Breach of Financial Services Provider May Have Exposed Sensitive Data of Almost 800K
Texas-based financial services provider Marquis Software Solutions may have suffered a breach that leaked the sensitive information of almost 800,000 customers, a law firm investigating the incident said Monday. Multiple states also recently reported the breach.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Marquis faced a ransomware attack on Aug. 14 in which “an unauthorized third party gained access to Marquis' network through its SonicWall firewall,” said a press release from Schubert Jonckheer, which is investigating the breach on behalf of the 788,000 potential victims.
The financial services provider began notifying impacted individuals around Dec. 3, the release noted. The delay “may have violated state and federal laws,” Schubert Jonckheer added.
The culprit gained access to data from 74 banks and credit unions, which were current and former clients of Marquis, including Discovery Federal Credit Union and Fidelity Cooperative Bank, the law firm said. Social Security numbers, taxpayer identification numbers and financial account information were among the data affected.
A sample notification letter from Marquis said upon discovery of the ransomware attack, it “promptly launched an investigation and engaged cybersecurity experts through legal counsel to assist,” as well as notified law enforcement.
A “thorough review of the files potentially accessed” revealed what information was impacted, which matched the data outlined in the law firm release. Marquis added that it has “no evidence of misuse or attempted misuse of this personal information as a result of this incident.”
The financial services provider also said that it notified affected business customer data owners from Oct. 27 to Nov. 25 about "the potential involvement of personal information collected through them.” Since then, “Marquis has been working with some of these data owners -- at their direction -- to facilitate appropriate notifications to individuals and regulatory bodies.”
On Dec. 2, several state attorneys general reported the incident, including Texas, which noted that 354,289 state residents were affected but none had been notified yet; Maine, which noted 42,784 state residents were impacted; and California, which didn't say how many residents were impacted.
South Carolina reported on Nov. 30, noting that 84,721 state residents were affected. New Hampshire’s AG reported the breach on Dec. 1. Vermont and Washington state reported the event the earliest, on Nov. 26. 269,773 were impacted in Washington.
After discovering the data security incident, Marquis "immediately enacted our response protocols and proactively took the affected systems offline to protect our data and our customers’ information," a spokesperson emailed us Tuesday.
"The incident was quickly contained, and our investigation was recently completed," which "determined that an unauthorized third party accessed certain non-public information within our network," the spokesperson said. "However, there is no evidence indicating that any personal information has been used for identity theft or financial fraud," and Marquis has "notified potentially affected individuals."