Credit: VeraBank
Two U.S. banks have recently notified customers about their exposure to a ransomware attack that impacted a widely used financial software company in August.
Artisans’ Bank and VeraBank, both U.S.-based, recently informed Maine regulators that data breaches affecting their customers originated from a cyberattack on Marquis Software. This software company had previously reported a ransomware incident around August 14, which impacted dozens of its corporate clients and thousands of their customers.
VeraBank clarified to affected customers that Marquis Software functioned as its “customer communication and data analysis vendor.” The Texas-based bank indicated that Marquis Software had access to customer data for communication and analysis purposes, with contractual agreements in place to ensure data security.
A total of 37,318 individuals had their information compromised, although the specific types of data stolen were not detailed in the letters.
Artisans’ Bank, located in Delaware, stated it was informed of the incident by Marquis Software in October. The cyberattack resulted in the exposure of names and Social Security numbers for 32,344 people.
Both financial institutions confirmed that their internal systems were not compromised, with the stolen data residing solely within Marquis Software’s systems.
VeraBank and Artisans’ Bank represent recent additions to the list of financial institutions affected by the Marquis Software breach. Marquis Software supplies data analytics, compliance, and digital marketing services to numerous credit unions and banks throughout the U.S.
Marquis Software’s own notifications about the incident stated that federal law enforcement was alerted after the attack was discovered in August. The investigation identified a vulnerability in its SonicWall firewall device as the point of entry. The compromised personal data included names, addresses, phone numbers, Social Security numbers, taxpayer identification numbers, financial account information (excluding security or access codes), and dates of birth.
From October 27 to November 25, Marquis Software issued notifications to at least 74 banks, credit unions, and other financial entities concerning their involvement in the data breach. The company submitted its own notices to regulators in states such as Maine, South Carolina, Washington, and Iowa, and also provided breach notifications on behalf of several other institutions.
Marquis Software did not respond to requests for comment regarding any increase in affected financial institutions or the overall victim count.
Compiling victim data from multiple state breach registries, law firms and cybersecurity researchers suggest the total number of affected individuals likely ranges from 788,000 to 1.35 million.
Comparitech, a cybersecurity firm, acquired a breach notification letter, since removed, from Iowa’s Community 1st Credit Union. This letter reportedly claimed that Marquis Software paid a ransom to the group responsible for the attack.
Marquis Software did not comment on the alleged ransom payment. No ransomware group has publicly taken credit for the incident.
