FinSecLedger
Breach Analysis10 min read

Marquis Software CA Filing Reveals Broader Breach Timeline

California AG filing shows the Marquis Software Solutions breach affecting financial institutions began in August 2025, months before the larger Maine disclosure.

By FinSecLedger
Records: Unknown
Vector: third party
Status: confirmed
Occurred: Aug 14, 2025Discovered: Aug 14, 2025Disclosed: Aug 14, 2025
Exposed:NamesAddressesSSNDOBAccount #sFinancial Records
Sources:California AG

California AG Filing Places Marquis Software Breach Months Earlier Than Maine Disclosure

A breach filing with the California Attorney General reveals that Marquis Software Solutions identified suspicious activity on its network as early as August 14, 2025 -- five months before the company's far larger disclosure through the Maine AG in January 2026. The California filing, submitted on behalf of "business customer data owners," indicates that an unauthorized third party accessed Marquis's network and may have accessed or acquired files containing names, addresses, Social Security numbers, dates of birth, account numbers, and financial records belonging to customers of Marquis's financial institution clients.

Marquis Software Solutions provides marketing and communications software to banks, credit unions, and other financial institutions. The company is the same entity at the center of the Akira ransomware attack that compromised data for 824,000+ individuals across more than 80 financial institutions, disclosed through the Maine Attorney General on January 28, 2026. The California filing appears to represent the same underlying incident, filed separately and earlier under California's breach notification statute.

The disconnect between the August 2025 California disclosure and the January 2026 Maine disclosure -- and the dramatically different levels of detail in each -- raises questions about how the investigation unfolded, when Marquis understood the full scope of the compromise, and why the two filings paint such different pictures of the same event.

What the California Filing Shows

The California AG filing is sparse. It identifies the company as "Marquis Software Solutions (on behalf of business customer data owners)" and classifies the incident as unauthorized access by a third party. The notification letter references August 14, 2025, as the date suspicious activity was identified. The letter uses a templated data elements field -- "<<Breached Elements>>" -- indicating that the specific categories of exposed data vary by individual.

The number of affected California residents is not disclosed. The filing does not name a threat actor, malware family, or specific attack vector beyond "hacking." It does not reference ransomware, the Akira gang, or the SonicWall vulnerability that later reporting tied to the larger incident.

What the California filing does establish is a critical timeline anchor. By August 14, 2025, Marquis knew something was wrong. The company had identified suspicious activity, engaged investigators, and determined that files containing personal information may have been accessed. The investigation continued. On October 27, 2025, according to the notification letter, the forensic review determined that personally identifiable information was present in files that had been copied from Marquis's systems.

That October 27 determination -- that PII was in the copied files -- is the inflection point. Under most state breach notification laws, the clock starts running when the organization determines that a breach of personal information has occurred, not when suspicious activity is first detected. The California filing indicates Marquis moved to notification after that determination.

Connecting the California and Maine Filings

The relationship between these two filings is the most consequential aspect of this breach. Here is what we know from each.

California filing (August 14, 2025):

  • Suspicious activity identified August 14, 2025
  • Investigation determined PII in copied files October 27, 2025
  • Filed on behalf of business customer data owners
  • No record count disclosed
  • No threat actor named
  • Credit monitoring through Epiq Privacy Solutions ID

Maine filing (January 28, 2026):

  • 824,000+ individuals affected
  • Attack attributed to Akira ransomware gang
  • SonicWall vulnerability exploited
  • 80+ financial institutions impacted
  • SSNs, account numbers, names, DOBs, addresses exposed

The Maine filing is the more comprehensive disclosure. It names Akira, identifies the attack vector, and provides the full scope -- numbers that make this one of the largest third-party breaches affecting the financial sector in recent memory. The California filing, by contrast, reads like an early-stage notification issued before the full picture emerged.

This pattern is not uncommon. Companies often file initial notifications with limited information, then update or expand disclosures as forensic investigations progress. The California filing may reflect what Marquis knew in late 2025: that files were accessed, that PII was involved, but that the full extent -- 824,000 individuals, 80+ institutions, Akira ransomware -- had not yet been determined.

The alternative reading is less charitable. If Marquis understood the scope of the breach by October 2025, the five-month gap before the Maine disclosure in January 2026 becomes harder to justify. Financial institution clients that learned about the breach from the Maine AG filing in late January may not have known their customer data was compromised for months -- months during which affected consumers had no opportunity to place fraud alerts, freeze credit, or monitor for identity theft.

The Vendor Risk Problem -- Again

Marquis Software Solutions is a marketing and communications vendor for financial institutions. It handles customer data -- names, SSNs, account numbers, addresses -- to power direct mail campaigns, personalized marketing, and compliance communications on behalf of banks and credit unions. This means Marquis holds the same sensitive data that banks protect with SOC examinations, penetration testing, and multi-million-dollar security budgets. But Marquis is not subject to the same direct regulatory oversight as its bank clients.

This is the structural gap that vendor breaches exploit, whether intentionally or not. The Corban OneSource breach exposed 1,593 SSNs through a payroll vendor. The Continental Casualty (CNA) breach exposed 5,875 records through document processing vendor Conduent. The Inotiv breach exposed 9,542 records through a life sciences vendor. Each case follows the same logic: a vendor aggregates sensitive data from multiple clients, secures it to a standard below what those clients would maintain internally, and becomes a single point of failure.

Marquis is distinguished from these other vendor breaches by scale. At 824,000+ affected individuals, it dwarfs the other incidents. The concentration of financial institution clients -- over 80 banks and credit unions -- means this single vendor compromise touched a significant portion of the community banking sector.

FinSecLedger's breach tracker shows vendor-originated incidents accounting for a growing share of financial sector breaches. The Marquis case is the most consequential example, but it sits within a clear trend.

Regulatory Exposure

Financial institution vendors that handle consumer data fall under several overlapping regulatory frameworks, even if they are not directly supervised by banking regulators.

The OCC's third-party risk management guidance (Bulletin 2023-17) requires banks to perform due diligence on vendors, monitor their security practices, and ensure contractual protections including breach notification requirements. The FDIC and Federal Reserve have issued analogous guidance through the Interagency Guidance on Third-Party Relationships. These frameworks place the compliance burden on the financial institutions, not the vendor -- but the practical result is that banks and credit unions using Marquis will face examiner questions about their vendor oversight.

For Marquis itself, the California Attorney General has enforcement authority under the state's breach notification law (Cal. Civ. Code 1798.82). California requires notification "in the most expedient time possible and without unreasonable delay." The August 2025 filing date, roughly two months after the October determination, falls within a defensible window. But if California regulators determine that Marquis had reason to believe the breach was larger than initially disclosed -- and delayed broader notification -- the calculus changes.

At the state level, the National Association of Insurance Commissioners (NAIC) and the Conference of State Bank Supervisors (CSBS) have both flagged third-party vendor risk as a supervisory priority. A breach of this magnitude will generate multi-state regulatory attention.

The Akira connection adds a federal dimension. The FBI and CISA joint advisory on Akira ransomware noted the group has collected over $42 million in ransom payments as of early 2024, targeting organizations across North America, Europe, and Australia. Whether Marquis paid a ransom, and whether that payment influenced the notification timeline, remains undisclosed.

What This Means for Affected Financial Institutions

Banks and credit unions that use Marquis Software Solutions should treat both the California and Maine filings as part of a single incident. The California filing's earlier timeline means the compromise window extends back to at least August 2025 -- and potentially earlier, depending on how long the attacker had access before detection.

Key questions for affected institutions:

  1. When were you notified by Marquis? If your institution learned about the breach from public filings rather than directly from Marquis, that is a vendor management failure worth documenting for your board and examiners.

  2. What data did Marquis hold for your customers? Marketing vendors often receive full customer files -- names, addresses, account numbers, SSNs -- when a more limited dataset would suffice. Data minimization is the most effective breach damage control, and it happens before the breach occurs, not after.

  3. What are your contractual notification requirements? If your vendor agreement with Marquis specified 24- or 72-hour breach notification, and you were not notified within that window, you have a contractual claim in addition to whatever regulatory obligations apply.

  4. Have you notified your regulator? Banks and credit unions have their own obligation to report cybersecurity events that materially affect customer data. A vendor breach of this scale likely triggers that obligation, regardless of whether the breach occurred inside your own systems.

Remediation for Affected Individuals

The California filing indicates that Marquis is offering credit monitoring through Epiq Privacy Solutions ID. The service includes three-bureau monitoring, dark web surveillance, SSN monitoring, and identity theft insurance up to $1 million. Affected individuals should enroll immediately, regardless of which state filing brought the breach to their attention.

Given the data categories involved -- SSNs, dates of birth, account numbers, financial records -- affected individuals should also:

  • Place a credit freeze at Equifax, Experian, and TransUnion. This is free under federal law and prevents new accounts from being opened without your explicit authorization.
  • Request an IRS Identity Protection PIN to prevent tax refund fraud using your SSN.
  • Monitor bank and financial account statements for unauthorized transactions, particularly at the financial institution whose marketing vendor was Marquis.
  • File a complaint with the FTC at identitytheft.gov if you discover any misuse of your personal information.

The Broader Lesson

The Marquis Software Solutions breach -- whether viewed through the California filing, the Maine filing, or both -- is the clearest illustration of why third-party risk management cannot be treated as a compliance exercise. A single vendor with access to customer data from 80+ financial institutions was compromised, and the resulting breach affected nearly a million people.

The California filing adds a temporal dimension that the Maine filing alone did not provide. The breach was identified in August 2025. Consumers were not widely notified until January 2026. That gap represents months of unmonitored exposure for hundreds of thousands of individuals whose SSNs, account numbers, and financial records were in the hands of an attacker.

For financial institutions, the action item is straightforward but difficult to implement: treat your vendors' security as an extension of your own. Contractual requirements, regular assessments, data minimization, and incident notification SLAs measured in hours -- not months -- are the minimum standard. The Marquis breach demonstrates what happens when that standard is not met.

Tags:breachvendorhackingcaliforniafinancial-institutions

Related Analysis

Marquis Software Solutions (on behalf of business customer data owners) Data Breach Analysis
7 min read
Main Electric Supply Breach Exposes SSNs and Credit Card Data
11 min read
GMS Breach Exposes Credit Cards, SSNs, and Financial Records
11 min read
SSA Holdings Breach: Hackers Copied Files Containing Financial and Medical Data
7 min read