Breach Analysis

Marquis Software Solutions (on behalf of business customer data owners) Data Breach Analysis

Analysis of the Marquis Software Solutions (on behalf of business customer data owners) data breach disclosed 2025-08-14

By FinSecLedger
Records: Unknown
Vector: third party
Status: confirmed
Occurred: Aug 14, 2025
Discovered: Aug 14, 2025
Disclosed: Aug 14, 2025
Exposed: Names, Addresses, SSN, DOB, Account #s, Financial Records

Third-Party Vendor Breach at Marquis Software Solutions Exposes Financial Institution Customer Data

A cybersecurity incident at Marquis Software Solutions, a digital and physical marketing communications vendor serving financial institutions, has potentially compromised personal and financial information belonging to customers of multiple banks and credit unions. The breach, discovered in August 2025, highlights the persistent vulnerabilities in the financial sector's extended supply chain.

What Happened

On August 14, 2025, Marquis Software Solutions detected suspicious activity on its network that was later confirmed to be the result of a cyberattack. The Georgia-based company, which provides marketing and communications services to financial institutions, immediately launched an investigation with the assistance of external cybersecurity experts and notified law enforcement.

The investigation revealed that an unauthorized third party successfully accessed Marquis's network and may have exfiltrated certain files from the company's systems. Critically, Marquis emphasized that the breach was contained within its own environment—the internal systems of the financial institutions it serves were not directly compromised.

Timeline of Events

  • August 14, 2025: Suspicious network activity detected; incident confirmed as a cyberattack
  • August 14, 2025 onward: Investigation launched with cybersecurity experts; law enforcement notified
  • October 27, 2025: File review completed; determination made regarding which personal information was involved
  • Late 2025/Early 2026: Notification letters sent to affected individuals

The 74-day gap between incident discovery and the completion of the data review underscores the complexity involved in analyzing potentially compromised files—a timeline that, while significant, is not unusual for incidents of this nature.

Data Exposure Assessment

The notification letter indicates that the specific data elements exposed vary by individual, with a placeholder for "Breached Elements" suggesting that affected parties received customized notifications detailing their particular exposure. Based on Marquis's role as a marketing and communications vendor, the compromised data likely includes:

  • Full names and mailing addresses
  • Account-related information used for marketing communications
  • Potentially sensitive financial identifiers depending on the nature of the communications Marquis handled

The company states it has found no evidence of misuse or attempted misuse of the compromised information, though this assessment comes with the standard caveat that such misuse may not be immediately detectable.

The Third-Party Risk Problem

This incident exemplifies the challenge that financial institutions face in managing vendor risk. Financial services companies routinely share customer data with dozens or even hundreds of third-party vendors to support everything from statement printing to marketing campaigns. Each of these relationships creates potential exposure that exists outside the direct control of the financial institution.

Marquis Software Solutions operates in a particularly data-rich niche. Marketing vendors typically need access to customer names, addresses, account types, and sometimes transaction patterns to create targeted communications. This makes them attractive targets for threat actors seeking financial sector data without having to breach a bank directly.

The attack vector—categorized as a third-party compromise—suggests the attackers may have exploited a vulnerability in Marquis's systems, though the company has not disclosed specific technical details about how the unauthorized access occurred.

Impact on Financial Institutions and Their Customers

While Marquis has not disclosed the total number of affected individuals or the specific financial institutions impacted, the company's business model suggests the breach could affect customers across multiple banks, credit unions, and other financial services firms. This distributed impact creates several challenges:

For consumers: Individuals may receive notifications about breaches at companies they've never heard of, creating confusion about how their data came to be at risk. The connection between their financial institution and a marketing vendor may not be immediately apparent.

For financial institutions: Banks and credit unions must now manage reputational risk and customer communications for an incident they didn't directly cause and couldn't directly prevent. They may also face regulatory scrutiny regarding their vendor management practices.

For the broader ecosystem: Each third-party breach reinforces the need for the financial sector to rethink how customer data flows through the supply chain.

Regulatory Implications

Financial regulators have increasingly focused on third-party risk management in recent years. The Office of the Comptroller of the Currency (OCC), Federal Reserve, and FDIC jointly issued updated guidance on third-party relationships in 2023, emphasizing that banks cannot outsource their compliance obligations even when they outsource operations.

The Marquis breach may draw regulatory attention to several areas:

Vendor due diligence: Did the affected financial institutions adequately assess Marquis's security posture before sharing customer data? Were ongoing assessments conducted?

Data minimization: Did Marquis have access to more customer data than necessary for its marketing functions? Could the scope of the breach have been limited through better data governance?

Contractual protections: What security requirements were specified in contracts between financial institutions and Marquis? What notification timelines were mandated?

State attorneys general may also take interest, particularly given that breach notification letters are being filed across multiple states. The Maine AG filing that surfaced this breach is likely one of many.

Response and Remediation

Marquis is offering affected individuals complimentary credit monitoring through Epiq Privacy Solutions, with enrollment periods and coverage durations that vary by individual. The service includes single-bureau credit monitoring, dark web monitoring, credit freeze assistance, change of address monitoring, and identity restoration services.

The company has also established a dedicated response line for affected individuals and states that it has implemented additional security measures to prevent similar incidents in the future, though specific remediation steps have not been disclosed.

Lessons for the Industry

1. Vendor inventory matters: Financial institutions need comprehensive visibility into which vendors have access to customer data and what specific data elements they can access. Many organizations discover gaps in this visibility only after an incident occurs.

2. Fourth-party risk is real: Beyond direct vendors, financial institutions should understand who their vendors' vendors are. A marketing company might use subcontractors for printing, data processing, or analytics, further extending the data supply chain.

3. Assume breach notifications will multiply: When a vendor serving multiple financial institutions is compromised, the resulting customer communications can create significant operational burden. Institutions should have playbooks ready for responding to vendor breaches.

4. Data minimization limits blast radius: The less customer data shared with vendors, the less damage when those vendors are compromised. Financial institutions should critically evaluate whether marketing vendors truly need access to sensitive identifiers or whether campaigns can be executed with less granular data.

5. Contracts need teeth: Security requirements in vendor contracts should be specific, auditable, and enforceable. Vague language about "reasonable security measures" provides limited protection when incidents occur.

Looking Ahead

The Marquis Software Solutions breach is unlikely to be the last third-party incident affecting the financial sector. As banks and credit unions continue to rely on external vendors for an expanding array of services, the attack surface continues to grow.

Regulators are watching. The 2023 interagency guidance on third-party relationships signaled that expectations are rising. Financial institutions that can demonstrate robust vendor management programs—including ongoing monitoring, appropriate data controls, and effective incident response coordination—will be better positioned both to prevent incidents and to respond effectively when they occur.

For consumers, the notification letters arriving in mailboxes serve as a reminder that their financial data travels farther than they might expect. The relationship between a customer and their bank extends through a complex web of service providers, each representing both operational capability and potential risk.

Tags: breach, vendor, third_party