Community 1st Data Breach: Sensitive Information Exposed

On Aug. 14, 2025, Community 1st Credit Union, a member-owned financial institution serving Iowa and Missouri, was notified of a significant data breach involving its third-party vendor, Marquis Software Solutions. Marquis, which provides marketing services to the credit union, experienced a cybersecurity incident that resulted in unauthorized access to sensitive member data.

Initially, it appeared that no sensitive Community 1st Credit Union member information was involved. However, after Marquis paid a ransomware demand shortly after Aug. 14, 2025, a subsequent investigation revealed that nonpublic personal information related to Community 1st Credit Union members had in fact been compromised.

On Oct. 27, 2025, Marquis formally notified Community 1st Credit Union that files containing member data were included in the breach. The credit union confirmed on Oct. 28 that, since 2020, they had been using unique identifiers in place of sensitive data when transmitting information to Marquis.

However, the compromised files appear to have originated from records provided prior to 2020, before this extra layer of security was implemented. On Nov. 7, 2025, Marquis provided raw data to the credit union, confirming that sensitive member information was included in the breach.

According to the disclosure filed with the Iowa Attorney General, the breach affected 6,511 Iowa residents and a total of 6,876 members. The types of information exposed include personally identifiable information (PII) such as name, date of birth, account number, and Social Security or Tax ID number.

Community 1st Credit Union's response

In response to the breach, Community 1st Credit Union worked closely with Marquis Software Solutions to investigate the incident and determine the scope of the data exposure.

Upon learning that sensitive member data was included in the files accessed by the attackers, the credit union confirmed that their current data transmissions use unique identifiers, reducing the risk of similar breaches in the future. Marquis has taken steps to enhance its security protocols and engaged cybersecurity experts to assist with the investigation.

To support those affected, Marquis is providing a complimentary membership to Epiq Privacy Solutions ID, which includes credit monitoring, dark web monitoring, credit protection, change of address monitoring, and identity restoration services.

If you receive a data breach notice from Community 1st Credit Union you may want to:

• Sign up for the free credit monitoring and identity theft protection services, offered by the company.
• Monitor your credit reports and financial accounts for any unusual activity.
• Be alert for phishing emails or phone calls that may use your exposed information.
• Consider placing a fraud alert or credit freeze with major credit bureaus.