A legal dispute is intensifying in Texas as fintech firm Marquis sues its firewall provider, SonicWall, alleging that security failures within the company’s cloud backup service directly contributed to a far-reaching ransomware attack.
The lawsuit, filed Monday in the U.S. District Court for the Eastern District of Texas, seeks a jury trial. Marquis claims that a 2025 breach at SonicWall “exposed critical security information for Marquis and every customer that used SonicWall’s firewall cloud backup service.”
According to the complaint, hackers gained access to sensitive firewall configuration backup files, which were later used to infiltrate Marquis’ internal systems.
The Alleged Bypass Through SonicWall
Firewalls are designed to block unauthorized access to internal networks. However, Marquis contends that attackers exploited data stolen from SonicWall’s cloud backup service to understand precisely how customers configured their firewalls. That insight allegedly gave them a blueprint for breaching defenses.
Among the information reportedly taken were emergency access credentials known as scratch codes. According to the complaint, these codes were intended for urgent administrative access and were used by attackers to bypass safeguards and enter Marquis’ network.
“SonicWall allowed a threat actor to obtain the keys to bypass that line of defense and walk right into Marquis’s internal network, the very thing that SonicWall’s firewall was supposed to prevent,” the lawsuit states.
Once inside, hackers allegedly deployed a ransomware attack that disrupted operations and extracted sensitive information. Marquis, which provides data visualization tools to hundreds of banks and credit unions, reported that the attackers accessed “personally identifiable information concerning customers of some of Marquis’s financial institution clients.”
The stolen data includes names, dates of birth, postal addresses, and financial details such as bank account numbers, debit and credit card numbers. Social Security numbers were also compromised in the cyberattack.
Scope of the Data Breach
SonicWall first disclosed a breach in mid-September 2025, initially stating that fewer than 5% of customer firewall configuration backup files had been exfiltrated from storage servers hosted on Amazon’s cloud and maintained by SonicWall. However, in October, the company revised its statement, acknowledging that every customer had their firewall backup files stolen in the incident.
Marquis began notifying affected individuals in December 2025 that its network had been breached in August of that year. SonicWall has not disclosed when the attackers first gained access to its systems, leaving uncertainty about how long the vulnerability may have existed.
In its complaint, Marquis alleges that a code change made in February 2025 to one of SonicWall’s APIs “created a vulnerability exploitable by threat actors.” According to the lawsuit, this flaw allowed hackers to access customer firewall configuration backup files “without proper authentication” by guessing predictable firewall serial numbers.
Marquis has not confirmed the total number of people affected. However, a listing with the Texas attorney general indicates that at least 400,000 individuals across the United States have been impacted. That figure is expected to increase as additional data breach notifications are filed with attorneys general in other states.
The lawsuit now places SonicWall’s security practices for its cloud backup service under scrutiny. A jury in the Eastern District of Texas will ultimately determine whether the alleged vulnerabilities and subsequent ransomware attack stemmed from failures in SonicWall’s security controls, as Marquis claims.
