lives and how it is being accessed. Detecting credit card numbers, Social Security numbers and other regulated data across all environments and validating that it is properly protected can significantly reduce the occurrence of compliance violations and the impact of a compromise. Continuous monitoring for unusual data activity, such as unexpected access by third parties or unfamiliar IPs, is another key safeguard.
Strong password practices and timely patching will always matter, but reducing the blast radius requires a data-centric approach that limits what attackers can reach even if they do get in.
Sachin Jade, CPO at Cyware:
Personal data-focused exploitation attacks are ever increasing. Threat actors are employing both old and new techniques to breach, steal and misuse personal data.
In an increasingly connected world, financial firms are targeted by multiple threat vectors looking for gaps in their defenses, exacerbated with threat actors leveraging AI as well. Fraud and personal credential and data need to be an integral part of the overall risk and exposure management strategy.
Operationalizing threat intelligence data is paramount. Enterprises, including financial firms, can evaluate and incorporate a capability maturity model (CCM) that can enable them to leverage different threat intelligence data, correlate with identity and personalized data, evaluate value at risk, leverage trusted AI models and develop scenarios to help determine potential mitigation.
Clyde Williamson, Senior Product Security Architect at Protegrity:
When we sign a contract with a vendor, partner or service provider, it is tempting to believe we have offloaded a problem. This is a critical flaw in business thinking today. We haven’t offloaded the problem, we’ve distributed the risk.
The Marquis breach could be framed as a simple technical failure. Their SonicWall firewall got hit; that’s the cost of business. Casting this as a “firewall issue,” though, misses the point entirely. I’m asked to comment on these sorts of events weekly. This is an ontological failure across our industry.
Hundreds of banks told their customers, “Trust us,” and then extended that trust to Marquis without their customers’ consent. Unlike formal logic, trust in cybersecurity cannot be simply passed along a chain of command. Banks believe they’re outsourcing work but actually retain liability while losing control. The lesson: failure to audit the entire trust chain betrays the customer, who only cares that their bank did not protect them.
The attackers lived inside the Marquis environment from August to October. Two months. We continue to build security doctrines around “walls” in an era where data isn’t in one place for long. A wall is a static, binary defense. It says “Yes” or “No” at the gate. Once the gate is breached, like with SonicWall, the wall offers no further opinion. This “dwell time” is the death knell of infrastructure-centric security. If we do not have intelligent, data-centric security in which the data itself can ask, “Why am I being moved?”, then we are simply building taller walls.
The real problem, though, is the asymmetry of the situation as a whole. The most impacted group, the customer, has little to no say in what happened to their data. The banks have the paper cover of a contract, and they can point the finger at someone else. Marquis will probably pay a little fine to a couple of states and offer some credit monitoring to the victims. Of course, some of the most common abuses of PII data (like what was stolen) aren’t solved by credit monitoring. Attackers who use the collected information to build personalized social engineering attacks will be harvesting value by abusing victims for years, long after the pittance of 24 months of credit monitoring has passed, while the banks and Marquis have enjoyed another profitable quarter. Profit is privatized, and Risk is socialized. The vendor saves money on “efficient” architectures, while the public pays the price in perpetuity.
Until we treat data as a liability to be protected, not an asset, this will continue. The core takeaway for every CISO: lasting trust cannot be bought or outsourced. It demands active stewardship, accountability and constant responsibility.