One Vendor Got Hacked and 80 Banks Lost Your Data

By Cybersol·April 10, 2026·7 min read

Vendor Compromise at Scale: How a Single SaaS Breach Cascaded Across 80 Banks and Exposed Systemic Third-Party Risk Governance Failures

Why This Matters at Board and Regulatory Level

The August 2025 Marquis Software Solutions ransomware incident is not a story about a single vendor failure. It is a structural indictment of how financial institutions govern third-party cyber risk at scale. When a vulnerability in one security vendor's product (SonicWall) enables the compromise of a fintech platform (Marquis), which in turn exposes 780,000+ customer records held for 80+ banks, the failure cascades across an entire ecosystem. The incident reveals gaps in vendor due diligence, contractual liability allocation, incident notification timelines, and supply chain risk governance that regulators under NIS2 and DORA will scrutinize for years. For boards and CISOs, this case demonstrates why vendor risk cannot remain a procurement function: it is a governance and liability issue.

The Anatomy of Cascading Third-Party Risk

The breach mechanics illustrate a three-layer compromise chain. A SonicWall API vulnerability dating from February 2025 allowed unauthenticated access to firewall configuration backups. Marquis, which trusted the product's security posture, did not detect the compromise until August, a window of roughly six months. By then, attackers had copied complete financial identity datasets: Social Security numbers, bank account numbers, debit and credit card numbers, and taxpayer identification numbers. Unlike a password, none of this can be rotated after a breach; once copied, it enables account takeover, fraudulent loans, and tax refund fraud for years. What makes this cascade particularly damaging is that Marquis itself became a pivot point. The platform held sensitive customer data on behalf of over 700 financial institutions, yet only 80+ institutions have been publicly identified as affected. The actual exposure footprint remains unclear, which is a governance failure in itself.

Contractual and Notification Gaps Expose Institutional Liability

The incident reveals three contractual weaknesses that most financial institutions overlook. First, vendor contracts rarely include explicit security baselines tied to the level of data access and the scope of exposure. Banks were entering customer information directly into Marquis's platform for CRM workflows and compliance reporting, yet many institutions could not immediately identify what data Marquis held on their behalf. This suggests contracts lacked data inventory requirements and audit rights. Second, incident notification clauses are typically vague on timing and scope. Some affected banks learned of the breach through public disclosure rather than direct vendor notification, precisely the gap that NIS2's supply chain risk management requirements and DORA's third-party risk provisions are designed to close. Third, liability caps are often misaligned with actual exposure. A vendor holding customer data for 80 institutions cannot reasonably be capped at subscription fees or standard indemnification limits. The Marquis incident will likely generate litigation across multiple jurisdictions, with banks alleging inadequate security, delayed notification, and failure to maintain reasonable safeguards. Regulators will examine whether the contracting institutions conducted adequate due diligence and whether their contracts required security audits, verification of patch management, and real-time threat visibility.

Why Annual Vendor Questionnaires Are Insufficient

The financial industry's standard approach to vendor risk management, the annual compliance questionnaire, was designed for a different threat landscape. As cybersecurity firm SBS noted in its analysis, questionnaires do not confirm whether firewalls are patched, VPN accounts are secured, or unused credentials have been removed. The Marquis breach occurred because a known vulnerability in SonicWall's firewall was exploited; this is not a configuration error or a policy violation but a failure to patch a critical security product. An annual questionnaire cannot detect this: even a truthful answer describes the vendor's state on the day it was signed, not on the day the exploit landed. Effective vendor risk governance requires continuous monitoring of third-party infrastructure dependencies, patch management timelines, and incident response capabilities. In contractual terms, that means provisions for real-time security event notification, quarterly rather than annual security assessments, and explicit remediation timelines for critical vulnerabilities. Most financial institutions lack the technical capability to monitor vendor infrastructure independently and rely on vendor self-reporting. The Marquis case demonstrates that self-reporting is worthless when the vendor itself is unaware of the compromise for six months.

Regulatory Exposure Under NIS2 and DORA

Under NIS2 (Network and Information Security Directive 2), banking is an Annex I sector, and institutions classified as essential entities must implement supply chain risk management controls that include vendor security assessments, incident notification requirements, and contractual provisions for security audits. DORA (Digital Operational Resilience Act) extends this to all regulated financial entities, requiring third-party risk management frameworks that assess, monitor, and mitigate cyber risks from critical ICT service providers; for financial entities in its scope, DORA is the sector-specific act that takes precedence over NIS2, so it is the DORA requirements that supervisors will actually test against. The Marquis incident creates immediate regulatory exposure for multiple parties. Regulators will examine whether affected banks conducted adequate due diligence on Marquis before granting it access to customer data. They will scrutinize whether contracts required Marquis to maintain reasonable security controls and to notify banks of incidents within defined timeframes. They will assess whether banks held contractual rights to audit Marquis's security posture and whether those audits actually took place. For Marquis, regulators will examine whether the company maintained reasonable safeguards given its access to sensitive financial data across 80+ institutions. The fact that Marquis did not detect a six-month compromise of its own systems will likely be cited as evidence of inadequate security monitoring and incident response capability.

Cybersol's Governance Perspective: Three Overlooked Risk Layers

Most financial institutions overlook three critical elements in vendor risk governance.

First, vendor contracts must include explicit security baselines tied to access level and data exposure, with audit rights and continuous monitoring provisions. A vendor with access to customer financial data should be required to maintain SOC 2 Type II certification, conduct annual penetration testing, and provide real-time security event logs to the acquiring institution. Contracts should specify remediation timelines for critical vulnerabilities (24 to 72 hours, depending on severity) and include contractual penalties for non-compliance.

Second, incident notification clauses must require vendor notification within hours of discovery, not days or weeks. The Marquis breach was discovered in August but not publicly disclosed until months later; affected institutions had no opportunity to implement early warning or to accelerate their own breach response. Contracts should require vendors to notify acquiring institutions of any security incident affecting customer data within 4 hours of discovery, with a detailed incident report within 24 hours. The timing is not arbitrary: under DORA, the bank's own clock for reporting a major ICT-related incident starts when the bank becomes aware of it and the initial notification is due within hours, so a vendor clause slower than that leaves the bank unable to meet an obligation it cannot delegate.

Third, liability provisions must reflect actual exposure. A vendor holding customer data for 80 institutions cannot be capped at subscription fees. Liability should cover breach notification costs, credit monitoring, regulatory fines, and reputational damage. Most vendor contracts cap liability at 12 months of fees; this is inadequate for vendors with access to sensitive financial data.

Vendor risk governance should be owned by the CISO, not procurement. Procurement optimizes for cost and service delivery; the CISO is accountable for risk mitigation and regulatory compliance. The Marquis incident demonstrates that vendor risk is a security and governance issue, not a procurement issue.

Closing Reflection

The Marquis Software Solutions breach is a watershed moment for third-party risk governance in financial services. It demonstrates that annual questionnaires, standard liability caps, and vendor self-reporting are insufficient when vendors have access to sensitive customer data across an entire ecosystem. Regulators under NIS2 and DORA will use this incident as a benchmark for assessing vendor risk governance frameworks. Financial institutions should immediately review vendor contracts to ensure they include explicit security baselines, continuous monitoring provisions, rapid incident notification requirements, and liability provisions aligned with actual data exposure. For a detailed analysis of the breach mechanics, affected institutions, and regulatory implications, review the original source material from Gblock.

Original Source: Gblock, "One Vendor Got Hacked and 80 Banks Lost Your Data," https://www.gblock.app/articles/marquis-ransomware-breach-80-banks


Cybersol B.V. is an EU-focused cyber governance company specializing in vendor risk, contractual notification, and regulatory exposure. This analysis reflects governance-level interpretation of third-party risk and is not legal advice.