Two American banks have issued public warnings to customers after being affected by a ransomware incident that occurred in August at a widely used financial software provider.
Artisans' Bank and VeraBank notified regulators in Maine last week that recent data breaches were traced back to a cyberattack on Marquis Software. The vendor had earlier confirmed it suffered a ransomware attack around August 14, impacting dozens of corporate clients and thousands of individuals connected to those organizations.
In notification letters sent to affected customers, VeraBank clarified that Marquis Software serves as its “customer communication and data analysis vendor.”
“They had access to your data to communicate relevant and necessary updates with you and also to analyze what bank products and services may best fit your needs,” the Texas-based lender stated. “We only provided Marquis with access to your data after they had contractually agreed to secure and protect the same.”
According to VeraBank’s disclosures, 37,318 individuals had personal information compromised, though the bank did not specify exactly what data was taken.
Artisans' Bank, headquartered in Delaware, said it was alerted to the incident by Marquis Software in October. Its investigation revealed that the breach exposed the names and Social Security numbers of 32,344 people.
Both banks emphasized that their internal systems were not compromised and that the stolen information was “maintained by Marquis Software.”
The disclosures make VeraBank and Artisans' Bank the latest financial institutions identified as downstream victims of the Marquis Software attack. The company provides data analytics, compliance services, and digital marketing solutions to hundreds of banks and credit unions nationwide.
Marquis Software stated in its own breach notifications that it contacted federal law enforcement after discovering the cyberattack in August. The company said investigators traced the breach to a vulnerability in a SonicWall firewall device.
According to Marquis Software, the stolen data included names, addresses, phone numbers, Social Security numbers, taxpayer identification numbers, dates of birth, and financial account details that did not include security or access codes.
Between October 27 and November 25, Marquis Software notified at least 74 banks, credit unions, and financial institutions that their data was involved in the breach. The company filed reports with regulators in multiple states, including Maine, South Carolina, Washington, and Iowa, and also issued notices on behalf of several affected institutions.
The firm has not responded to inquiries about whether additional financial organizations have since been impacted or how many total individuals were affected.
Based on victim counts collected from various state breach registries, cybersecurity researchers and law firms estimate the total number of affected individuals could range from approximately 788,000 to 1.35 million.
Cybersecurity firm Comparitech reported obtaining a now-deleted breach notification letter from Iowa-based Community 1st Credit Union that alleged Marquis Software paid a ransom to the attackers. Marquis Software has not commented on whether a payment was made, and no ransomware group has publicly claimed responsibility for the attack.
