Fintech firm Marquis is suing its firewall provider, SonicWall, alleging that a security breach at SonicWall in created a vulnerability that allowed attackers to compromise Marquis’ network and steal customer data. The lawsuit, filed in the U.S. District Court for the Eastern District of Texas, seeks a jury trial and claims SonicWall’s failure to secure its cloud backup service led to “significant reputational, operational, and financial harm” for Marquis.
The core of the dispute centers on Marquis’ use of SonicWall’s MySonicWall cloud backup service. According to the complaint, the breach at SonicWall exposed critical security information, including firewall configuration files, for all customers utilizing the service. Marquis alleges that hackers exploited this stolen configuration data to bypass its firewall defenses during a ransomware attack that began in .
“SonicWall allowed a threat actor to obtain the keys to bypass that line of defense and walk right into Marquis’s internal network, the very thing that SonicWall’s firewall was supposed to prevent,” the lawsuit states. Firewalls are fundamental network security devices designed to block unauthorized access. Marquis contends that the attackers didn’t exploit a vulnerability *in* the firewall itself, but rather used information stolen from SonicWall to circumvent it.
Specifically, the complaint alleges that hackers leveraged emergency passcodes – often referred to as “scratch codes” – stored within the stolen firewall configuration files. These codes are intended for emergency access but, in this case, provided a backdoor into Marquis’ network. Marquis, which provides data analytics, compliance reporting, CRM tools, and digital marketing services to over 700 banks, credit unions, and mortgage lenders, says the breach resulted in the theft of personally identifiable information (PII) belonging to customers of its financial institution clients.
The stolen data includes names, dates of birth, postal addresses, and financial information such as bank account, debit, and credit card numbers, as well as Social Security numbers. While Marquis has not disclosed the total number of individuals affected, a listing with the Texas Attorney General indicates that at least 400,000 people across the U.S. are known to have been impacted. The company anticipates this number will rise as more breach notifications are filed.
SonicWall first acknowledged a breach of its systems in , initially stating that fewer than 5% of customer firewall configuration backup files had been exfiltrated. However, the company later conceded in that *all* customer firewall backup files had been stolen. The company has not yet publicly detailed the root cause of the breach.
Marquis alleges that SonicWall’s negligence stems from a code change made to one of its APIs in . The company claims this change created a vulnerability that allowed attackers to access customer firewall configuration backup files “without proper authentication” by guessing firewall serial numbers. This suggests a weakness in how SonicWall verified access to the backup files, potentially allowing unauthorized retrieval of sensitive configuration data.
“While we were able to secure our network and client data quickly, our investigation revealed that our exposure to threat actors was due to SonicWall’s network breach and failure to notify us that our firewall protection was potentially compromised,” Marquis CEO Satin Mirchandani said in a statement. Mirchandani also stated that SonicWall has not yet provided non-public information regarding the cause of its breach, and Marquis hopes to obtain more details through the litigation process.
This case highlights the growing risks associated with supply chain security. Marquis relied on SonicWall for firewall protection, and the breach at SonicWall directly led to a compromise of Marquis’ network. This illustrates how a vulnerability at a third-party provider can have cascading effects on downstream customers. The incident also underscores the importance of robust backup security measures, particularly for critical configuration data.
The lawsuit follows reports from that Marquis was planning to seek compensation from SonicWall. The company had already informed its customers that it believed SonicWall was responsible for the data breach. The ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices, even those with multi-factor authentication enabled, further demonstrate the persistent threat landscape surrounding the company’s products. Researchers suspect attackers are leveraging previously stolen credentials and potentially exploiting weaknesses in OTP seed generation, as reported in .
A spokesperson for SonicWall did not immediately comment on the lawsuit.
