CEO of Marquis Software Talks About Discovering Breach, How it Responded, What it Has Learned, And Advice it Has to Share

PLANO, Texas–The CEO of a company with hundreds of credit union clients whose systems were breached, resulting in the exposure of considerable member data and resulting litigation, is offering CU leaders an update on where things stand now, how the company learned of the breach and then responded, and the lessons it has gained that it is now sharing.

In August 2025, Marquis Software Solutions was hit with a ransomware attack that exposed the sensitive personal and financial data of over 672,000 individuals across hundreds of banks and credit unions. According to Marquis, the attackers exploited a SonicWall firewall vulnerability to gain access to personal data that included names, addresses, SSNs, and financial account details. Multiple class actions have been filed, including by Marquis against SonicWall, as the CU Daily reported here.

Below, Marquis Software CEO Satin Mirchandani discusses everything that has happened since last year and concludes with some hard-learned but beneficial advice.

The CU Daily: First, share with readers how you first became aware of the breach, and how awareness of the size of that breach evolved and grew (if it did).

Mirchandani: The breach initially manifested as an outage in one of our datacenters, which was traced back to some instances of our EDR (endpoint detection and response) software detecting and attempting to block ransomware activity.  That resulted in partially damaged systems that were not fully functional and thus manifested as an outage.

The CU Daily: What was your initial response, and how soon did you start hearing from clients with concerns?

Mirchandani: Our CISO served as incident commander, guiding us through the threefold hierarchy of priorities.  The top priority was to immediately lock down and isolate our infrastructure in order to prevent movement by the threat actor.  Once that was accomplished, the next priority was to identify and remediate the attack vector and confirm the removal of the threat actor from the infrastructure.  In some cases, that involved rebuilding systems from a “known good” state.  The final priority was to make production systems available for use by clients.

Recognizing the need for objectivity and third-party expertise/capacity, we immediately retained privacy counsel, who then proceeded to retain the necessary third parties, including DFIR (Digital Forensics and Incident Response), ransomware negotiation, and large-scale system restoration.

Clients became aware of the issue and started contacting us with questions that very morning.  We sent out a broadcast notification to all clients later in the day, identifying that we had experienced a security incident, sharing what we knew, emphasizing that we had retained third parties to fill in the picture for us, and committing to providing additional information as it became available.

The CU Daily: Have you confirmed the breach was the result of a third party (SonicWall)?

Mirchandani: While this is currently the subject of ongoing litigation, I am able to say that the manner in which our MFA (multi-factor authentication) was defeated – a prerequisite for the data breach – lines up exactly with what we now understand to have occurred in the breach of SonicWall’s cloud backup service and exfiltration of credentials.

The CU Daily: Tell us about your decision to personally go visit with clients. Who did you see, how much travel was involved, what was response and what was your message?

Mirchandani: The first client CEO I spoke with shared advice that laid the groundwork for my response. He said I needed to be the face of the incident in order to assure clients that we were taking it seriously. I’m grateful to this client for this advice because it affirmed my instincts to be on the frontline of our communications, where I could immediately receive feedback, respond appropriately, and make additional changes as necessary.

Meeting Cadence: our meeting cadence had 3 stages:

Since we are a national firm serving hundreds of FIs around the country, it quickly became apparent that a rapid sequence of Zoom calls was the most efficient way to reassure clients individually.  I probably did over a hundred client calls in those initial weeks (late August/early September).

Based on those calls, we organized a webinar-style security briefing on Sept. 30, which allowed us to share our findings with our entire client base.  


Finally, once the incident had been remediated and our security posture augmented, we organized about a half-dozen “client executive summits” around the country starting in the middle of December.  We are just about to wrap up the final summit next week.  Most had around 20 FIs, typically those who needed more detail and interaction. 

Audience: Our client champions and users are primarily marketers. They are typically not their organizations’ main authorities on issues of data privacy and information security. It became very clear after just the first couple of meetings with clients that our champions were being asked very tough questions, which they often couldn’t answer, by their internal stakeholders and executives (CIO, CISO, CEO, CFO & Risk).

So, we changed tactics and started requesting that our users bring their C-level and/or InfoSec/Risk to the meetings, which immediately changed the dynamic – the tough questions came to us, not to our users, and our detailed technical responses were received by technical experts, which made for much more productive meetings.

Message: Our message changed as time passed.  We initially shared what we knew/didn’t know, gave insight into our credible third-party partners and their process, and committed to providing full transparency.  Over time, the message became lighter on root cause and heavier on security augmentation (both actual and roadmap). Now, clients are most interested in learning about new capabilities we are bringing to market.

The CU Daily: What did you hear back from clients during these visits?

Mirchandani: Our clients are amazing. They extended us tremendous patience and grace, despite tremendous pressure on them by their own higher ups.  The specific responses ranged widely, depending on their previous personal experience with security response and infrastructure. The more seasoned clients knew the importance of detailed, specific information, but understood those answers would take time to reveal themselves.  Those with less incident response experience needed additional background education on the reason for incomplete or delayed information.

Across the board, our clients have expressed appreciation for our transparency and proactive communication.  More than one client has said something along the lines of “We are not judging you for having been breached.  But we are very much watching to see how you conduct yourself during the recovery.”

The CU Daily: Marquis said it is now a “fundamentally different kind of fintech organization.” What does that mean, practically speaking?

Mirchandani: In this age of AI and automation-enabled threats, it’s clear that locking the proverbial doors and windows isn’t enough. As a vendor, it behooves us to ensure that we simply handle as little of our clients’ sensitive information as possible, and for as short a time as possible.  To that end, we are now looking at how data flows between us and our clients with an eye for eliminating, masking and/or rapidly deleting sensitive information from our systems as soon as we no longer need it.

As just one example, we have a core capability at Marquis called “householding” that permits very effective targeting and segmentation, but previously required use of the member/consumer’s social security number.  Post this incident, we have developed an alternative approach that eliminates that need via tokenization (data masking).

The CU Daily: What architectural/data security changes have you made, and what do you recommend others do?

Mirchandani: We have implemented a range of hardening protection strategies, and would recommend the same for others:

  • As I’d mentioned earlier, the first step is to avoid having sensitive data on our network in the first place, and if it’s unavoidable then to minimize the interval for which we are holding it.  That is accomplished via tokenization/masking.
  • Speed up security posture reviews and exception handling. In an AI-enabled threat environment, even short-lived gaps can prove to be very damaging.
  • Minimize the potential “blast radius” if an attacker does get in.  That is accomplished by systematically creating ever-smaller segments on the network to prevent lateral movement if the network is compromised.
  • Invest in an outsourced, AIOps-enabled 24×7 SOC/MDR to decrease MTTR (mean time to response) to detect and evict threat activity.
  • Ensure multiple layers of clean backups for a quick and reliable recovery.
  • Finally, institute a formal annual vendor “security requalification” process to identify and minimize third party risk.
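The “householding without the SSN” change described earlier, and the tokenization/masking step in the list above, can be illustrated with keyed tokenization. The following is an added example written for this article; it is not Marquis’s code and does not describe how their system actually works. It assumes the secret key lives in a separate key-management service or HSM (here a constructed constant), that records arrive with a raw SSN, and that a member record only needs to be linkable to other records of the same person, never to the SSN itself. The sample records are constructed.

```python
"""Keyed tokenization so member records can be linked ("householded")
without the SSN itself being stored.  Added illustration, not Marquis code."""
import hashlib
import hmac
import re
from collections import defaultdict

NON_DIGITS = re.compile(r"\D")

# Placeholder for a key fetched from a KMS/HSM at runtime; it must never be
# stored beside the tokenized data, and rotating it requires re-tokenizing.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample input: two records belong to the same person (joint
# accounts), two other people share an address with them, one is unrelated.
SAMPLE_RECORDS = [
    {"member_id": "M-1001", "ssn": "123-45-6789", "address": "1 Main St"},
    {"member_id": "M-1002", "ssn": "123456789", "address": "1 Main St"},
    {"member_id": "M-1003", "ssn": "987-65-4321", "address": "1 Main St"},
    {"member_id": "M-1004", "ssn": "555-55-5555", "address": "9 Elm Rd"},
]


def normalize_ssn(ssn: str) -> str:
    """Strip punctuation so '123-45-6789' and '123456789' tokenize identically."""
    digits = NON_DIGITS.sub("", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def tokenize_ssn(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalized SSN under a secret key.

    Equal inputs give equal tokens, so equality joins still work.  Without
    the key the token cannot be reversed.  An unkeyed SHA-256 would not do:
    there are only 10**9 candidate SSNs, so every token could be recovered
    by hashing all of them."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def mask_ssn(ssn: str) -> str:
    """Display form that keeps only the last four digits."""
    return "***-**-" + normalize_ssn(ssn)[-4:]


def minimize_record(record: dict, key: bytes) -> dict:
    """Copy of the record with the SSN replaced by its token and masked form.

    This is the data-minimization step: after this point the raw SSN is not
    retained anywhere in the pipeline."""
    out = {k: v for k, v in record.items() if k != "ssn"}
    out["ssn_token"] = tokenize_ssn(record["ssn"], key)
    out["ssn_masked"] = mask_ssn(record["ssn"])
    return out


def household_by_token(records: list) -> dict:
    """Group minimized records that share a token (same underlying person).

    Returns {token: [member_id, ...]} in input order."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["ssn_token"]].append(rec["member_id"])
    return dict(groups)


if __name__ == "__main__":
    minimized = [minimize_record(r, DEMO_KEY) for r in SAMPLE_RECORDS]
    for rec in minimized:
        print(rec["member_id"], rec["ssn_masked"], rec["ssn_token"][:16] + "...")
    for token, members in household_by_token(minimized).items():
        print(token[:16] + "...", members)
```

Because the token is only as secret as the key, the key is the new sensitive asset: keep it out of the data store and application logs, restrict who can call the tokenization service, and plan for re-tokenization when the key is rotated.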

The CU Daily: If you could share some advice from this experience with other organizations, what would it be?

Mirchandani: Assume you will be breached, and start running table-top exercises today – that will identify your weak spots and leave you with a prioritized investment roadmap.

Create a shortlist of trusted advisors (privacy counsel, incident response, recovery services, media/PR advisors) to be activated if/when breached. Onboard these advisors before an incident occurs, so they already know your company, stakeholders and priorities and can hit the ground running if a breach occurs. 

If/when breached, leadership needs to lean in and be the face of the response/recovery.  That visibility is key in building confidence with both employees and clients.

Accept that damage to your enterprise has occurred, and do not try to manipulate facts to minimize that damage.  Know that a subset of your customers will react negatively or have a kneejerk reaction, but many will listen to fully understand the situation. That is the constituency you need to prioritize, and whose trust you need to regain.  They will reward transparency and punish obfuscation.  Once beyond the incident, find a way to reward their patience and trust.

Accept that everything you do will be second-guessed, perhaps in a legal setting.  Regardless of that, try to do the right thing for your clients and employees!

The CU Daily: Where do things now stand with Marquis and its clients, and what’s ahead?

Mirchandani: Notifications are winding down and we are back to maximizing growth and profitability for our clients.  We have used the lessons from this incident to better streamline our decision-making and operational agility.  Having lost some time to the security incident and response, we are now determined to press ahead with a faster pace of innovation, details of which we are sharing with clients in a series of executive summits and meetings.  

To readers: thank you for taking the time to read about our experience. I sincerely hope you can take a nugget or two away for your own institution.
