Marquis Sues SonicWall Over Ransomware Breach Impacting 74 Banks
Incident Overview and Legal Context
Marquis Software Solutions, a prominent financial technology firm providing data analytics and marketing services, has filed a lawsuit against cybersecurity vendor SonicWall. The litigation follows a significant ransomware attack in early 2024 that resulted in operational disruptions for 74 U.S.-based banks and credit unions. According to BleepingComputer, Marquis alleges that the breach was facilitated by SonicWall’s failure to secure its “Hosted Back Up” service, which Marquis utilized to protect its internal systems and client data.
The lawsuit, filed in the U.S. District Court for the Northern District of Texas, accuses SonicWall of gross negligence, breach of contract, and misrepresentation. Marquis claims that SonicWall advertised industry-standard security protections and SOC 2 compliance while failing to implement basic security controls, such as encryption at rest and robust access management, for its cloud-based storage infrastructure.
Technical Analysis of the Attack Vector
The core of the complaint focuses on the security posture of SonicWall’s hosted backup environment. Marquis asserts that threat actors gained unauthorized access to its data backups stored on SonicWall’s infrastructure. Once the attackers compromised the backup environment, they were able to exfiltrate sensitive data and subsequently deploy ransomware across Marquis’s primary network. This sequence effectively neutralized Marquis’s disaster recovery capabilities, because the very backups intended to provide resilience were the initial point of compromise.
Several technical failures are highlighted in the allegations:
Lack of Data Encryption
Marquis alleges that despite assurances of high-level security, the data stored within the SonicWall Hosted Back Up service was not encrypted at rest. This failure allowed the attackers to read and exfiltrate sensitive personally identifiable information (PII) belonging to both Marquis and its banking clients immediately upon gaining access to the storage system.
Inadequate Access Controls
The lawsuit suggests that SonicWall maintained an “unsecured cloud-based storage system” that lacked sufficient authentication mechanisms. The absence of mandatory multi-factor authentication (MFA) or granular identity and access management (IAM) policies reportedly allowed the threat actors to move laterally from the backup environment into Marquis’s production systems.
Supply Chain Implications
This incident serves as a stark example of downstream supply chain risk. Marquis acts as a centralized hub for dozens of financial institutions. By compromising a single service provider (SonicWall), attackers were able to cascade the impact to Marquis, and subsequently to 74 individual banks and credit unions. A hub-and-spoke dependency of this kind, where one provider holds data or access for many downstream organizations, is a prime target for ransomware groups seeking maximum leverage for extortion.
Impact on the Financial Sector
The breach had immediate and severe consequences for the affected financial institutions. Because Marquis handles sensitive marketing and compliance data, the compromise triggered mandatory disclosure requirements under various financial regulations. Many of the 74 affected banks reported outages or service degradations as Marquis took its systems offline to contain the threat and begin the recovery process. The lawsuit claims that Marquis’s reputation has been permanently damaged, and that the financial cost of remediation, legal fees, and revenue credits issued to clients continues to mount.
Actionable Recommendations for Defenders
Organizations relying on third-party cloud backup providers should review their current security architectures to mitigate similar risks:
- Verify Encryption at Rest: Do not assume that “hosted” or “cloud” services automatically include encryption. Demand documentation of how data is encrypted at rest (algorithm, key storage, who can decrypt), using industry-standard algorithms (e.g., AES-256) with customer-managed keys (CMK) where possible. Where the provider cannot demonstrate this, encrypt backups client-side before upload under a key the provider never holds, so that a compromise of the provider’s storage yields only ciphertext.
- Implement Backup Isolation (Air-Gapping): Ensure that backup environments are logically or physically isolated from the primary production network. Use the 3-2-1-1 backup rule: three copies of data, on two different media, one offsite, and one immutable or air-gapped.
- Audit Third-Party SOC Reports: When vendors claim SOC 2 or ISO 27001 compliance, security teams should review the full audit report rather than relying on a marketing summary. Pay close attention to the ‘Complementary User Entity Controls’ (CUECs), which define the security responsibilities the customer must implement.
- Enforce MFA on All Administrative Interfaces: Any cloud-based management console or backup repository must be protected by phishing-resistant MFA so that credential stuffing or a phished password cannot lead to full-scale data exfiltration. Note that MFA alone does not stop session hijacking with a stolen token; pair it with short session lifetimes and re-authentication for sensitive actions such as bulk download or deletion of backups.
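The first recommendation above, client-side encryption of backups under a customer-managed key before they reach a hosted provider, as an added example in Go. This is not code from the original article, from Marquis, or from SonicWall. Assumptions: the key is generated locally rather than fetched from a KMS or HSM; the backup record, the label, and the marker string are constructed sample data; `ContainsPlaintextMarker` is a hypothetical spot-check of what the vendor actually stores, not a substitute for an audit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewBackupKey returns a 32-byte AES-256 key. Assumption: generated locally;
// in production it would live in a customer-controlled KMS/HSM, never at the
// backup provider.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts a backup blob with AES-256-GCM before upload. The label
// (e.g. backup ID plus date) is bound as associated data so one stored object
// cannot be substituted for another. Output: nonce || ciphertext || GCM tag.
func SealBackup(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// OpenBackup decrypts and authenticates a blob. Any bit flip, wrong key, or
// wrong label fails closed with an error instead of returning garbage.
func OpenBackup(key, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("backup blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// Fingerprint is the SHA-256 of the uploaded blob, to be recorded in a ledger
// the customer controls (the immutable copy of the 3-2-1-1 rule) so a
// tampered or replaced object at the provider is detected before restore.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// ContainsPlaintextMarker is a hypothetical spot-check: pull an object back
// from the provider and look for a known field name. If it is present, the
// data is not encrypted at rest regardless of what the marketing page says.
func ContainsPlaintextMarker(stored []byte, marker string) bool {
	return bytes.Contains(stored, []byte(marker))
}

func main() {
	// Constructed sample record; not real customer data.
	record := []byte("ACCT=000123;SSN=XXX-XX-XXXX;NAME=Sample Customer")
	label := "marquis-nightly-2024-01-31"

	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	blob, err := SealBackup(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext marker visible in stored object:", ContainsPlaintextMarker(blob, "SSN="))
	fmt.Println("fingerprint to record in own ledger:", Fingerprint(blob))

	// Simulate tampering at the provider: flip one byte of ciphertext.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenBackup(key, tampered, label); err != nil {
		fmt.Println("restore refused tampered blob:", err)
	}
}
```

The point of binding the label as associated data is that a provider-side compromise that swaps last night’s backup for an older one is caught at restore time; the ledger of fingerprints kept outside the provider gives the same guarantee for objects that were replaced wholesale.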