Fintech firm Marquis blames hack at firewall provider SonicWall for its data breach

Fintech company Marquis has told customers that it intends to seek compensation from its firewall provider after blaming the vendor for a security failure that led to the theft of customers’ personal and financial data.

In a memo shared with customers this week and reviewed by TechCrunch, Marquis said it believes its August 2025 ransomware attack occurred after its firewall provider, SonicWall, suffered a separate data breach that exposed sensitive security details related to customer firewalls. According to Marquis, the earlier SonicWall breach allowed attackers to obtain the credentials needed to carry out the ransomware attack against Marquis.

The company said a third-party investigation found that hackers accessed information about Marquis’ firewall during the SonicWall breach and used it to bypass its network defences. Marquis also confirmed that it stored a backup of its firewall configuration file in SonicWall’s cloud environment.

In the memo, Marquis said the company is “evaluating its options” regarding its relationship with SonicWall, including efforts to recover costs related to the incident. This includes “the recoupment of any expenses spent by Marquis and its customers in responding to the data incident,” the company said.

When contacted for comment, Hanna Grimm, a spokesperson representing Marquis, did not dispute the contents of the memo but reiterated the company’s position that its breach was linked to an earlier compromise at SonicWall.

“In September 2025, after the data security incident affected our systems, our firewall service provider, an industry-leading cybersecurity company, publicly disclosed that a threat actor had earlier in the year gained unauthorized access to its cloud backup service,” the statement said.

“Marquis had recently begun using this provider’s firewalls to help protect our network,” the spokesperson added. “While the provider initially reported that fewer than 5% of customers were affected, it later clarified in October 2025 that firewall configuration data and credentials associated with all customers using the cloud backup service, including Marquis, had been accessed.”

SonicWall disputed the claim that its breach directly led to the attack on Marquis. In a statement to TechCrunch, SonicWall spokesperson Bret Fitzgerald said the company has asked Marquis to provide evidence supporting the allegations and said it remains engaged with its customer.

“We have no new evidence to establish a connection between the SonicWall security incident reported in September 2025 and ongoing global ransomware attacks on firewalls and other edge devices,” Fitzgerald said.

Texas-based Marquis provides data visualisation services to hundreds of banks and credit unions, allowing them to analyse customer information. The company began notifying hundreds of thousands of individuals last month that their data had been compromised in the ransomware attack.

Marquis has access to large volumes of sensitive consumer banking data across the United States, including personal details, financial information, and Social Security numbers, all of which the company said were stolen by the attackers.

SonicWall acknowledged in October that an earlier breach of its systems had affected all customers of its cloud-based firewall backup service. The company had previously stated that only a small portion of customers’ firewall configuration files, which contain policies and settings, were accessed by hackers.

In its communication to customers, Marquis said it had also engaged an external firm to investigate whether an unpatched vulnerability in its own systems could have been responsible for the breach. The investigation concluded that the patch in question addressed a flaw that was not exploitable in a way that would have allowed attackers to access Marquis’ data.

Marquis declined to disclose how many individuals have been affected by the breach. That number is expected to increase as additional data breach notifications are filed with state attorneys general.

Do you know more about the Marquis data breach? Do you work at Marquis or at an organization affected by the incident? The reporter can be contacted securely via Signal using the username zackwhittaker.1337.