Marquis v. SonicWall Lawsuit Ups the Breach Blame Game

A large fintech company is pinning the blame for its recent data breach on its firewall vendor and suing the vendor for damages. It’s a course that a handful of organizations have taken in recent years, and it carries significant implications for the cybersecurity industry.

The plaintiff, Marquis, provides marketing and compliance solutions to more than 700 banks and credit unions, according to its website. On Aug. 14, a ransomware actor gained access to Marquis’s IT network and client data, including personally identifying information (PII) belonging to customers of some of its clients. Recent news reports have suggested that more than 780,000 people were impacted, though Dark Reading could not independently confirm that figure.

For a while, Marquis wasn’t aware of how hackers were able to get into its systems. Meanwhile, on Sept. 17, its firewall vendor, SonicWall, revealed that it had fallen victim to its own breach. Attackers gained access to SonicWall’s cloud backup service and stole customers’ firewall configuration files, which would have made for easy follow-on attacks against those customers. At the time, the security company claimed that only 5% of its customers were affected. On Oct. 8, though, it admitted that, in fact, all of its customers were impacted.

And Marquis took that personally. In a complaint filed with the US District Court for the Eastern District of Texas on Feb. 23, the company laid the blame for its attack on SonicWall and is now seeking damages.

In response to an inquiry from Dark Reading, Marquis shared a press release claiming that “Not only did SonicWall fail to disclose its compromise promptly, but the company assured Marquis that its firewall protection was not affected for a period of several weeks,” and “because SonicWall failed to timely disclose the full scope and severity of its breach, Marquis was prevented from mitigating the harm that resulted from the SonicWall breach.”

Meanwhile, a SonicWall spokesperson told Dark Reading that “At this time, we have not identified any technical evidence establishing a link between these events. Unfortunately, the customer filed a lawsuit without providing documentation to substantiate its allegations in advance. We are reviewing these claims now and are prepared to vigorously defend any unsubstantiated claims.”

Details aside, the lawsuit raises an important question: Who should bear the blame for a third-party data breach?

“Historically, most breach-related lawsuits have flowed from consumers or regulators toward the breached company, but this case highlights a growing shift: enterprises turning around and suing their cybersecurity vendors, managed service providers, and software suppliers for contribution, indemnification, or outright negligence,” says Bradley partner Erin Jane Illman. “That fundamentally changes the risk calculus for the industry. Vendors are no longer just technical partners — they are potential co-defendants.”

The Precedent for Suing Your Vendor

Though it’s exceedingly rare, relative to how often companies suffer data breaches through third-party vendors, Marquis isn’t the first company to try this course of action.

In 2018, for instance, a breach at email security vendor Barracuda Networks led to a breach of personal health information (PHI) from one of its clients, Zoll Services. Zoll sued Barracuda, but the US District Court for the District of Massachusetts ruled in Barracuda’s favor. Just a few months ago, in November 2025, Zoll’s appeal was also rejected.

There have also been variations on this theme. In 2014, a handful of banks pursued two separate lawsuits not only against Target — for its now infamous point-of-sale (PoS) breach — but also against Trustwave, which had apparently signed off on Target’s IT security shortly before the incident occurred. Those cases were withdrawn or otherwise petered out.

Jackson Stephens, senior cybersecurity counsel for Galactic Advisors, points to the 2023 MOVEit breach as another event that sparked a flurry of legal action.

“That breach resulted in dozens of lawsuits, many of which are still pending in court,” he says, adding that “suits against managed service providers (MSPs) and cybersecurity vendors are becoming more common.”

In the case of Marquis and SonicWall, he says, “these cases rarely go to trial — I suspect that the contract requires arbitration or mediation, and like most suits, ending in an undisclosed settlement.” But, he adds, a company like SonicWall could face any number of other legal challenges in the future, like “if SonicWall’s business customers had personal data leaked, those business customers could be sued by a class action of affected individuals. Those business customers will seek to shift the blame onto SonicWall.” Alternatively, SonicWall could be subject to enforcement actions from any number of government authorities.

Bradley’s Illman worries that Marquis might make an attractive example for other breach victims to follow. “This environment creates strategic incentives for executives,” she explains. “Faced with shareholder suits or regulatory scrutiny after a breach, leadership may be more inclined to shift blame downstream — arguing that a vendor’s tool failed, a patch was defective, or a managed service provider missed indicators of compromise.”

She adds, “That doesn’t eliminate executive responsibility, but it does open a new front of cross-claims and indemnity fights behind the scenes.”

The criteria for negligence remain a moving target. “Plaintiffs are probing theories like misrepresentation, failure to warn, negligent design, or overstated security claims to pierce those protections,” says Illman. And beyond that, “courts may begin to scrutinize how ‘reasonable cybersecurity’ is defined for a professional security provider. When a company sells security as its core product, the standard of care it’s held to could be materially higher than that of an ordinary enterprise IT department.”

Of course, there’s another way to look at a case like Marquis v. SonicWall. Organizations choose their vendors, and they have the power to shape the terms of those relationships, both in the initial contract and over the life of the engagement.

“It’s not uncommon for companies to engage vendors without doing appropriate due diligence to assess the cybersecurity of their vendors,” says Joseph Lazzarotti, an attorney with JacksonLewis. It’s also common, he notes, to have service level agreements (SLAs) that don’t adequately account for worst-case scenarios, such as the vendor itself being the cause of an attack.

If organizations are as careless in hiring vendors as they claim vendors are in protecting them, Lazzarotti says, “it could result in claims that the company was negligent in selecting a vendor and or monitoring that vendor, resulting in exposure of the company’s data or that of its consumers.”

This article was updated at 1:20 ET on Feb. 27, with statements from both Marquis and SonicWall.


Source: www.darkreading.com…