Marquis Software Solutions has filed a lawsuit against SonicWall, alleging gross negligence after a cloud backup vulnerability led to a ransomware attack affecting 74 U.S. banks.
Marquis sues SonicWall over backup breach that led to ransomware attack

Marquis Software Solutions has filed a lawsuit against SonicWall, accusing the cybersecurity company of gross negligence and misrepresentation that allegedly led to a ransomware attack disrupting operations at 74 U.S. banks.
On August 14, 2025, hackers breached Marquis's network in a ransomware attack after compromising a SonicWall firewall. The attacker stole files containing personal information received from business partners. The details included names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, and financial account information.
Marquis provides data analytics, CRM tools, compliance reporting, and digital marketing services, with a clientele that includes more than 700 banks, credit unions, and mortgage lenders.
In January 2026, Marquis officially accused SonicWall of security failures after determining that the hackers had not exploited an unpatched flaw in its firewall, as previously assumed. Instead, it was discovered that the attacker leveraged configuration data extracted from the vendor's cloud backup infrastructure.
The cause of the breach was a security gap that SonicWall introduced in its MySonicWall cloud backup service via an API code change in February 2025. The vulnerability allowed unauthorized access to firewall configuration backup files stored in SonicWall's cloud, which contain AES-256 encrypted credentials, configuration data, and MFA scratch codes.
The cybersecurity vendor disclosed the incident only three weeks later and initially estimated it impacted 5% of its customer base, but later confirmed that all clients were impacted. An investigation from incident response company Mandiant revealed that the attack was carried out by state-sponsored hackers.
Marquis states that at the time of the attack, its SonicWall firewall was up to date, multi-factor authentication (MFA) was enabled, and additional security controls were in place, but the threat actor compromised it using information exposed in the SonicWall cloud backup breach.
When contacted directly by Marquis about the MFA bypass, SonicWall allegedly withheld critical information and ignored the request.
"As a result of SonicWall's conduct, Marquis has suffered, and continues to suffer, damages; a loss of customers; harm to its business reputation; lost business opportunities, revenue and profit; and substantial diminution in its enterprise value," Marquis notes in the complaint.
Marquis notes that it is now defending more than 36 consumer class action lawsuits stemming from the ransomware attack it suffered. For this, Marquis now seeks monetary damages, indemnification, contribution for any judgments in the related class actions, attorneys' fees, and equitable relief.
The Cloud Backup Vulnerability That Started It All
The February 2025 API change that introduced the vulnerability represents a critical failure in secure software development practices. Cloud backup services are designed to provide redundancy and disaster recovery capabilities, but when improperly secured, they can become a single point of failure that compromises entire security architectures.
The MySonicWall service stored firewall configuration files containing encrypted credentials and MFA scratch codes. While the data was encrypted at rest, the API vulnerability allowed attackers to access these files without proper authentication. This demonstrates how encryption alone cannot protect against API-level attacks when access controls are insufficient.
What makes this particularly concerning is that the vulnerability affected all SonicWall customers, not just a subset. The initial 5% estimate suggests SonicWall may have been uncertain about the scope of the breach, which is problematic for incident response and customer notification.
The Attack Chain and MFA Bypass
The attack demonstrates a sophisticated understanding of how organizations use SonicWall products. By accessing the cloud backup files, attackers obtained:
- Firewall configuration data
- Encrypted credentials (which could potentially be decrypted with sufficient resources)
- MFA scratch codes (one-time-use codes for authentication)
With this information, attackers could bypass the multi-factor authentication that Marquis had properly implemented. This highlights a critical security principle: backup systems must be secured with the same rigor as primary systems, as they often contain the keys to the kingdom.
Legal and Financial Implications
The lawsuit raises important questions about vendor liability in cybersecurity incidents. Marquis is alleging gross negligence, which requires showing that SonicWall acted with conscious disregard for the safety of others. This is a higher standard than simple negligence and suggests Marquis believes SonicWall was aware of risks but failed to address them adequately.
Beyond the direct lawsuit, Marquis faces over 36 consumer class action lawsuits. This creates a cascading liability scenario where a single vendor's security failure triggers multiple layers of litigation. The financial exposure could be substantial, especially given the sensitive nature of the compromised data (Social Security numbers, financial account information).
Industry-Wide Lessons
This incident provides several critical lessons for organizations using cybersecurity products:
1. Cloud backup security is paramount: Backup systems often contain configuration data and credentials that can be used to compromise primary systems. They must be treated as high-value targets.
2. Vendor transparency matters: Marquis alleges that SonicWall withheld information when directly questioned. Prompt, transparent communication during security incidents is essential for customer trust and effective incident response.
3. Defense in depth requires securing all layers: Even with MFA enabled and firewalls up to date, a vulnerability in a supporting service can compromise the entire security posture.
4. Supply chain attacks are evolving: This wasn't a direct attack on Marquis's infrastructure but rather exploitation of a vulnerability in a service provided by their security vendor. Supply chain security is increasingly critical.
The State of Cybersecurity Vendor Liability
This lawsuit could set important precedents for how courts view cybersecurity vendor responsibilities. If successful, it might encourage more organizations to pursue legal action against vendors whose products are compromised, potentially changing how cybersecurity companies approach risk management and customer communication.
The case also highlights the challenges of securing complex, interconnected systems. As organizations rely more heavily on cloud services and third-party infrastructure, the attack surface expands beyond what any single entity can control.
For now, the outcome of this litigation will be closely watched by both cybersecurity vendors and their customers, as it could significantly impact how security products are developed, maintained, and supported in the future.
