Breach Analysis

CoVantage Credit Union Breach Exposes 160K Members via Marquis Vendor Hack

CoVantage Credit Union disclosed a breach affecting 160,000 members after vendor Marquis Software Solutions was hit by Akira ransomware. SSNs, account numbers exposed.

By FinSecLedger
Records: 160,000
Vector: third party
Status: confirmed
Occurred: Aug 14, 2025
Discovered: Oct 27, 2025
Disclosed: Nov 26, 2025
Exposed: Names, SSN, DOB, Account #s
Sources: Maine AG

160,000 Members Exposed After Marquis Software Solutions Ransomware Attack

CoVantage Credit Union, a Wisconsin-based credit union serving more than 100,000 members, filed a breach notification with the Maine Attorney General on November 26, 2025, disclosing that 160,000 individuals had their personal data compromised. The breach did not occur at CoVantage itself -- it originated at Marquis Software Solutions, a third-party marketing and communications vendor that held member data on CoVantage's behalf.

The compromised data includes names, Social Security numbers, dates of birth, and financial account numbers. This is among the larger credit union-related incidents tracked in FinSecLedger's breach database, and it adds CoVantage to a growing list of financial institutions caught in the fallout from the Marquis Software breach. The Marquis parent incident has now affected over 80 financial institutions and more than 824,000 individuals.

Timeline: From Intrusion to Notification

The breach notification letter, sent by Marquis on behalf of CoVantage, lays out the following sequence of events:

  • August 14, 2025 -- Marquis identifies suspicious activity on its network and launches an investigation with external cybersecurity experts. Law enforcement is notified.
  • August–October 2025 -- Investigation confirms an unauthorized third party accessed Marquis's network and may have accessed and acquired certain files.
  • October 27, 2025 -- Marquis completes its review of the compromised files and determines that CoVantage member data was included.
  • November 26, 2025 -- CoVantage's breach notification is filed with the Maine AG.

Total elapsed time from initial detection to consumer notification: 104 days.

That 104-day timeline is tighter than the 161 days it took 1st MidAmerica Credit Union to notify its 131,070 affected members about the same Marquis incident. But it still exceeds the 60-day window that many state regulators and the NCUA consider reasonable. The 74-day gap between Marquis detecting the intrusion and completing its data review -- a period during which CoVantage's members had no idea their SSNs might be circulating -- is the bottleneck. This is a vendor timeline problem, not a CoVantage delay, but regulators will hold the financial institution accountable regardless.

What Data Was Exposed in the CoVantage Breach

The breach compromised four categories of member data:

Names combined with Social Security numbers -- the single most dangerous combination for identity theft. SSNs are permanent identifiers that cannot be changed. Armed with a name-SSN pair, a threat actor can open new credit accounts, file fraudulent tax returns, apply for government benefits, and create synthetic identities that combine real and fabricated data.

Dates of birth -- when combined with SSNs, DOBs complete the identity verification trifecta used by most financial institutions for account opening and password resets. This combination substantially increases the risk of account takeover and new account fraud.

Financial account numbers -- the notification confirms exposure of account numbers held in Marquis's files. For credit union members, this raises the risk of unauthorized ACH transactions, wire fraud, and account manipulation. Members should monitor their CoVantage accounts closely and consider requesting new account numbers.

The notification letter uses the templated variable <<Breached Elements>>, suggesting that not every affected individual had all four data types exposed. Some members may have had only names and SSNs compromised, while others had the full set. CoVantage has not published a breakdown of the data types per individual.

How the Attack Happened: Akira Ransomware via SonicWall Exploit

The Marquis breach has been attributed to the Akira ransomware group, which exploited an unpatched vulnerability in Marquis's SonicWall firewall appliance to gain initial access. The FBI and CISA joint advisory on Akira documented the group's established playbook of targeting VPN concentrators and firewall appliances -- devices that sit at the network perimeter and provide remote access.

SonicWall vulnerabilities have been a repeated entry point for ransomware operators. CISA's Known Exploited Vulnerabilities catalog includes multiple SonicWall CVEs that have been weaponized by ransomware groups. The specific CVE exploited in the Marquis attack has not been publicly disclosed, but the pattern matches Akira's documented preference for targeting unpatched network appliances.

Once inside, the attackers followed the standard double-extortion model: exfiltrate data first, then encrypt systems. Marquis's notification states that files "may have been accessed and acquired," language that in practice means the data was stolen. For CoVantage members, this means their personal information likely left Marquis's network entirely and may end up on leak sites or be sold to other threat actors.

CoVantage's own systems were not compromised. The notification explicitly states that "your financial institution's internal systems were not impacted; the incident was limited to Marquis' environment." This is a critical distinction for regulatory purposes -- CoVantage's core banking platform, online banking, and internal networks were not breached. But the member impact is the same regardless of where the failure occurred.

Who Is Affected

The breach affects 160,000 individuals -- a significant number for a community credit union. CoVantage is headquartered in Antigo, Wisconsin, and operates 30 branches across central and northern Wisconsin, as well as Marquette County, Michigan. Its membership base consists primarily of individuals who live, work, or worship in the counties it serves.

The Maine AG filing indicates the breach affected residents across multiple states, though the majority of affected members are likely in Wisconsin and Michigan. Each state where affected members reside may have its own notification requirements and timelines, potentially triggering parallel reviews by multiple state AGs.

CoVantage is not the only credit union affected by the Marquis breach. 1st MidAmerica Credit Union disclosed 131,070 affected members in January 2026, and SAFE Credit Union filed its own notification in December 2025. The total count of affected credit union members across all Marquis-related filings continues to grow as more institutions complete their data reviews and file notifications.

Regulatory and Legal Implications

CoVantage faces regulatory scrutiny on several fronts. As a federally insured credit union, it falls under NCUA examination authority. Examiners will review CoVantage's vendor management program, asking pointed questions about how Marquis was vetted, what contractual security requirements were in place, and whether CoVantage conducted periodic assessments of Marquis's security posture.

GLBA Section 501(b) requires financial institutions to ensure the security and confidentiality of customer information, including data held by service providers. The FTC's Safeguards Rule mandates that financial institutions oversee their service providers by requiring appropriate security measures through contractual provisions. Whether CoVantage's contract with Marquis included specific patch management requirements, incident notification timelines, and the right to audit will be central to any regulatory review.

Wisconsin's data breach notification law (Wis. Stat. § 134.98) requires notification within a "reasonable time" -- language that gives regulators discretion to evaluate whether 104 days met that standard. Given that the delay was primarily driven by Marquis's investigation timeline, CoVantage may argue it acted promptly once it received the necessary information. But state AGs have shown decreasing patience with vendor-driven delays being used to justify extended notification timelines.

Class action exposure is substantial. The combination of SSN and account number exposure, a clear third-party failure, and 160,000 affected individuals creates a straightforward case for plaintiffs' attorneys. Marquis will likely be the primary litigation target, but CoVantage may face claims around its vendor selection and oversight practices.

The Marquis Breach: A Growing Third-Party Disaster

The CoVantage disclosure adds another 160,000 individuals to the Marquis breach tally. As we detailed in our Marquis Software breach analysis, this incident has become one of the most significant third-party breaches affecting U.S. financial institutions in recent memory. The total count now exceeds 824,000 individuals across more than 80 institutions.

Third-party vendor breaches are not new to financial services, but the scale and concentration of the Marquis incident are notable. A single vendor compromise cascaded into breach notifications from dozens of banks and credit unions, each with its own regulatory obligations, notification timelines, and member communications. The operational burden falls on each institution individually -- there is no mechanism for coordinated notification in third-party vendor scenarios.

According to the Verizon 2025 Data Breach Investigations Report, supply chain and third-party attacks have increased year-over-year, with financial services remaining a top target. The FS-ISAC has flagged third-party risk management as a top concern for its members, and the FFIEC's Cybersecurity Assessment Tool treats vendor management as a baseline control domain.

The common thread across these incidents: vendors that hold sensitive financial data but operate with less security maturity than the institutions they serve. Marquis -- a marketing vendor -- held SSNs and account numbers for hundreds of thousands of credit union members. Whether Marquis needed all of that data to perform its contracted services is a question every affected institution should be asking.

What Credit Unions Should Do Now

  1. Check your Marquis exposure. If your institution has ever used Marquis Software Solutions, confirm whether your member data was included in the breach. Do not wait for Marquis to notify you -- the vendor's data review has been slow, and new affected institutions are still being identified months after the initial attack.

  2. Tighten vendor data access. Marketing vendors rarely need SSNs or full account numbers. Apply data minimization principles to every vendor relationship. If a service can function with masked or tokenized data, require it. As noted in our 1st MidAmerica analysis, the data Marquis held was far more sensitive than what a marketing vendor typically requires.

  3. Mandate notification SLAs in vendor contracts. The 74-day window between Marquis detecting the breach and providing affected data to its clients is unacceptable by any standard. Vendor contracts should specify notification timelines in hours or days -- not leave it to "reasonable" discretion.

  4. Prepare for examiner questions. NCUA examiners will use the Marquis incident as a case study during upcoming examination cycles. Document your vendor due diligence process, contractual requirements, incident response actions, and any changes made to your vendor management program since learning of this breach.

  5. Enhance member monitoring. For institutions with confirmed exposure, deploy enhanced transaction monitoring for affected accounts. Watch for unusual ACH originations, wire transfers, address changes, and new account openings. The Akira group's double-extortion model means the stolen data is almost certainly in the hands of threat actors.

  6. Report to NCUA. Under NCUA's cyber incident notification requirements, federally insured credit unions must report significant incidents to their regional office. Ensure your reporting is current and complete.
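
Recommendation 2 above in practice, as an added example that is not from CoVantage, Marquis or the original article: a Python sketch of an export step that builds the vendor-bound record from an allowlist, replaces the account number with a keyed token and the date of birth with an age band, then checks that no sensitive value remains. The field names, allowlist, key and sample record are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from datetime import date

# Assumed allowlist: what a marketing vendor needs for a mailing campaign.
VENDOR_ALLOWLIST = {"first_name", "last_name", "email", "zip"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample record and key; neither comes from the breach or the page.
SAMPLE = {"first_name": "Pat", "last_name": "Example",
          "email": "pat@example.invalid", "zip": "00000",
          "ssn": "000-12-3456", "dob": date(1980, 5, 17),
          "account_number": "9990001234"}
DEMO_KEY = b"constructed-demo-key-kept-by-the-institution"


def tokenize(value: str, key: bytes) -> str:
    """Keyed one-way token: stable for joins, not reversible without the key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:24]


def age_band(dob: date, today: date) -> str:
    """Replace an exact date of birth with a ten-year band."""
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    age = today.year - dob.year - (0 if had_birthday else 1)
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def minimize_for_vendor(member: dict, key: bytes, today: date) -> dict:
    """Build the outbound record: allowlisted fields, token, age band only."""
    out = {k: v for k, v in member.items() if k in VENDOR_ALLOWLIST}
    out["member_token"] = tokenize(member["account_number"], key)
    out["age_band"] = age_band(member["dob"], today)
    return out


def leak_check(record: dict, member: dict) -> list:
    """Return the outbound fields that still carry a sensitive value."""
    sensitive = {member["ssn"], member["ssn"].replace("-", ""),
                 member["account_number"], member["dob"].isoformat()}
    return [name for name, value in record.items()
            if SSN_RE.search(str(value))
            or any(s in str(value) for s in sensitive)]
```

The token key stays with the institution, so the vendor can match records across campaigns but cannot recover account numbers; an export job would refuse to send any record for which `leak_check` returns a non-empty list.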

Tags: breach, credit-union, third-party, vendor-risk, ssn, maine, marquis, akira, ransomware