
824,000 Customers Exposed: Marquis-SonicWall Lessons for Saudi Banks

An unpatched SonicWall firewall at a trusted banking vendor cascaded into an Akira ransomware breach affecting 80 banks and 824,000 customers. Saudi financial institutions face the same third-party exposure under SAMA CSCC.

FyntraLink Team

The breach toll at Marquis Software Solutions — a marketing and compliance vendor quietly embedded in more than 700 U.S. banks and credit unions — has climbed from an initial 400,000 victims to 823,548 consumers across 80 financial institutions. The entry point was not a sophisticated zero-day. It was an unpatched SonicWall SSL-VPN firewall exploited by the Akira ransomware affiliate program using CVE-2024-40766, a flaw disclosed 20 months ago. For Saudi financial institutions operating under SAMA CSCC, the Marquis case is the clearest third-party risk cautionary tale of 2026.

How CVE-2024-40766 Became a Banking Supply Chain Crisis

Marquis disclosed that attackers breached its SonicWall firewall on August 14, 2025, the same day its SOC flagged suspicious network activity. The initial access vector has been attributed to CVE-2024-40766 — an improper access control weakness in SonicOS management and SSL-VPN components affecting Gen 7 TZ, NSa, and SMA series devices. Akira affiliates have refined their tradecraft against this CVE: they harvest VPN credentials, steal one-time passwords in transit, and effectively neutralize MFA before pivoting to internal assets. Arctic Wolf and Bitsight telemetry across late 2025 and early 2026 shows Akira consistently returning to SonicWall estates whose operators believed patch deployment alone was sufficient — without rotating credentials or invalidating sessions.

Why This Was a Vendor Breach, Not a Bank Breach

None of the 80 affected banks and credit unions were individually compromised. Their customer data — names, dates of birth, postal addresses, Social Security numbers, and bank account, debit and credit card numbers — was sitting inside Marquis because the vendor processes marketing analytics and regulatory compliance workflows on behalf of its clients. Each institution had signed a Master Services Agreement. Each had received vendor questionnaires. Yet none had enforceable visibility into Marquis's firewall hygiene or SSL-VPN configuration. Marquis has since filed suit against SonicWall, but the contractual liability chain back to the banks remains unresolved — and in Saudi Arabia, regulators would not wait for a U.S. courtroom to decide.

Impact on Saudi Financial Institutions

Under the SAMA Cyber Security Framework (CSF) and the Cyber Security Compliance Certificate (CSCC), third-party cyber risk is not a checkbox — it is an explicitly audited control domain. The framework obliges member organizations to assess, contractually bind, continuously monitor, and segment third parties that handle customer data or connect to core banking environments. The Marquis scenario maps directly to gaps SAMA examiners probe:

  • CSF 3.3.14 Third Party Security: Requires pre-engagement security assessments and ongoing monitoring — not one-time questionnaires.
  • CSF 3.3.8 Vulnerability Management: Extends to vendor environments where member data resides, including perimeter devices like SonicWall, Fortinet, and Palo Alto firewalls.
  • CSF 3.3.6 Identity & Access Management: Demands MFA enforcement patterns resilient to OTP interception — the exact technique Akira used.

The parallel regulatory pressure from NCA ECC-2:2024 (Domain 4 — Third-Party and Cloud Computing Cybersecurity) and the PDPL data processor obligations mean a Saudi bank whose marketing vendor was similarly breached would face simultaneous exposure from SAMA, NCA, and the Saudi Data & AI Authority (SDAIA). Customer notification timelines under PDPL are 72 hours — not the months Marquis took to complete its forensic expansion.

Practical Recommendations for Saudi CISOs

  1. Map every vendor touching customer PII or connecting inbound to your estate. Create a living registry with concrete data categories, integration mode (API, SFTP, VPN), and last security attestation date. Marquis-type marketing and compliance vendors are the blind spot.
  2. Demand evidence of perimeter CVE remediation, not attestations. Require quarterly proof that edge devices — SonicWall, Fortinet, Ivanti, Palo Alto — are patched to current firmware. Reject self-assessments; require vendor SOC 2 Type II or ISAE 3402 reports that name the devices in scope.
  3. Rewrite contracts to include right-to-audit and session invalidation clauses. Saudi financial institutions should embed the right to perform third-party penetration testing, request firewall configuration extracts, and mandate credential rotation following any suspicious activity — not only confirmed incidents.
  4. Treat MFA as necessary but insufficient. Deploy phishing-resistant authentication (FIDO2 / WebAuthn) for any vendor with remote access to your environment. Require conditional access policies that flag impossible travel and unusual device postures on vendor logins.
  5. Simulate the "trusted vendor ransomware" scenario in your next tabletop. Test PDPL 72-hour notification workflows, SAMA incident reporting timelines, and customer communication playbooks. Most Saudi banks have rehearsed internal incidents; few have practiced cascading third-party exposure.
  6. Deploy continuous third-party attack surface monitoring. Tools that fingerprint vendor-facing SSL-VPN versions, expose weak cipher suites, and flag CISA KEV-listed CVEs in real time turn annual reviews into operational intelligence.
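To make recommendations 1, 2, 4 and 6 concrete, here is an added Python example (written for this page; it is not Fyntralink's tooling or code from the article) of the "living registry" check a third-party risk team could run: each vendor record carries data categories, integration mode, MFA method, last attestation date and its internet-facing edge devices, and the script flags attestations older than one quarter, unremediated CVEs that appear in a KEV-style list, and OTP-only MFA on VPN-connected vendors. Vendor names, firmware strings, dates, the one-entry KEV subset and all field names are constructed assumptions; only CVE-2024-40766 and its description come from the article.

```python
"""Third-party edge-device exposure check (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed subset of a KEV-style catalogue. The CVE and its description are
# taken from the article; in practice this would be loaded from CISA's feed.
KEV_SAMPLE = {
    "CVE-2024-40766": "SonicOS management / SSL-VPN improper access control",
}

ATTESTATION_MAX_AGE = timedelta(days=90)       # quarterly proof (recommendation 2)
SENSITIVE = {"PII", "account_numbers", "card_numbers"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class EdgeDevice:
    vendor_product: str        # e.g. "SonicWall SSL-VPN appliance" (assumed naming)
    firmware: str              # firmware string as reported by the vendor
    open_cves: list[str]       # CVEs the vendor reports as not yet remediated


@dataclass
class VendorRecord:
    name: str
    data_categories: set[str]  # what of ours the vendor holds
    integration_mode: str      # "API", "SFTP" or "VPN"
    mfa_method: str            # "otp" or "fido2" (assumed vocabulary)
    last_attestation: date     # date of the last evidence-backed attestation
    edge_devices: list[EdgeDevice] = field(default_factory=list)


@dataclass
class Finding:
    vendor: str
    severity: str
    reason: str


def assess_vendor(v: VendorRecord, today: date, kev: dict = KEV_SAMPLE) -> list[Finding]:
    """Apply the three checks to one vendor record and return its findings."""
    findings: list[Finding] = []
    handles_sensitive = bool(v.data_categories & SENSITIVE)

    # 1. Stale attestation: a questionnaire older than one quarter is not evidence.
    age = today - v.last_attestation
    if age > ATTESTATION_MAX_AGE:
        findings.append(Finding(v.name, "high" if handles_sensitive else "medium",
                                f"attestation is {age.days} days old "
                                f"(limit {ATTESTATION_MAX_AGE.days})"))

    # 2. Edge device with a known-exploited CVE still open.
    for dev in v.edge_devices:
        for cve in dev.open_cves:
            if cve in kev:
                sev = "critical" if (handles_sensitive or v.integration_mode == "VPN") else "high"
                findings.append(Finding(v.name, sev,
                                        f"{dev.vendor_product} {dev.firmware}: {cve} is "
                                        f"KEV-listed and unremediated ({kev[cve]})"))

    # 3. Remote access protected only by interceptable OTP (recommendation 4).
    if v.integration_mode == "VPN" and v.mfa_method != "fido2":
        findings.append(Finding(v.name, "high",
                                f"VPN access uses {v.mfa_method} MFA; require FIDO2/WebAuthn"))
    return findings


def assess_registry(vendors: list[VendorRecord], today: date, kev: dict = KEV_SAMPLE) -> list[Finding]:
    """Run assess_vendor over the registry, most severe findings first."""
    findings = [f for v in vendors for f in assess_vendor(v, today, kev)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.vendor))


def build_sample_registry() -> list[VendorRecord]:
    """Two constructed vendor records: one exposed, one compliant."""
    return [
        VendorRecord("Marketing Analytics Co (constructed)", {"PII", "account_numbers"},
                     "VPN", "otp", date(2025, 11, 1),
                     [EdgeDevice("SonicWall SSL-VPN appliance", "7.0.x (constructed)",
                                 ["CVE-2024-40766"])]),
        VendorRecord("Statement Printing Ltd (constructed)", {"PII"},
                     "SFTP", "fido2", date(2026, 3, 15)),
    ]


SAMPLE_TODAY = date(2026, 4, 1)   # constructed assessment date


def sample_report() -> list[Finding]:
    return assess_registry(build_sample_registry(), SAMPLE_TODAY)


if __name__ == "__main__":
    for f in sample_report():
        print(f"[{f.severity.upper():8}] {f.vendor}: {f.reason}")
```

On the constructed data the first vendor produces one critical (KEV-listed CVE on a VPN-facing device holding account numbers) and two high findings (151-day-old attestation, OTP-only MFA), while the second produces none. Replacing the hard-coded KEV subset with the live catalogue and feeding the registry from the vendor management system turns this into the "operational intelligence" the article contrasts with annual reviews.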

Conclusion

The Marquis-SonicWall incident is not a foreign story. It is a template. The same Akira affiliates, the same firewall families, and the same underinvested vendors exist across the GCC — and Saudi Arabia's financial sector, with its accelerating digitization under Vision 2030 and Open Banking rollouts, is a natural next target. SAMA will not accept "our vendor was breached" as a mitigating defense; the framework treats it as a failure of your own third-party risk program.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment — including a third-party risk gap analysis mapped to CSF 3.3.14 and NCA ECC-2 Domain 4.