1st MidAmerica Credit Union Breach Hits 131K Members via Marquis
1st MidAmerica Credit Union disclosed a breach affecting 131,070 members after vendor Marquis Software Solutions was hacked. SSNs exposed.
131,070 Members Exposed After Vendor Marquis Software Solutions Was Hacked
1st MidAmerica Credit Union (MACU), an Illinois-based credit union headquartered in Bethalto, disclosed a data breach on January 30, 2026, affecting 131,070 individuals. The breach originated not within MACU's own systems but at Marquis Software Solutions, a third-party marketing and communications vendor. Member names and Social Security numbers were exposed.
The incident is the latest ripple effect from the Marquis Software Solutions ransomware attack that has already compromised data from over 80 financial institutions and 824,000 individuals. For MACU members, the notification arrived more than five months after the breach was discovered -- a timeline that will draw scrutiny from regulators and affected individuals alike.
What Happened: The Marquis Connection
On August 14, 2025, Marquis Software Solutions notified MACU that it had detected suspicious activity on its network. Marquis's investigation determined that an unauthorized third party had gained access to its computing environment and may have accessed and acquired files from its systems. The attack has been attributed to the Akira ransomware group, which exploited an unpatched SonicWall firewall to gain initial access to Marquis's network.
Marquis provides digital and physical marketing and communications services to banks and credit unions -- the kind of vendor that needs access to customer data to personalize mailings, account statements, and promotional materials. That data access turned into a liability when Akira breached Marquis's perimeter.
MACU did not receive a list of its affected member data until October 27, 2025 -- more than two months after the initial notification. The credit union then took until November 24, 2025, to confirm that the compromised dataset included its members' information. Notification letters to affected individuals were mailed on January 22, 2026, and the Maine Attorney General filing followed on January 30.
What Data Was Exposed in the 1st MidAmerica Breach
The compromised data includes member first and last names combined with Social Security numbers. This is a high-risk combination. SSNs are the most commonly used identifier for opening new credit accounts, filing tax returns, and applying for government benefits. Unlike a credit card number, an SSN cannot be easily replaced.
Members whose SSNs were exposed face elevated risk of identity theft, synthetic identity fraud, and tax refund fraud. The Akira group is known to exfiltrate data before encrypting systems, and stolen records frequently end up for sale on dark web marketplaces -- sometimes months or years after the initial theft.
MACU has not disclosed whether additional data types such as account numbers, dates of birth, or financial records were included in the compromised files. The notification letter references "first and last name in combination with your <<Breached Elements>>" -- a templated variable that suggests the vendor's notification system personalizes the data types per individual. The Maine AG filing lists only names and SSNs.
Five-Month Notification Delay Raises Questions
The timeline from discovery to disclosure deserves close attention:
- August 14, 2025 -- Marquis detects the intrusion and notifies MACU
- October 27, 2025 -- Marquis provides MACU with a list of affected data (74 days later)
- November 24, 2025 -- MACU confirms Maine residents are included (28 more days)
- January 22, 2026 -- Notification letters mailed to affected individuals (59 more days)
- January 30, 2026 -- Maine AG notified (8 more days)
Total elapsed time from discovery to consumer notification: 161 days.
Maine's breach notification statute requires notification "as expediently as possible and without unreasonable delay." Most state laws use similar language, and regulators have increasingly questioned delays that stretch beyond 60-90 days. The 161-day gap here -- even if partially attributable to Marquis's own investigation timeline -- is well beyond what most state AGs consider reasonable.
For federally regulated credit unions, the NCUA has proposed rules that would require notification within 72 hours of determining a reportable cyber incident. While MACU's reporting obligation under current rules runs primarily through state law, the direction of travel is clear: regulators want faster notification.
Third-Party Risk: When Your Vendor's Breach Becomes Yours
This breach is a textbook case of third-party vendor risk. MACU's own systems were not compromised. Its internal security controls were not defeated. But its members' SSNs were exposed because a vendor in its supply chain failed to patch a known firewall vulnerability.
The pattern is now familiar in the financial sector. The Gravity Payments breach, also disclosed this month, followed the same playbook: a third-party CRM provider was compromised, and downstream financial services clients bore the reputational and regulatory consequences. According to FinSecLedger's breach tracker, third-party incidents account for a significant share of financial sector breaches tracked over the past 12 months.
The FFIEC's Cybersecurity Assessment Tool explicitly calls out third-party management as a baseline control. Examiners evaluate whether institutions have contractual requirements for vendor security standards, incident notification timelines, and the right to audit. The Marquis incident -- where the vendor took 74 days just to provide a list of affected records -- suggests the contractual framework may not have included sufficiently aggressive notification SLAs.
Who Is Affected
The breach affects 131,070 individuals across all states where MACU members reside. The Maine AG filing specifically notes 7 Maine residents were included -- the state's notification threshold requires reporting when even a single resident is affected.
MACU serves members primarily in the St. Louis metropolitan area and southern Illinois. As a credit union, its membership is not limited to a single employer or geography, meaning affected individuals could be spread across multiple states. Each state where affected members reside may have its own notification requirements, potentially triggering parallel AG inquiries.
Remediation and Member Protections
MACU is offering affected members 24 months of single-bureau credit monitoring through Epiq Privacy Solutions, along with fraud consultation and identity theft restoration services. The credit monitoring covers:
- Single-bureau credit file monitoring with alerts for new inquiries, accounts, and public records
- Dark web monitoring for email, phone, name, date of birth, and SSN
- Three-bureau credit freeze assistance
- Change of address monitoring through USPS/NCOA records
- Identity restoration specialist support
The 24-month monitoring window is standard for breaches involving SSNs. Members should enroll promptly -- the enrollment deadline is specified in individual notification letters. Beyond the monitoring service, affected individuals should consider placing a credit freeze with all three bureaus, which is free under federal law and more protective than a fraud alert.
Regulatory and Legal Exposure
MACU faces regulatory and legal exposure on multiple fronts. As a federally insured credit union, it is subject to NCUA examination. Examiners will likely review MACU's vendor management program, including how it assessed Marquis's security posture, what contractual protections were in place, and whether the 161-day notification timeline was justified.
Under GLBA Section 501(b), financial institutions must ensure the security of customer information held by service providers. The FTC's Safeguards Rule -- which applies broadly to financial institutions -- requires oversight of service provider arrangements, including contractual requirements for appropriate safeguards.
State attorneys general may also investigate. The 131,070 affected individuals span multiple states, and multi-state AG investigations have become increasingly common for breaches of this scale. Class action plaintiffs' firms are likely already evaluating the case -- the combination of SSN exposure, a lengthy notification delay, and a clear third-party failure creates a straightforward negligence theory.
The Akira Ransomware Factor
The Marquis breach that exposed MACU's data was attributed to the Akira ransomware group. Akira has been one of the most active ransomware operations targeting U.S. organizations since emerging in early 2023. The FBI and CISA joint advisory on Akira documented the group's preference for exploiting VPN and firewall vulnerabilities for initial access -- exactly the method used against Marquis's SonicWall appliance.
Akira's double-extortion model means the stolen data was likely exfiltrated before encryption. This increases the risk that member records will appear on leak sites or be sold to other threat actors, even if Marquis paid a ransom. Financial institutions should treat any Akira-linked breach as a confirmed data exfiltration event and plan their response accordingly.
What Credit Unions and Community Banks Should Do Now
- Audit your Marquis relationship. If your institution uses Marquis Software Solutions for any service, confirm whether your customer data was included in the breach. Do not assume that only marketing data was affected -- Marquis may have held SSNs, account numbers, or other PII depending on the services contracted.
- Review vendor notification SLAs. The 74-day gap between Marquis detecting the breach and providing affected data lists to its clients is unacceptable. Contractual notification requirements should specify timelines measured in days, not months. As we discussed in our Marquis breach analysis, vendors need enforceable SLAs with penalties for delayed notification.
- Evaluate data minimization practices. Did your vendor need SSNs to perform its contracted services? Marketing vendors rarely need Social Security numbers. Financial institutions should apply the principle of least privilege to data sharing -- if a vendor does not need a data element to perform its function, it should not receive it.
- Prepare for examiner questions. NCUA and state examiners will use incidents like this to evaluate your vendor management program during the next examination cycle. Document your due diligence process, contractual requirements, incident response actions, and any remediation steps taken with Marquis.
- Monitor for downstream fraud. SSN exposure creates long-tail risk. Implement enhanced transaction monitoring, strengthen authentication for account changes, and consider proactive outreach to high-risk members (those with large account balances or existing fraud alerts).
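The data minimization item above, as an added sketch that is not from the article or from any vendor's code: a per-purpose field allowlist applied before member records leave the institution, plus a check that rejects any row where an SSN-shaped value survives inside a permitted field. The purposes, field names and sample records are assumptions constructed for illustration.

```python
import re

# Hypothetical per-purpose allowlists: the only fields a vendor may receive.
VENDOR_ALLOWLIST = {
    "direct_mail": {"first_name", "last_name", "street", "city", "state", "zip"},
    "email_campaign": {"first_name", "email"},
}

# SSN-shaped values: 3-2-4 with hyphens or spaces, or 9 contiguous digits.
# Written so that a ZIP+4 such as 62002-1234 does not match.
SSN_RE = re.compile(
    r"(?<!\d)(?:\d{3}-\d{2}-\d{4}|\d{3} \d{2} \d{4}|\d{9})(?![\d-])"
)


def minimize_for_vendor(records, purpose):
    """Return (export_rows, rejected) for one vendor purpose.

    Each exported row keeps only allowlisted fields. A row is rejected
    when a retained value still contains an SSN-shaped string (for
    example an SSN typed into an address line), so it is never sent.
    """
    allowed = VENDOR_ALLOWLIST[purpose]  # unknown purpose raises: fail closed
    export_rows, rejected = [], []
    for rec in records:
        row = {k: v for k, v in rec.items() if k in allowed}
        leaks = [k for k, v in row.items() if SSN_RE.search(str(v))]
        if leaks:
            rejected.append((rec.get("member_id"), leaks))
        else:
            export_rows.append(row)
    return export_rows, rejected


# Constructed sample records (not real member data; SSN areas 000/900 are never issued).
SAMPLE = [
    {"member_id": 1, "first_name": "Ana", "last_name": "Reyes", "ssn": "000-12-3456",
     "street": "12 Oak St", "city": "Alton", "state": "IL", "zip": "62002",
     "email": "ana@example.com"},
    {"member_id": 2, "first_name": "Lee", "last_name": "Park", "ssn": "900-12-3456",
     "street": "SSN 900 12 3456 / 4 Elm Ave", "city": "Godfrey", "state": "IL",
     "zip": "62035", "email": "lee@example.com"},
]

if __name__ == "__main__":
    rows, rejected = minimize_for_vendor(SAMPLE, "direct_mail")
    print("exported:", rows)
    print("rejected:", rejected)
```

Rejected rows are held back for manual cleanup rather than silently redacted, so the source system gets fixed instead of the leak recurring on the next export.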