Anderson Bancshares Breach Exposes 3,272 Customers via Marquis Vendor Attack

Anderson Brothers Bank Joins Growing List of Marquis Vendor Breach Victims

Anderson Bancshares, Inc., d/b/a Anderson Brothers Bank, filed a breach notification with the Maine Attorney General on December 5, 2025, disclosing that 3,272 individuals had personal information compromised through a third-party vendor attack. The breach originated not at Anderson Brothers Bank itself but at Marquis Software Solutions, the digital marketing vendor whose ransomware compromise has now cascaded across the community banking sector.

The exposed data includes names, dates of birth, Social Security numbers, and financial account information -- a combination that creates severe identity theft and account fraud risk for affected customers. Anderson Brothers Bank, headquartered in Mullins, South Carolina, is one of the smaller institutions caught in the Marquis blast radius, but the data exposure per customer is among the most comprehensive we've seen from this incident.

Timeline: 113 Days From Intrusion to Customer Notification

The notification letter and Maine AG filing detail a familiar sequence for institutions affected by the Marquis breach:

• August 14, 2025 -- Unauthorized access to Marquis Software Solutions' network begins. This date appears consistently across Marquis-related filings as the earliest confirmed intrusion point.
• October 28, 2025 -- Anderson Brothers Bank learns from Marquis that customer data "may have been impacted." This is 75 days after the start of the intrusion -- the same notification timeline reported by Artisans' Bank and other Marquis clients.
• December 5, 2025 -- Anderson Brothers Bank sends notification letters to affected individuals and files with the Maine AG.

Total elapsed time from intrusion to consumer notification: 113 days. The bank took 38 days from vendor notification to customer disclosure -- faster than many peers in the Marquis incident, where some institutions have taken three to five months after learning of the compromise.

The 75-day vendor-to-client notification gap is the bottleneck. Anderson Brothers Bank could not notify customers it didn't know were affected. Marquis controlled the timeline, and the bank was waiting on data analysis results from the vendor's investigation.

What Data Was Exposed in the Anderson Brothers Bank Breach

The compromised information falls into four categories, all high-risk:

Social Security numbers. SSNs are the single most dangerous data element in a breach. They cannot be changed, serve as a primary identifier across the financial system, and are the foundation of identity theft. An attacker with a valid SSN can open credit accounts, file fraudulent tax returns, and defeat knowledge-based authentication at banks that use SSN-based verification.

Financial account information. The notification references "financial account information" without specifying whether this includes account numbers, routing numbers, or both. Either way, this creates direct risk of unauthorized transactions, ACH fraud, and account takeover. Affected customers should monitor their accounts closely and consider requesting new account numbers from Anderson Brothers Bank.

Dates of birth. DOB combined with SSN and name creates a near-complete identity profile. This combination is sufficient to pass KYC checks at most financial institutions and can be used to construct synthetic identities -- a fraud type that has grown 85% year-over-year according to FiVerity research.

Full names. The linking element that ties the other data types to a specific individual and enables targeted phishing and social engineering.

The breadth of data exposed here is notable. Compare this to Artisans' Bank's Marquis filing, which was limited to names and SSNs. Anderson Brothers Bank customers had significantly more data categories compromised, suggesting the bank shared a broader dataset with Marquis for its contracted services.

How the Attack Happened: The Marquis Software Solutions Compromise

Anderson Brothers Bank's notification confirms this was not a direct attack on bank systems. The breach originated entirely at Marquis Software Solutions, a vendor that provides digital and physical marketing services to banks and credit unions.

The Akira ransomware group breached Marquis by exploiting an unpatched SonicWall firewall appliance. Once inside the network, the attackers exfiltrated customer data from multiple financial institutions before deploying encryption. This is standard Akira playbook: steal first, encrypt second, then pressure victims with double extortion.

Marquis held sensitive customer data -- SSNs, account numbers, DOBs -- for the purpose of producing marketing materials, account statements, and compliance communications. The question every affected bank should be asking: did a marketing vendor need Social Security numbers and full account details to print mailers?

The core vendor management failure is not unique to Anderson Brothers Bank. It's the same pattern across the entire Marquis incident. A single vendor with access to customer data from dozens of financial institutions was running infrastructure with known vulnerabilities. The CISA Known Exploited Vulnerabilities catalog has listed multiple SonicWall CVEs, and the specific vulnerability exploited by Akira had patches available before the intrusion.

Who Is Affected

The breach affects 3,272 individuals. Anderson Brothers Bank filed with the Maine AG on behalf of one Maine resident, with the remaining affected customers spread across South Carolina and neighboring states where the bank operates.

Anderson Brothers Bank is a community institution serving the Pee Dee region of South Carolina with branches in Mullins, Marion, Florence, and surrounding areas. The 3,272 figure likely represents a significant portion of the bank's customer base for whichever services Marquis supported. Community banks with 3,000-5,000 affected customers may not make national headlines, but for a bank of this size, the per-customer impact is proportionally large.

The notification letter offers 12 months of credit monitoring through Epiq's PrivacySolutions platform. Given that SSNs and account numbers were exposed, affected customers should treat the 12-month monitoring period as a starting point, not a complete remedy.

Regulatory and Legal Exposure

Anderson Brothers Bank faces oversight from multiple regulators:

State banking regulators. As a South Carolina-chartered bank, Anderson Brothers Bank is supervised by the South Carolina Board of Financial Institutions. Examiners will review the bank's vendor management program, specifically whether contractual requirements with Marquis included security standards, audit rights, and incident notification SLAs.

Federal regulators. Anderson Brothers Bank is FDIC-insured. The FDIC, along with the OCC and Federal Reserve, issued updated Third-Party Risk Management guidance in 2023 requiring banks to conduct thorough due diligence on service providers. Examiners will assess whether the bank's vendor oversight was commensurate with the risk of sharing SSNs and account numbers with a marketing vendor.

GLBA requirements. Under GLBA Section 501(b), financial institutions must ensure their service providers maintain appropriate safeguards. The FTC's Safeguards Rule requires written information security programs that extend to third-party relationships. The 75-day gap between Marquis detecting the breach and notifying Anderson raises questions about contractual notification terms.

Multi-state filing obligations. Anderson Brothers Bank's Maine AG filing includes a reservation of rights regarding "the applicability of Maine law" and "personal jurisdiction" -- the same boilerplate seen in other Marquis-related filings. The bank must file in every state where affected residents live, creating compliance burden for an institution that likely operates primarily in South Carolina.

Class action risk exists but is moderated by the relatively small number of affected individuals. Plaintiffs' attorneys are more likely to fold Anderson Brothers Bank customers into broader Marquis-related litigation than to pursue a standalone case against the bank.

The Marquis Cascade: A Vendor Risk Case Study in Real Time

According to FinSecLedger's breach tracker, the Marquis Software Solutions compromise has generated separate breach notifications from institutions including CoVantage Credit Union (160,000 affected), 1st MidAmerica Credit Union (131,070 affected), Artisans' Bank (32,344 affected), and now Anderson Brothers Bank (3,272 affected). The cumulative total across all known Marquis victims exceeds 824,000 individuals.

The incident is a textbook illustration of concentrated vendor risk in financial services. Community banks and credit unions outsource marketing, statement production, and compliance communications to a handful of specialized vendors. When one of those vendors is compromised, the impact multiplies across every institution in the vendor's portfolio.

The Verizon 2024 Data Breach Investigations Report found that supply chain and partner-related breaches increased 68% year-over-year. The financial services sector is particularly exposed because regulatory requirements drive institutions toward specialized vendors, concentrating sensitive data in a small number of third parties.

The FFIEC's Cybersecurity Assessment Tool identifies third-party management as a core component of cybersecurity maturity. The Marquis breach demonstrates what happens when that maturity assessment is treated as a compliance exercise rather than an operational reality. A vendor that held SSNs, account numbers, and DOBs for hundreds of thousands of bank customers was running an unpatched perimeter device. No amount of paperwork fixes that.

Action Items for Financial Institutions

1. Anderson Brothers Bank customers: Freeze your credit immediately. Credit monitoring is reactive -- it tells you after fraud occurs. A credit freeze with Equifax, Experian, and TransUnion is preventive and free under federal law. Given that SSNs and account numbers were both exposed, a freeze is essential.

2. Request new account numbers. Contact Anderson Brothers Bank to discuss whether your account numbers should be changed. The bank's notification does not mention this step, but compromised account information creates direct fraud risk.

3. Banks using Marquis: Complete your data assessment. If your institution has not yet received confirmation from Marquis about whether your customer data was in the compromised dataset, escalate. Marquis's data review has been slow -- it's now six months since the initial intrusion and new victim institutions are still being identified.

4. Review all marketing vendor contracts. Audit what data your institution shares with marketing and communications vendors. Ask whether SSNs are necessary for the contracted service. If they are not, stop sharing them. If they are, ensure contractual requirements include encryption standards, access controls, patch management SLAs, and incident notification within 24-48 hours.

5. Prepare for examination questions. Federal and state examiners will ask about your institution's vendor management practices. Document your due diligence process, contractual terms, ongoing monitoring activities, and incident response. The Marquis breach will be cited in supervisory guidance for years.