A ransomware attack affecting data of 672,000 individuals has escalated into federal court, with Marquis Software Solutions now suing SonicWall for alleged negligence and gross negligence. The Plano, Texas-based fintech provider filed the lawsuit on February 23, 2026, in U.S. District Court for the Eastern District of Texas, seeking damages and a jury trial. The case exposes a critical vulnerability chain: SonicWall’s compromised cloud backup service handed attackers the keys to infiltrate Marquis’ firewall, which then exposed sensitive customer information from over 700 banks, credit unions, and mortgage lenders.
Key Takeaways
- SonicWall’s MySonicWall backup service exposed firewall credentials after an API vulnerability introduced in February 2025.
- The Marquis ransomware attack on August 14, 2025, compromised names, Social Security numbers, and bank account details of 672,000 individuals.
- Marquis CEO Satin Mirchandani claims SonicWall failed to secure backups and withheld critical breach information.
- Mandiant investigation linked the SonicWall breach to state-sponsored hackers, raising nation-state involvement concerns.
- Marquis faces 36+ class action lawsuits, lost clients, and significant reputational harm as a result of the incident.
How SonicWall’s Vulnerability Enabled the Ransomware Attack Affecting Marquis
The ransomware attack affecting Marquis customers began not at Marquis itself, but at SonicWall’s cloud infrastructure. In February 2025, SonicWall introduced an API code change in its MySonicWall backup service that created a critical vulnerability. Attackers could retrieve firewall configuration backups by supplying predictable serial numbers, with no authentication required. The exposed files contained AES-256 encrypted credentials, VPN configurations, firewall rules, unencrypted MFA scratch codes, and other sensitive setup data. SonicWall detected this breach in September 2025 but initially claimed it affected less than 5% of customers, a figure later revealed to be false after a Mandiant investigation confirmed all MySonicWall users were impacted.
Armed with stolen SonicWall credentials and configuration data, attackers pivoted to Marquis on August 14, 2025, bypassing the company’s security controls. Despite having an up-to-date SonicWall firewall, enabled multi-factor authentication, and additional security measures in place, Marquis could not defend against an attack using legitimate stolen credentials from the vendor itself. The breach remained undetected until Marquis reviewed exposed files on December 10, 2025, and began notifying affected individuals in December 2025—four months after the initial compromise.
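To make the flaw described above concrete, the following added example (not SonicWall’s code and not part of the original article) contrasts a backup lookup keyed only on a serial number with one that authenticates the caller and checks device ownership. The function names, serial format, and account and session tables are hypothetical and the data is constructed.

```python
import hmac
import secrets

# Constructed sample data: serial -> (owning account, backup blob). Not real values.
BACKUPS = {
    "SN-000101": ("acct-alpha", b"<config backup for alpha>"),
    "SN-000102": ("acct-bravo", b"<config backup for bravo>"),
}
# Constructed session table: opaque bearer token -> account (hypothetical).
SESSIONS = {secrets.token_urlsafe(32): "acct-alpha"}


def get_backup_vulnerable(serial):
    """Flawed pattern: knowing the serial number is the only requirement."""
    entry = BACKUPS.get(serial)
    return (200, entry[1]) if entry else (404, b"")


def _account_for(token):
    """Map a bearer token to an account using constant-time comparison."""
    if not isinstance(token, str):
        return None
    for known, account in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return account
    return None


def get_backup_hardened(serial, token):
    """Authenticate first, then require that the caller owns the device."""
    account = _account_for(token)
    if account is None:
        return (401, b"")
    entry = BACKUPS.get(serial)
    # Identical 404 for "unknown serial" and "not your device", so responses
    # cannot be used to confirm which serial numbers exist.
    if entry is None or entry[0] != account:
        return (404, b"")
    return (200, entry[1])
```

The hardened path also shows why serial numbers should be treated as identifiers, not secrets: access is decided by the authenticated account, so a guessable serial reveals nothing.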
What Data Was Stolen in the Ransomware Attack Affecting 672,000 Victims
The scope of the ransomware attack affecting individuals is staggering. The stolen dataset includes names, dates of birth, postal addresses, Social Security numbers, bank account numbers, debit and credit card numbers, phone numbers, Taxpayer Identification Numbers, and financial information. These records belong to customers of over 700 financial institutions—banks, credit unions, and mortgage lenders—making this one of the most damaging supply-chain compromises in fintech history. A single vendor vulnerability cascaded across an entire ecosystem of financial services providers, exposing millions of individuals to identity theft and fraud.
Marquis’ Legal Case Against SonicWall: Allegations and Damages
Marquis’ lawsuit against SonicWall alleges negligence, gross negligence, unjust enrichment, misrepresentation, contribution, and indemnity. The company claims SonicWall failed to secure its backup service adequately and withheld critical information about the MFA bypass capabilities after the breach was discovered. According to Marquis’ complaint, the company has suffered significant damages: loss of customers, harm to business reputation, lost business opportunities and revenue, diminished enterprise value, remediation costs, credit monitoring expenses, and at least 36 class action lawsuits filed by affected individuals. Additionally, Marquis lost sponsorships from a trade group and faces a separate trade secrets lawsuit, compounding the operational and financial fallout.
Marquis CEO Satin Mirchandani stated: “SonicWall allegedly failed to secure its backup service, which caused the company to suffer significant reputational, operational, and financial harm.” The complaint further alleges that Marquis, despite maintaining robust security practices at the time of the attack, could not overcome a vendor-level compromise that was not its responsibility to prevent or detect.
SonicWall’s Broader Security Issues and State-Sponsored Links
The SonicWall incident is not isolated. The company also faces CVE-2024-53704, an SSL VPN vulnerability that allows attackers to leak swap cookie and session ID information, enabling session hijacking and unauthorized access without credentials. These compounding vulnerabilities suggest systemic security gaps at a vendor trusted by thousands of enterprises. Most alarmingly, Mandiant’s investigation linked the SonicWall breach to state-sponsored hackers, raising questions about whether this was an opportunistic supply-chain attack or a targeted intelligence operation. If state-sponsored actors gained access to firewall configurations and credentials from thousands of organizations, the national security implications extend far beyond Marquis.
Why Vendor Security Failures Hit Harder Than Direct Breaches
This case illustrates a painful reality in modern cybersecurity: you are only as secure as your least-secure vendor. Marquis did everything right—up-to-date patches, MFA enabled, additional controls deployed. None of it mattered because the attack originated from a vendor’s cloud service, not from Marquis’ own infrastructure. Financial services firms, healthcare providers, and government agencies all rely on third-party vendors for critical functions like firewall management and backup. When those vendors fail, the blast radius encompasses thousands of downstream organizations and millions of individuals. Traditional cyber insurance and incident response playbooks assume a direct compromise; they do not account for the asymmetric risk of vendor-level vulnerabilities affecting entire industries simultaneously.
What Happens Next: Litigation and Industry Fallout
The lawsuit filed February 23, 2026, will likely become a test case for vendor liability in cybersecurity. If Marquis prevails, it could establish precedent holding vendors financially responsible for security failures in cloud backup and configuration management services, a shift that would reshape vendor contracts across the industry. SonicWall faces not only this lawsuit but also reputational damage among enterprise customers who now question whether the company can be trusted with sensitive firewall data. The 36+ class action lawsuits against Marquis, though not the company’s direct responsibility, will drain resources and distract from business recovery.
For the 672,000 individuals whose data was stolen, the real-world consequences are ongoing. Identity theft, fraudulent credit applications, and unauthorized financial transactions will likely persist for years. Credit monitoring services, while helpful, are a band-aid on a much larger wound. The ransomware attack affecting this population represents a catastrophic failure across multiple layers of the financial services supply chain—from SonicWall’s cloud infrastructure to Marquis’ incident response to the broader regulatory environment that has struggled to enforce accountability for vendor security failures.
Could Marquis have prevented this ransomware attack affecting its customers?
No. Marquis had current security controls, MFA enabled, and a properly maintained firewall at the time of the attack. The compromise originated from SonicWall’s cloud backup service, which Marquis could not monitor or control directly. The attack demonstrates that no amount of internal security hardening can defend against a vendor-level breach of this magnitude.
What should other companies learn from this ransomware attack affecting the fintech sector?
Organizations must audit their vendors’ security practices, demand transparency about cloud backup encryption and access controls, and establish contractual liability clauses that hold vendors accountable for breaches. Additionally, companies should assume vendors will be compromised and design security architectures that do not rely entirely on vendor-provided configurations—such as storing critical credentials in separate, air-gapped systems.
Is SonicWall still safe to use after this ransomware attack affecting 672,000 people?
SonicWall has patched the MySonicWall vulnerability and the SSL VPN flaw, but the company’s credibility has been severely damaged. Organizations should conduct a full security audit of any SonicWall deployments, verify that backups are not stored in MySonicWall, and consider whether a vendor that exposed all its customers’ firewall configurations can be trusted going forward.
The Marquis lawsuit against SonicWall marks a watershed moment in vendor accountability. For years, vendors have faced minimal legal consequences for security failures, with the burden falling on downstream companies and individuals. If this case succeeds, it could finally establish that vendors—not their customers—bear responsibility for the security of critical infrastructure they control. Until then, the 672,000 people affected by this ransomware attack remain collateral damage in a supply-chain security crisis that the industry has long ignored.
Edited by the All Things Geek team.
Source: TechRadar


