Date of Incident:
August 2025
Overview:
The Marquis data breach, reported in December 2025, affected the finance sector, impacting over 400,000 customers across 74 U.S. banks and credit unions. Personal information, including Social Security numbers and financial account details, was exposed. Although there is no evidence that the data has been misused, Marquis paid a ransom to prevent further exposure. The attackers deployed ransomware, with activity mapped to MITRE ATT&CK techniques such as Valid Accounts and Remote Services. Technical indicators included specific malicious IP addresses, domains, and file hashes, and logs showed unauthorized access and unusual data activity.
Impact:
The breach impacted over 400,000 customers across 74 banks and credit unions in the US, exposing personal information including names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, financial account information, and dates of birth. There is no evidence yet that the data has been misused or published. Marquis paid a ransom to prevent the stolen data from being leaked or abused.
Details:
The Marquis data breach involves the exfiltration of sensitive personal and financial information from multiple financial institutions. Mapped MITRE ATT&CK techniques include T1078 (Valid Accounts), T1021 (Remote Services), and T1486 (Data Encrypted for Impact). The ransomware payload encrypts user data and leaves a ransom note for extortion. IOCs include the malicious IP addresses 192.168.1.100 and 203.0.113.45; the domains malicious-marquis.com and rsa-encryptor.net; the file hash abc123xyz456def789 for the ransomware executable; and registry modifications under HKCU\Software\MarquisRansom. Relevant log artifacts show unauthorized logins and unusual file access patterns from user accounts, as well as spikes in outbound traffic that correlate with the data exfiltration events.
Remediation:
The vendor Marquis released a patch to address the exploited vulnerability. Temporary mitigations include disabling Remote Desktop Protocol (RDP) access, enforcing multi-factor authentication for all remote logins, and segmenting the network to limit lateral movement. Organizations are advised to monitor for the IOCs and to isolate compromised systems immediately. Backups should be taken regularly and restore-tested so that recovery is possible without paying a ransom.
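Added example, not code from the write-up or from FireCompass: a small Python triage pass that turns the Details section's artifacts and the Remediation section's "monitor for IOCs" advice into something that can be run over logs. It matches the listed indicators against constructed sample log lines in a hypothetical single-line format, flags logins that fit the Valid Accounts pattern (a success from a source the account has never used, after a burst of failures), and flags any hour whose outbound volume dwarfs the median of the other hours. The log format, the sample lines, and the per-account known-source baseline are assumptions. It also checks each listed IP against RFC 1918 and RFC 5737 space: 192.168.1.100 is a private address and 203.0.113.45 lies in the TEST-NET-3 documentation range, so neither can be blocked or alerted on as-is without hitting internal hosts or nothing at all.

```python
"""Triage helpers for the log artifacts and IOCs described above.

Constructed example, not code from the incident write-up. Indicator values
are copied from the Details section; the log format, the sample lines and
the known-source baseline are made up for this demonstration.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from statistics import median

# Indicators as listed in the Details section.
IOC_IPS = {"192.168.1.100", "203.0.113.45"}
IOC_DOMAINS = {"malicious-marquis.com", "rsa-encryptor.net"}
IOC_HASHES = {"abc123xyz456def789"}
IOC_REGISTRY_KEYS = {r"HKCU\Software\MarquisRansom"}

# RFC 1918 private ranges and RFC 5737 documentation ranges: an IP IOC in
# this space cannot be acted on (both listed IPs fall inside it).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
)]

# Hypothetical one-line log format (constructed for this example).
AUTH_RE = re.compile(r"^(?P<ts>\S+) AUTH user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$")
NET_RE = re.compile(r"^(?P<ts>\S+) NET src=(?P<src>\S+) dst=(?P<dst>\S+) out_bytes=(?P<bytes>\d+)$")
PROC_RE = re.compile(r"^(?P<ts>\S+) PROC host=(?P<host>\S+) sha256=(?P<hash>\S+) image=(?P<image>\S+)$")
REG_RE = re.compile(r"^(?P<ts>\S+) REG host=(?P<host>\S+) key=(?P<key>\S+) op=(?P<op>\S+)$")
PARSERS = (("auth", AUTH_RE), ("net", NET_RE), ("proc", PROC_RE), ("reg", REG_RE))

# Constructed sample logs: a normal user, then a brute-forced service account
# (T1078), the ransomware binary and its registry key, and one large outbound
# transfer to a listed domain. Backslashes are escaped for Python.
SAMPLE_LOGS = [
    "2025-08-14T01:05:11 AUTH user=jdoe src=10.20.30.40 result=ok",
    "2025-08-14T01:07:02 NET src=10.20.30.40 dst=mail.corp.example out_bytes=120000",
    "2025-08-14T02:13:05 AUTH user=svc_backup src=203.0.113.45 result=fail",
    "2025-08-14T02:13:09 AUTH user=svc_backup src=203.0.113.45 result=fail",
    "2025-08-14T02:13:14 AUTH user=svc_backup src=203.0.113.45 result=fail",
    "2025-08-14T02:13:20 AUTH user=svc_backup src=203.0.113.45 result=ok",
    "2025-08-14T02:20:00 PROC host=fs01 sha256=abc123xyz456def789 image=C:\\Users\\Public\\update.exe",
    "2025-08-14T02:21:30 REG host=fs01 key=HKCU\\Software\\MarquisRansom op=create",
    "2025-08-14T02:25:00 NET src=10.20.30.50 dst=rsa-encryptor.net out_bytes=4200000000",
    "2025-08-14T03:10:00 NET src=10.20.30.40 dst=mail.corp.example out_bytes=90000",
    "2025-08-14T04:10:00 NET src=10.20.30.40 dst=crm.corp.example out_bytes=150000",
]
# Source addresses each account used during a clean baseline period (constructed).
KNOWN_SOURCES = {"jdoe": {"10.20.30.40"}, "svc_backup": {"10.20.30.60"}}


def parse_line(line: str) -> tuple[str, dict[str, str]] | None:
    """Return (record kind, fields), or None for a line no parser recognises."""
    for kind, rx in PARSERS:
        m = rx.match(line)
        if m:
            return kind, m.groupdict()
    return None


def non_routable_indicators(ips: set[str]) -> set[str]:
    """IP IOCs that sit in private or documentation space and so are placeholders."""
    return {ip for ip in ips if any(ipaddress.ip_address(ip) in n for n in NON_ROUTABLE)}


def find_ioc_hits(lines: list[str]) -> dict[tuple[str, str], list[int]]:
    """Map each (indicator kind, value) to the indices of the lines containing it."""
    hits: dict[tuple[str, str], list[int]] = defaultdict(list)
    for idx, line in enumerate(lines):
        parsed = parse_line(line)
        if parsed is None:
            continue
        for value in parsed[1].values():
            if value in IOC_IPS:
                hits[("ip", value)].append(idx)
            elif value.lower() in IOC_DOMAINS:
                hits[("domain", value.lower())].append(idx)
            elif value.lower() in IOC_HASHES:
                hits[("hash", value.lower())].append(idx)
            elif value in IOC_REGISTRY_KEYS:
                hits[("registry", value)].append(idx)
    return dict(hits)


def find_suspicious_logins(lines: list[str], known_sources: dict[str, set[str]], burst: int = 3) -> list[tuple]:
    """Valid Accounts signals: success from an unseen source, or success after >= burst failures."""
    failures: dict[tuple[str, str], int] = defaultdict(int)
    findings = []
    for idx, line in enumerate(lines):
        parsed = parse_line(line)
        if parsed is None or parsed[0] != "auth":
            continue
        rec = parsed[1]
        key = (rec["user"], rec["src"])
        if rec["result"] == "fail":
            failures[key] += 1
            continue
        reasons = []
        if rec["src"] not in known_sources.get(rec["user"], set()):
            reasons.append("unknown source")
        if failures[key] >= burst:
            reasons.append(f"{failures[key]} failures before success")
        failures[key] = 0  # a success closes the failure window for this pair
        if reasons:
            findings.append((idx, rec["user"], rec["src"], "; ".join(reasons)))
    return findings


def find_outbound_spikes(lines: list[str], factor: float = 5.0) -> list[tuple[str, int]]:
    """Hours whose total out_bytes exceed factor x the median hourly total."""
    per_hour: dict[str, int] = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and parsed[0] == "net":
            per_hour[parsed[1]["ts"][:13]] += int(parsed[1]["bytes"])  # key: YYYY-MM-DDTHH
    if not per_hour:
        return []
    baseline = median(per_hour.values())
    return sorted((h, b) for h, b in per_hour.items() if b > factor * baseline)


if __name__ == "__main__":
    print("placeholder IP IOCs:", sorted(non_routable_indicators(IOC_IPS)))
    for key, idxs in sorted(find_ioc_hits(SAMPLE_LOGS).items()):
        print("IOC hit", key, "at lines", idxs)
    for finding in find_suspicious_logins(SAMPLE_LOGS, KNOWN_SOURCES):
        print("login", finding)
    for hour, nbytes in find_outbound_spikes(SAMPLE_LOGS):
        print("outbound spike", hour, nbytes)
```

The median baseline is deliberate: a single huge exfiltration hour would drag a mean upward and hide itself, while the median stays near normal traffic. With only one hour of data nothing is flagged, since the hour equals its own median; in production the baseline should come from a longer clean window, and the known-source map from an identity provider rather than a hard-coded dict.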
Takeaway for CISO:
The breach highlights the critical risk that ransomware and data exfiltration pose to the financial sector, where sensitive customer personal and financial data is at stake. CISOs should prioritize robust access controls and continuous monitoring for abnormal activity, and maintain an incident response plan focused on ransomware scenarios to reduce operational and reputational damage.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management.