Marquis Breach Expands to 80 Banks: SonicWall Lessons for SAMA Third-Party Risk

The Marquis ransomware breach has expanded to 80 banks and 824,000 customers — exploited through a SonicWall firewall flaw. Here's what SAMA-regulated banks must do now to harden third-party and perimeter controls.

FyntraLink Team

The Marquis Software Solutions breach has quietly become one of the most consequential supply-chain incidents of the year for the financial sector — with the disclosed toll now reaching at least 80 banks and credit unions and roughly 824,000 customers. For Saudi banks operating under SAMA Cyber Security Controls, the technical root cause — a SonicWall firewall configuration backup theft — is a textbook case study of how perimeter and vendor risk converge.

What Happened: A Vendor, a Firewall, and 80 Downstream Banks

Marquis is a niche but deeply embedded vendor in U.S. retail banking, providing marketing analytics and compliance reporting tools that ingest core banking data from hundreds of community banks and credit unions. According to Marquis's own filings with the Maine Attorney General and a February 2026 lawsuit it filed against SonicWall, attackers exfiltrated firewall configuration backup files belonging to Marquis. Those configurations contained the keys needed to pivot into the internal network, exfiltrate sensitive customer data, and detonate ransomware.

The exposed records include names, dates of birth, postal addresses, Social Security numbers, bank account numbers, and debit and credit card numbers — precisely the data set that fuels downstream account takeover, card fraud, and synthetic identity attacks. American Banker's analysis of state attorney general disclosures shows the impact has now grown to at least 80 institutions, well beyond Marquis's initial estimate.

Why the SonicWall Configuration Theft Matters

This is not a typical ransomware story. The attackers did not phish an employee or exploit a Windows zero-day on an endpoint. They obtained encrypted firewall configuration backup files — the kind security teams routinely store on cloud portals or vendor-managed services — and successfully extracted the credentials, IPsec pre-shared keys, VPN user databases, and routing maps inside them. Once an adversary holds a firewall's backup file, they effectively hold a blueprint of the network and a fast-track to lateral movement.

The Marquis filings highlight a systemic weakness across the financial sector: perimeter device backups are often treated as low-sensitivity operational data, when in reality they are crown-jewel artifacts. They contain administrator credentials, SSL VPN configurations, NAT mappings, RADIUS secrets, and certificate keys. Any compromise of a firewall vendor's storage layer is functionally a compromise of every customer environment configured on those devices.

Impact on Saudi Financial Institutions Under SAMA CSCC

Most Saudi banks operate hybrid perimeter stacks combining Fortinet, Palo Alto, Cisco, Check Point, and SonicWall appliances, often supplemented by managed security service providers (MSSPs) who hold backup copies of those configurations. Under SAMA CSCC subdomain 3.3.14 (Third-Party Cyber Security) and subdomain 3.3.5 (Cryptography), banks are explicitly required to enforce cryptographic protection of sensitive operational artifacts and to assess third-party cyber risk on a continuous basis — not just at onboarding.

The NCA Essential Cybersecurity Controls (ECC-1:2018), particularly control 2-12 on third-party cybersecurity, and the newer NCA NCNICC-1:2025 controls expand this expectation to the wider private sector. The PDPL adds another layer: a downstream breach caused by a vendor still triggers the controller's notification obligations to SDAIA within 72 hours, regardless of where the ransomware was deployed. A Marquis-style incident in Saudi Arabia would therefore expose the regulated bank — not just the vendor — to enforcement action.

Recommended Actions for Saudi Banks

  1. Inventory every party that holds firewall, router, load balancer, or WAF configuration backups — including MSSPs, integrators, and the appliance vendor's cloud portal — and treat each as a critical third party under your TPRM register.
  2. Encrypt all network device configuration backups with customer-managed keys (CMK) stored in your own HSM or KMS; never rely solely on vendor-side encryption that the vendor itself can decrypt.
  3. Rotate all secrets stored inside firewall configurations on a defined cadence: pre-shared keys, RADIUS shared secrets, SNMP community strings, local admin passwords, certificate private keys, and SSL VPN signing keys.
  4. Segment the management plane: enforce out-of-band, jump-host-only access to firewalls, with phishing-resistant MFA (FIDO2 / WebAuthn) and privileged access management (PAM) session recording.
  5. Update vendor contracts to require breach notification within 24 hours, evidence of SOC 2 Type II or ISO 27001 audits, and a right-to-audit clause aligned with SAMA CSCC subdomain 3.3.14.
  6. Run a tabletop exercise specifically simulating the loss of a firewall configuration backup at a third-party vendor — most incident response playbooks do not currently cover this scenario.
  7. Validate detection coverage for the post-compromise indicators reported in the Marquis intrusion: anomalous SSL VPN logins from new geographies, unexpected administrative changes to NAT and policy rules, and large outbound data flows to file-sharing or anonymization services.
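As an added example (not code from Marquis, SonicWall or Fyntralink), the following script shows what validating the detection coverage in action 7 can look like: it runs simple rules for the three post-compromise indicators over constructed sample log lines. The key=value log layout, the per-user country baseline, the approved-admin list and the 1 GiB outbound threshold are all assumptions, not any appliance's real schema or a recommended tuning.

```python
"""Added example: detector for the three indicators above, run over constructed
sample firewall log lines. Field names and thresholds are assumptions."""
import re

# Constructed sample log lines; the key=value layout is an assumption.
SAMPLE_LOGS = """\
ts=2026-02-10T08:01:00Z type=vpn_login user=alice src_country=SA result=ok
ts=2026-02-10T08:05:00Z type=vpn_login user=bob src_country=SA result=ok
ts=2026-02-11T02:13:00Z type=vpn_login user=alice src_country=NL result=ok
ts=2026-02-11T02:20:00Z type=admin_change user=alice object=nat_policy action=add
ts=2026-02-11T02:21:00Z type=admin_change user=alice object=access_rule action=modify
ts=2026-02-11T02:40:00Z type=flow dir=out dst=cloud-share.example bytes=5368709120
ts=2026-02-11T09:00:00Z type=flow dir=out dst=corp-mail.example bytes=20480
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")
# Assumed baseline: countries each SSL VPN user has historically logged in from.
BASELINE_COUNTRIES = {"alice": {"SA"}, "bob": {"SA"}}
# Assumed SOC tuning: which objects are sensitive, who may change them,
# and how large a single outbound flow must be before it is flagged.
SENSITIVE_OBJECTS = {"nat_policy", "access_rule"}
APPROVED_CHANGE_ADMINS = {"fw-change-svc"}
OUTBOUND_BYTES_THRESHOLD = 1 * 1024**3  # 1 GiB

def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))

def detect(lines, baseline=BASELINE_COUNTRIES):
    """Return (indicator, detail) alerts for the three indicators in order."""
    alerts = []
    for ev in map(parse, lines):
        kind = ev.get("type")
        if kind == "vpn_login" and ev.get("result") == "ok":
            # Indicator 1: successful SSL VPN login from a country not in baseline.
            if ev["src_country"] not in baseline.get(ev["user"], set()):
                alerts.append(("new_geo_vpn_login", f"{ev['user']} from {ev['src_country']}"))
        elif kind == "admin_change" and ev.get("object") in SENSITIVE_OBJECTS:
            # Indicator 2: NAT/policy change by an account outside the change process.
            if ev["user"] not in APPROVED_CHANGE_ADMINS:
                alerts.append(("unexpected_policy_change", f"{ev['user']} {ev['action']} {ev['object']}"))
        elif kind == "flow" and ev.get("dir") == "out":
            # Indicator 3: single large outbound transfer (possible staging/exfil).
            if int(ev["bytes"]) >= OUTBOUND_BYTES_THRESHOLD:
                alerts.append(("large_outbound_flow", f"{ev['bytes']} bytes to {ev['dst']}"))
    return alerts

if __name__ == "__main__":
    for indicator, detail in detect(SAMPLE_LOGS):
        print(indicator, detail)
```

In a tabletop or purple-team run, the useful check is that all three indicator types fire from the same user and time window, which is the chain the article describes; each rule alone is noisy.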

Conclusion

The Marquis breach is a reminder that in financial services, the weakest perimeter is rarely the bank's own — it is the perimeter of the smaller vendor that holds your data, your configurations, or your keys. The expansion from 672,000 to 824,000 affected customers across 80 institutions shows how quickly a single vendor incident becomes a sector-level event. SAMA CSCC, NCA ECC, and PDPL all converge on the same conclusion: third-party cybersecurity is no longer a compliance checkbox; it is a board-level risk that demands continuous monitoring, contractual rigor, and technical validation.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on third-party risk and perimeter device hardening.