Marquis Software Solutions Data Breach Impacts Over 1.3M Exposing Social Security Numbers

Marquis Software Solutions, a technology provider for banks and credit unions, recently experienced one of the largest data breaches of the year that has affected over 1.3 million people across several states. The incident was first detected on Aug. 14, 2025, when Marquis identified suspicious activity on its network.

A subsequent investigation revealed that an unauthorized third party had accessed and acquired files containing sensitive customer data from Marquis’s systems. The exposed information includes names, addresses, dates of birth, Social Security numbers or tax ID numbers and financial account numbers.

The breach was discovered after Marquis paid a ransomware demand shortly after Aug. 14, 2025, but it was not until Oct. 27, 2025, that Marquis confirmed the extent of the data involved and began notifying affected institutions.

How many people are affected?

As of December 6, 2025, across over a dozen disclosures made by Marquis and affected data owners to state attorneys general offices, the total number of people affected is up to 1,318,195 in the United States.

Residents affected by state:

• Iowa: 10,730
• Maine: 42,784
• Massachusetts: 280,375
• New Hampshire: 60,000
• South Carolina: 84,721
• Texas: 354,289
• Washington: 269,773

In some cases, affected credit unions reported directly to state attorney general offices and included both state and national numbers of people affected. The total number of Americans affected for this subset of data owners include 3,272 Anderson Bancshares customers, 160,000 CoVantage Credit Union members, and 51,000 Norway Savings Bank customers.

Marquis Software Solutions' response

Following the breach, Marquis took several steps to contain the incident and strengthen its cybersecurity posture. The company immediately launched an investigation with the help of cybersecurity experts and notified law enforcement. Marquis has since implemented enhanced security controls, including updating and patching firewall devices, rotating passwords, deleting unused accounts, enabling multifactor authentication, increasing firewall logging, applying stricter account lockout policies and geo-IP filtering, and deploying endpoint detection and response tools.

To support affected individuals, Marquis is offering complimentary credit monitoring and identity protection services through Epiq Privacy Solutions ID, typically for 12 to 24 months. These services include three-bureau credit monitoring, dark web monitoring, identity restoration assistance, lost wallet support and up to $1 million in identity theft insurance. Impacted individuals are being notified by mail with instructions on how to enroll in these services.

Given the nature of the breach and the types of data exposed, individuals should remain vigilant for signs of identity theft or fraud. Marquis recommends regularly reviewing account statements and credit reports, placing fraud alerts or security freezes on credit files, and taking advantage of the free credit monitoring being offered. The company has provided a dedicated response line for questions and additional support.

Which Credit Unions are Affected?

The breach has affected a number of Marquis' downstream vendors that have made disclosures to various state attorneys general offices.

Banking institutions impacted include, but are not limited to:

• Anderson Bancshares, Inc.
• BayFirst Financial
• Bellwether Community Credit Union
• Cape Code Five
• Community 1st Credit Union
• CoVantage Credit Union
• Gesa Credit Union
• Industrial Credit Union of Whatcom County
• Interior Federal Credit Union
• iQ Credit Union
• Maine State Credit Union
• Norway Savings Bank
• Sound Community Bank
• Suncoast Credit Union
• Time Bank
• Valley Strong Credit Union

Official disclosures can be found on the attorneys general websites for Maine, Massachusetts, California, New Hampshire, Oregon, Texas, South Carolina, Vermont, Iowa and Washington.