VPN vulnerability leads to data breaches at 70 banks

  • Supporting data: At least 70 financial institutions and an estimated 400,000 consumers were affected by the ransomware attack on the third-party vendor.
  • Key insight: Patching the SonicWall vulnerability is not enough; administrators must reset passwords as attackers are using stolen credentials to bypass MFA.
  • What's at stake: The incident highlights the persistent danger of third-party vendor risk, as the breach occurred entirely outside the banks' internal networks.

Overview bullets generated by AI with editorial review

A ransomware attack on Marquis Software Solutions compromised the personal and financial data of hundreds of thousands of consumers across dozens of community banks and credit unions, highlighting the persistent dangers of third-party vendor risk and unpatched software vulnerabilities.

The breach, which occurred in August, was facilitated by a vulnerability in SonicWall firewalls — a flaw that security researchers warn is being actively exploited by a ransomware group known as Akira. The flaw enables attackers to bypass multifactor authentication when seeking VPN access.

Marquis, a marketing and compliance vendor, detected suspicious activity on its network on August 14, according to disclosures the company made to multiple state attorneys general.

A subsequent investigation revealed that an unauthorized third party had accessed the company's systems that same day and "may have acquired certain files," according to a November 26 letter from Marquis' legal counsel to the Iowa attorney general.

While Marquis said in consumer notifications that it has "no evidence of the misuse, or attempted misuse, of personal information," one affected financial institution disclosed in a breach notification that the vendor had paid the attackers.

"Marquis paid a ransomware shortly after [August 14]," according to a November 7 email from Bobbi Terrell, chief compliance and business services officer at Community 1st Credit Union, to the Iowa Attorney General. CompariTech first reported on the email.

In ransomware cases, victim organizations pay ransoms in an effort to stop the attacker from releasing stolen data. The FBI advises organizations not to pay, as ransoms help fund the attackers' activities.

The Marquis incident has had a sprawling impact on the financial services sector. Data breach notifications filed in Washington, Maine and Iowa list at least 70 affected financial institutions, with the largest impacts in those states on Gesa Credit Union (152,000 affected individuals) and iQ Credit Union (111,000 affected).

In Washington state alone, 270,000 individuals were affected, according to the data breach directory maintained by the state's attorney general. A Maine filing indicates another 43,000 residents were impacted.

SOCRadar, a threat intelligence firm, estimates the total number of affected individuals is at least 400,000.

The compromised data includes names, Social Security numbers, dates of birth and financial account information, according to the November 26 disclosure from Marquis.

Marquis emphasized that the incident was "limited to Marquis' environment" and did not impact the internal systems of its client financial institutions, according to the disclosures.

The vulnerability: SonicWall and Akira ransomware

Marquis traced the breach to a previously disclosed vulnerability in SonicWall's software.

"The investigation revealed that an unauthorized third party accessed Marquis' network through its SonicWall firewall," according to the company's disclosures to state attorneys general.

This aligns with a broader campaign of attacks targeting SonicWall VPN devices. Security researchers have linked these attacks to the Akira ransomware group, noting that threat actors are exploiting an improper access control vulnerability in SonicOS.

That vulnerability had been disclosed in August 2024. Akira began exploiting the vulnerability roughly 11 months later.

"From late July through early August 2025, multiple security vendors have reported exploitation of SonicWall VPNs, leading to Akira ransomware deployment," according to an August 5 report from GuidePoint Security.

The vulnerability affects SonicWall Gen 5 and Gen 6 firewalls, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions, according to a SonicWall security advisory. The flaw allows unauthorized resource access and, in some conditions, can cause the firewall to crash.

The critical gap in patching

For bankers and IT security teams, the critical lesson from this incident is that applying a software patch is insufficient if credentials have already been compromised.

SonicWall warned that incidents this summer exploiting the vulnerability disclosed last year involved "migrations from sixth-generation to seventh-generation firewalls, where local user passwords were carried over during the migrations and were not reset after," according to a threat advisory by cybersecurity firm Huntress.

Threat actors have been observed successfully authenticating against accounts even with one-time password multifactor authentication enabled, suggesting they are using valid, stolen credentials. "In over half of the intrusions analyzed, we observed login attempts against accounts with the one-time password feature enabled," according to a report from cybersecurity firm Arctic Wolf.

Remediation and protection

SonicWall and security researchers urge financial institutions using these devices to go beyond simply applying the latest security patch.

"Organizations remain vulnerable if they have not fully implemented the mitigation advice by updating credentials after updating the firmware," according to a September 10 alert from the Australian Cyber Security Centre.

Remediation is a detailed and involved process, per SonicWall's guide on the matter. It involves applying the latest patch, resetting credentials, restricting users' access to certain applications, and removing unused or inactive firewall users. SonicWall has also launched a firewall configuration analysis tool to provide targeted guidance.

Marquis said it has implemented additional security technologies, including "deploying an endpoint detection and response tool," and is rebuilding its impacted infrastructure with new operating systems, according to a November 26 letter sent by CoVantage Credit Union to the New Hampshire attorney general.

Following the summer wave of Akira attacks, SonicWall said it had listed password resets as a "critical step" in its security advisory last year. Indeed, resetting passwords is listed as the second "recommended" step, after applying the security patch and before three further steps: enabling multifactor authentication, enabling VPN login event logging, and implementing account lockout mechanisms.

Marquis did not state in its disclosures to state attorneys general whether the company had reset passwords last year, when SonicWall disclosed the vulnerability and advised customers to do so. It did say part of its remediation efforts following the ransomware attack included password resets for VPN users.
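The remediation steps described above (patch, reset credentials carried over from the migration, remove inactive firewall users, enable one-time-password MFA, log VPN logins) can be turned into a post-upgrade audit. The following is an added example, not code from the article, SonicWall or Marquis; the local user inventory, the migration date and the key=value login-event format are constructed assumptions, not a SonicWall export or syslog format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LocalUser:
    name: str
    password_changed: datetime  # last password reset for this local firewall account
    last_login: Optional[datetime]
    otp_enabled: bool

# Constructed inventory; the Gen 6 -> Gen 7 migration date is assumed, not taken from the article.
MIGRATION_DATE = datetime(2025, 7, 1)
NOW = datetime(2025, 8, 15)
USERS = [
    LocalUser("svc_backup", datetime(2024, 3, 2), datetime(2025, 8, 14), otp_enabled=False),
    LocalUser("jdoe", datetime(2024, 11, 20), datetime(2025, 8, 14), otp_enabled=True),
    LocalUser("asmith", datetime(2025, 7, 15), datetime(2025, 8, 13), otp_enabled=True),
    LocalUser("contractor_old", datetime(2023, 6, 1), None, otp_enabled=False),
]
# Constructed VPN login events; this key=value format is an assumption, not SonicWall's syslog format.
LOG_LINES = """\
2025-08-14T02:41:10Z user=svc_backup result=success src=198.51.100.23
2025-08-14T02:43:55Z user=jdoe result=failure src=198.51.100.23
2025-08-14T03:02:17Z user=jdoe result=success src=198.51.100.23
2025-08-13T09:15:00Z user=asmith result=success src=192.0.2.10
""".splitlines()

def audit_users(users, migration_date, now, inactive_days=90):
    """reset: password set before the migration and never rotated since (carried over);
    remove: no login within inactive_days; no_mfa: one-time-password MFA not enabled."""
    out = {"reset": [], "remove": [], "no_mfa": []}
    cutoff = now - timedelta(days=inactive_days)
    for u in users:
        if u.password_changed < migration_date:
            out["reset"].append(u.name)
        if u.last_login is None or u.last_login < cutoff:
            out["remove"].append(u.name)
        if not u.otp_enabled:
            out["no_mfa"].append(u.name)
    return out

def suspicious_logins(log_lines, stale_users):
    """Successful logins by accounts whose password predates the migration: a patch alone
    does not stop a valid stolen credential, so these warrant review even with OTP on."""
    hits = []
    for line in log_lines:
        ts, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        if f.get("result") == "success" and f.get("user") in stale_users:
            hits.append((ts, f["user"], f["src"]))
    return hits
```

Note that jdoe is flagged despite having OTP enabled, mirroring the Arctic Wolf observation that MFA alone did not stop logins with valid stolen credentials.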
