When Your Security Provider Gets Hacked, So Do You

When you hire a security company to protect your business, the last thing you expect is for that company to become your biggest vulnerability. Yet that's exactly what happened to fintech firm Marquis, which is now seeking compensation from its firewall provider after claiming the vendor's own breach led to a ransomware attack that exposed hundreds of thousands of customers' personal and financial data.

The Domino Effect of Security Failures

In August 2025, Texas-based Marquis fell victim to a ransomware attack that compromised sensitive information belonging to consumer banking customers across the U.S., including personal details, financial data, and Social Security numbers. But according to a memo shared with customers this week, Marquis believes the attack wasn't due to their own security lapses—it was because their firewall provider SonicWall had been breached earlier.

The chain of events reads like a cybersecurity nightmare: hackers first infiltrated SonicWall's systems, gaining access to critical security information about the company's customers' firewalls. Armed with these credentials and configuration details, the attackers then used this inside knowledge to circumvent Marquis' defenses and launch their ransomware assault.

Marquis had stored a backup of its firewall configuration file in SonicWall's cloud service—a common practice that suddenly became a liability when SonicWall's own security was compromised.

From "Less Than 5%" to "All Customers"

SonicWall's handling of the disclosure has been particularly concerning. The company initially reported in September 2025 that fewer than 5% of customers were affected by the breach. However, by October, SonicWall was forced to admit that firewall configuration data and credentials associated with *all* customers using the cloud backup service had been accessed—a significant escalation that affects far more organizations than initially disclosed.

This pattern of minimizing breach impact before revealing the full scope is becoming disturbingly common in the cybersecurity industry, leaving customers unable to properly assess their risk or take appropriate defensive measures.

The Blame Game Begins

Marquis isn't taking this lying down. The company is "evaluating its options" regarding its firewall provider, including pursuing "recoupment of any expenses spent by Marquis and its customers in responding to the data incident." It's a bold move that could set precedent for how vendors are held accountable when their security failures cascade to customers.

SonicWall, for its part, is pushing back. Company spokesperson Bret Fitzgerald said SonicWall has asked Marquis for evidence to substantiate its claims and maintains there's "no new evidence to establish a connection between the SonicWall security incident and ongoing global ransomware attacks."

Marquis conducted a third-party investigation that ruled out other potential causes, including an unpatched vulnerability that existed at the time of the breach. The investigation concluded that the patch-related flaw wasn't exploitable in a way that could have allowed the data access.

The Vendor Liability Question

This case highlights a critical question facing businesses today: when you outsource security to a specialist provider, who's ultimately responsible when things go wrong? Marquis serves hundreds of banks and credit unions, giving it access to massive amounts of sensitive consumer data. The company trusted SonicWall to help protect this information, but that trust may have created an even bigger target.

The financial implications are staggering. Beyond the immediate costs of incident response, legal fees, and regulatory compliance, there are potential lawsuits from affected customers, regulatory fines, and long-term reputational damage. If Marquis succeeds in its compensation claim, it could establish important precedent for vendor liability in the cybersecurity space.

The number of individuals affected by the Marquis breach continues to rise as new notifications are filed with state attorneys general.