Hackers stole the personal and financial information of more than 780,000 individuals after hacking into the network of fintech firm Marquis.
The incident was discovered on August 14, but the investigation into the stolen information took until the end of October to complete.
Last week, Marquis started sending written notification letters to the affected individuals and filed data breach notices with Attorney General’s Offices in several US states.
“Our investigation determined that an unauthorized third party accessed our network and may have accessed and acquired certain files from our systems,” the notification letter filed with the Maine AGO reads.
According to Marquis, the hackers stole personal information such as names, addresses, Social Security numbers, dates of birth, and taxpayer identification numbers.
Additionally, they compromised financial information, including account numbers and credit/debit card numbers.
“At this time, we have no evidence of the misuse, or attempted misuse, of personal information as a result of this incident,” the notification letter reads.
Based on filings with Iowa, Maine, Massachusetts, New Hampshire, South Carolina, Texas, and Washington authorities, roughly 788,000 individuals have been affected by the Marquis data breach.
Marquis is providing them with free credit monitoring and identity protection services for one or two years.
The company says the hackers gained access to its environment through the exploitation of a SonicWall firewall vulnerability.
No information on the threat actor responsible for the Marquis data breach has been shared. However, security researchers blamed the Akira ransomware group for a surge in attacks targeting SonicWall appliances in August and September.
Based in Texas, Marquis provides marketing and compliance software and services to over 700 banks and credit unions across the US, but it is unclear how many have been affected.
A Marquis spokesperson sent the following statement to SecurityWeek:
“In August, Marquis Marketing Services experienced a data security incident. Upon discovery, we immediately enacted our response protocols and proactively took the affected systems offline to protect our data and our customers’ information. We engaged leading third-party cybersecurity experts to conduct a comprehensive investigation and notified law enforcement.
The incident was quickly contained, and our investigation was recently completed. It was determined that an unauthorized third party accessed certain non-public information within our network. However, there is no evidence indicating that any personal information has been used for identity theft or financial fraud. We have notified potentially affected individuals.
We know our customers place great trust in us, and at Marquis, we take that responsibility seriously by making the protection of their information our highest priority. We are extremely appreciative of the cooperation, understanding, and support of our employees and customers during this time.”
*Updated with statement from Marquis.
Related: Personal Information of 33.7 Million Stolen From Coupang
Related: Thousands of Secrets Leaked on Code Formatting Platforms
Related: Ukrainian Extradited to US Faces Charges in Jabber Zeus Cybercrime Case
Related: Penn and Phoenix Universities Disclose Data Breach After Oracle Hack
