Bank software vendor Marquis says more than 670,000 impacted by August breach

The cyberattack on bank vendor Marquis Software exposed the information of 672,075 people, according to regulatory filings. 

The company, which provides software that allows financial institutions to communicate with customers, previously warned in November that at least 74 banks, credit unions and financial institutions were impacted by a data breach that occurred in August. At the time, the company did not say how many people were affected.

In letters to victims, the company said it discovered the breach on August 14 and notified law enforcement before hiring cybersecurity experts to assist with the recovery. The investigation revealed that the hackers copied files from Marquis Software’s systems.

The information leaked includes names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, dates of birth and financial account information.

The company previously filed notices with regulators in Maine, South Carolina, Washington, Iowa and other states but did not reveal the full number of people impacted. Marquis Software also provided breach notifications on behalf of several financial institutions.

A source working at an affected company, who spoke on condition of anonymity, said Marquis Software provides customer relationship tools where bank employees can keep track of what kind of accounts a person has so they can market other financial products to them. 

Banks typically enter Social Security numbers, account numbers, home addresses, account balances and more into the Marquis Software platform. They also track which bank employees have spoken to a customer, what they discussed and when potential follow-ups will take place. 

The source noted that while the bank they work for was impacted by the Marquis Software breach and sent out its own breach notifications, it was not included in the list of 74 affected financial institutions released last year. 

By compiling victim counts from multiple state breach registries, several law firms and cybersecurity researchers estimated that the number of victims is likely between 788,000 and 1.35 million.

Multiple banks have stressed in their own statements that the hackers behind the attack never breached their own systems and only stole information “maintained by Marquis Software.”

Cybersecurity firm Comparitech also obtained a since-deleted breach notification letter from Iowa-based Community 1st Credit Union that claimed Marquis Software paid a ransom to the group behind the attack. 

The company did not respond to requests for comment about payment or financial institutions that may have been affected but were not among the 74 listed. No ransomware gang ever took credit publicly for the attack.