FinSecLedger
Breach Analysis8 min read

Artisans' Bank Breach Hits 32K Customers via Marquis Software Attack

Artisans' Bank disclosed a breach affecting 32,344 customers after vendor Marquis Software Solutions was compromised. Names and SSNs exposed.

By FinSecLedger
Records: 32,344
Vector: third party
Status: confirmed
Occurred: Aug 14, 2025Discovered: Oct 28, 2025Disclosed: Dec 23, 2025
Exposed:NamesSSN
Sources:Maine AG

32,344 Customer Records Exposed in Yet Another Marquis Software Vendor Breach

Artisans' Bank, a Delaware-based community bank, filed a breach notification with the Maine Attorney General on December 23, 2025, disclosing that 32,344 customers had their names and Social Security numbers compromised. The breach did not originate at Artisans' Bank -- it is another casualty of the Marquis Software Solutions ransomware attack that has now swept through dozens of financial institutions.

Artisans' Bank is the latest in a growing list of banks and credit unions disclosing breaches tied to Marquis, a digital and physical marketing vendor that held customer data for financial institutions across the country. The Marquis parent incident has affected over 80 institutions and more than 824,000 individuals since the Akira ransomware group breached Marquis's network in August 2025.

Timeline: Four Months From Vendor Notification to Consumer Disclosure

The Artisans' Bank notification provides a clear timeline of how third-party vendor breaches cascade through the supply chain:

  • August 14, 2025 -- Unauthorized access to Marquis Software Solutions' network begins (at minimum). Marquis launches an investigation with cybersecurity experts.
  • October 28, 2025 -- Artisans' Bank learns from Marquis that customer information "may have been impacted." This is 75 days after the initial intrusion was detected.
  • Late November–December 2025 -- Artisans' reviews the data, identifies affected individuals, and prepares notification materials.
  • December 23, 2025 -- Notification letters sent and Maine AG filing submitted.

Total elapsed time from vendor's detection of the intrusion to consumer notification: 131 days.

The 75-day gap between Marquis detecting the intrusion and notifying Artisans' Bank mirrors what other affected institutions have reported. CoVantage Credit Union received its notification from Marquis on October 27, 2025 -- just one day before Artisans'. 1st MidAmerica Credit Union received its list on the same date but took until January 2026 to notify affected members.

Artisans' Bank moved faster than most Marquis victims once it received the data from the vendor. The 56-day window from vendor notification to consumer disclosure is tighter than the three-to-five month timelines seen at other institutions. Still, from the affected customer's perspective, 131 days is 131 days -- their SSN was exposed for more than four months before they knew about it.

What Data Was Exposed

The breach compromised customer names and Social Security numbers. Artisans' Bank's Maine AG filing explicitly limits the exposed data to these two categories -- a narrower scope than some other Marquis victims, where account numbers, dates of birth, and card data were also included.

Names combined with SSNs remain the highest-risk data combination for identity theft. SSNs cannot be changed or easily replaced. A threat actor with a name-SSN pair can:

  • Open new credit accounts (credit cards, auto loans, personal loans)
  • File fraudulent tax returns to claim refund payments
  • Create synthetic identities by combining real SSNs with fabricated biographical data
  • Apply for government benefits, unemployment insurance, or Medicare services
  • Pass identity verification checks at financial institutions that rely on SSN-based KYC

The 32,344 affected individuals now face these risks indefinitely. SSN exposure does not have an expiration date -- stolen SSNs have been used for fraud years after the initial breach.

The Marquis Pattern: Why One Vendor's Failure Hits Dozens of Banks

Artisans' Bank is a single-state community bank based in Wilmington, Delaware. It has no presence in Maine, but filed with the Maine AG because 7 Maine residents were among the 32,344 affected customers. The bank's notification explicitly reserves its rights regarding "the applicability of Maine law" and "personal jurisdiction" -- legal boilerplate that signals the bank's counsel is managing multi-state regulatory exposure.

The Marquis breach has created a cascade of state AG notifications from institutions that never anticipated filing in states where they have no physical presence. Each affected institution must individually determine which states' residents are in its compromised dataset, then file notifications under each state's specific requirements. For a community bank like Artisans', which serves a primarily Delaware customer base, this multi-state compliance burden is operationally painful.

Marquis Software Solutions provides "digital and physical marketing and communications" services to banks and credit unions. These services -- account statements, marketing mailers, promotional materials -- require access to customer data that includes names and SSNs. The Akira ransomware group exploited an unpatched SonicWall firewall to breach Marquis's perimeter, then exfiltrated data before encrypting systems.

The core problem: a marketing vendor held Social Security numbers for tens of thousands of bank customers. Whether Marquis needed SSNs to produce marketing materials is a question every affected institution should have asked before sharing the data. As we noted in our 1st MidAmerica breach analysis, data minimization failures at the vendor selection stage are what turned a single ransomware attack into an industry-wide incident.

Regulatory and Legal Implications

Artisans' Bank faces regulatory review from multiple angles:

State banking regulators. As a Delaware-chartered institution, Artisans' is subject to supervision by the Delaware Office of the State Bank Commissioner. Examiners will evaluate the bank's vendor management program, contractual requirements with Marquis, and whether appropriate due diligence was performed before sharing customer SSNs with the vendor.

Federal regulators. If Artisans' is FDIC-insured (as most state-chartered banks are), FDIC examiners will include the Marquis incident in their supervisory activities. The FDIC's interagency guidance on third-party relationships, jointly issued with the OCC and the Federal Reserve, requires banks to assess service providers' information security programs and maintain contractual provisions for security requirements, audit rights, and incident notification.

GLBA compliance. Under GLBA Section 501(b), banks must oversee their service providers and ensure appropriate safeguards for customer information. The FTC's Safeguards Rule requires written information security programs that extend to vendor relationships. The 75-day delay between Marquis detecting the breach and notifying Artisans' raises questions about the contractual notification requirements in place.

Multi-state AG exposure. The 32,344 affected customers span multiple states. Each state AG has independent authority to investigate and take action. Multi-state AG investigations have become increasingly common for breaches involving financial institutions, and the Marquis incident -- with its long notification delays and clear vendor security failures -- is a likely target.

Class action litigation is possible but may be complicated by the vendor's central role. Plaintiffs may target both Marquis and its client institutions, arguing that the bank failed to adequately vet its vendor or to limit the data shared. The reservation of rights language in Artisans' Maine AG filing suggests its legal team is already anticipating multi-forum litigation.

Third-Party Risk Management: The Recurring Failure

According to FinSecLedger's breach tracker, third-party vendor breaches account for a significant share of financial sector incidents tracked in the past year. The Marquis breach alone has generated separate notifications from institutions including CoVantage Credit Union (160,000 affected), 1st MidAmerica Credit Union (131,070 affected), and now Artisans' Bank (32,344 affected). More filings are expected as Marquis continues its data review.

The FFIEC's Cybersecurity Assessment Tool treats third-party management as a baseline control domain. The OCC, FDIC, and Federal Reserve's Third-Party Risk Management guidance requires banks to conduct due diligence on third parties, implement risk management processes throughout the lifecycle of the relationship, and maintain clear accountability for oversight.

The Marquis incident exposes a gap between these requirements and actual practice. A marketing vendor that held SSNs for hundreds of thousands of financial institution customers was running an unpatched firewall. Either the institutions that contracted with Marquis did not assess its security posture adequately, or they assessed it and accepted the risk. Neither answer reflects well on the industry's vendor management practices.

What Banks and Their Customers Should Do Now

  1. Artisans' Bank customers: Enroll in IDX credit monitoring. The bank is offering 12 months of free monitoring. The enrollment deadline is specified in your notification letter. Do not wait -- SSN exposure creates immediate risk.

  2. Place a credit freeze. Free under federal law with all three bureaus. A freeze prevents new accounts from being opened in your name. This is more protective than credit monitoring, which only alerts you after fraud has occurred.

  3. Banks using Marquis: Confirm your exposure. If your institution has contracted with Marquis Software Solutions for any service, verify whether your customer data was in the compromised files. Marquis's data review has been slow, and new affected institutions are still being identified six months after the initial attack.

  4. Audit vendor data access. For every vendor that holds customer data, ask two questions: Does this vendor need SSNs to perform its contracted service? If so, are there contractual requirements for encryption, access controls, and patch management? If the answer to either question is unsatisfactory, remediate now.

  5. Strengthen contractual notification requirements. The 75-day gap between Marquis detecting the breach and notifying its client banks is a contractual failure. Future vendor agreements should specify notification timelines in hours or days, with financial penalties for noncompliance.

  6. Document everything for examiners. Regulatory scrutiny of the Marquis incident will extend to every affected institution. Document your vendor selection process, due diligence activities, contractual requirements, incident response actions, and remediation steps.

Tags:breachbankthird-partyvendor-riskssnmainemarquisdelaware

Related Analysis

Anderson Bancshares Breach Exposes 3,272 Customers via Marquis Vendor Attack
9 min read
CoVantage Credit Union Breach Exposes 160K Members via Marquis Vendor Hack
9 min read
1st MidAmerica Credit Union Breach Hits 131K Members via Marquis
8 min read
First National Bank of Clarksdale Breach: Network Intrusion Exposes SSNs
11 min read