Marquis Sues SonicWall Over Alleged Security Flaws Linked to Major Ransomware Attack

 

A legal battle is escalating in Texas after fintech company Marquis filed a lawsuit against firewall vendor SonicWall, claiming that weaknesses in the company’s cloud backup service played a key role in a large ransomware attack.

The case was filed Monday in the U.S. District Court for the Eastern District of Texas, where Marquis is requesting a jury trial. The company argues that a 2025 cybersecurity incident at SonicWall "exposed critical security information for Marquis and every customer that used SonicWall's firewall cloud backup service."

According to the complaint, cybercriminals were able to obtain sensitive firewall configuration backup files, which were later used to infiltrate Marquis’ internal network.

Firewalls are meant to prevent unauthorized access to private networks. However, Marquis claims attackers used data taken from SonicWall’s cloud backup service to analyze how customers configured their firewall protections. This information allegedly provided them with a detailed roadmap to circumvent security controls.

The stolen information reportedly included emergency administrative access credentials known as scratch codes. These codes are designed to enable urgent system access but, according to the lawsuit, were exploited by attackers to bypass protections and gain entry into Marquis’ network.

"SonicWall allowed a threat actor to obtain the keys to bypass that line of defense and walk right into Marquis's internal network, the very thing that SonicWall's firewall was supposed to prevent," the lawsuit states.

After gaining access, the hackers allegedly launched a ransomware attack that disrupted Marquis’ operations and exfiltrated sensitive data.

Marquis, which offers data visualization solutions used by hundreds of banks and credit unions, reported that the attackers accessed "personally identifiable information concerning customers of some of Marquis's financial institution clients."

The compromised data reportedly includes names, dates of birth, mailing addresses, and financial information such as bank account numbers, debit card numbers, and credit card numbers. Social Security numbers were also exposed during the breach.

Expanding Impact of the Breach

SonicWall initially disclosed the security incident in mid-September 2025, stating that fewer than 5% of firewall configuration backup files belonging to customers had been taken from storage servers hosted on Amazon’s cloud infrastructure and managed by SonicWall.

However, the company later updated its disclosure in October, acknowledging that the attackers had actually obtained backup files belonging to all customers.

Marquis began notifying impacted individuals in December 2025, explaining that its systems had been compromised earlier in August. SonicWall has not revealed when the attackers initially accessed its environment, leaving questions about how long the vulnerability may have remained undetected.

In the lawsuit, Marquis claims that a modification made in February 2025 to one of SonicWall’s application programming interfaces (APIs) "created a vulnerability exploitable by threat actors." The complaint further alleges that this weakness enabled attackers to retrieve firewall configuration backup files "without proper authentication" by predicting firewall serial numbers.

The company has not yet confirmed the full scope of affected individuals. However, a report filed with the Texas attorney general indicates that at least 400,000 people across the United States may have been impacted. That number could rise as more breach notifications are submitted to regulators in other states.

The case now raises serious questions about SonicWall’s security controls surrounding its cloud backup service. A jury in the Eastern District of Texas will ultimately decide whether the vulnerabilities and subsequent ransomware attack were the result of security failures on SonicWall’s part, as Marquis alleges.