Fintech company Marquis is alerting dozens of U.S. banks and credit unions that customer data was stolen during a cyberattack earlier this year. The incident, which happened on August 14, was confirmed this week after the company filed data breach reports in several states.
Marquis, based in Texas, provides marketing and compliance tools that help financial institutions organize and analyze customer information. Because it works with more than 700 banks and credit unions, it holds large amounts of sensitive consumer data.
So far, at least 400,000 people have been confirmed affected, according to state filings reviewed by TechCrunch. Texas has reported the highest number, with at least 354,000 residents impacted. Many of the affected customers belong to Maine State Credit Union, making up about one in nine of the known cases in that state. Officials say the total number is likely to rise as more states file their own disclosures.
The stolen data includes names, dates of birth, mailing addresses, and financial details such as bank account numbers, debit card numbers, and credit card numbers. Hackers also accessed customers’ Social Security numbers, which puts victims at higher risk of identity theft.
Marquis says the attackers exploited a previously unknown flaw, a zero-day vulnerability in the company’s SonicWall firewall. At the time of the breach, the Akira ransomware group was reportedly targeting similar SonicWall weaknesses, though Marquis has not linked the attack to any specific group.
Marquis has not said whether it has received a ransom demand or how many people are ultimately affected.