WASHINGTON—A growing number of credit unions are expected to report data breaches in the coming weeks as new details emerge about the ransomware attack on Marquis Software Solutions, a third-party marketing and data-management vendor serving hundreds of financial institutions, according to multiple disclosures and media reports.
TechCrunch reported that Marquis has begun notifying “dozens” of U.S. banks and credit unions that customer data was stolen in its August 14 cyberattack, now confirmed by the company as a ransomware incident. State filings reviewed by TechCrunch show at least 400,000 individuals already identified as affected across Iowa, Maine, Texas, Massachusetts, and New Hampshire, with that figure expected to rise as more notifications are submitted.
Marquis, which works with more than 700 financial institutions, said attackers exploited a zero-day vulnerability in its SonicWall firewall to access files containing names, dates of birth, addresses, account numbers, card data, and Social Security numbers.
Credit-union impacts are beginning to surface. As CUToday.info reported on Dec. 1, CoVantage Credit Union disclosed that approximately 160,000 of its members may have had sensitive information accessed after Marquis detected suspicious activity and confirmed a system intrusion on Aug. 14. Marquis told CoVantage the breach was contained to the vendor’s environment and did not involve the credit union’s internal systems. The vendor’s investigation and forensics review led to client notifications beginning Oct. 27, with state attorneys general formal notices filed starting Nov. 26.
Now Claim Depot is reporting a second credit union victim: $754-million Maine State Credit Union, based in Augusta. According to a disclosure filed with Maine’s attorney general on Dec. 2, Marquis confirmed that 38,334 Maine residents tied to the credit union were affected. The investigation found that ransomware actors accessed Marquis’ network through the SonicWall vulnerability, potentially acquiring files containing names, addresses, phone numbers, dates of birth, Social Security numbers, Taxpayer Identification Numbers, and financial account information. Marquis engaged cybersecurity experts, notified federal law enforcement, and by late October had begun informing affected business customers, Claim Depot stated.
Given Marquis’ extensive client base and the scope of data stored across its systems, TechCrunch reported that the number of impacted individuals—and institutions—is likely to expand as additional state filings appear.