Data Breaches and Ransomware: Marquis & Navia Incidents Highlight Third-Party Risk

The digital economy, for all its unparalleled efficiency and interconnectedness, harbors an increasingly sophisticated and insidious threat: the weaponization of supply chain vulnerabilities by ransomware syndicates. March 2026 cast a stark light on this precarious reality with two monumental data breaches at fintech firm Marquis and employee benefits administrator Navia. These incidents, affecting millions of individuals and exposing highly sensitive personal and financial data, underscore that the battleground for cybersecurity has decisively shifted. Attackers are no longer merely targeting endpoints; they are systematically compromising the control planes and trusted third-party services that form the bedrock of our digital infrastructure.
The Marquis Breach: A Cascading Ransomware Nightmare for Financial Services
The Marquis data breach, disclosed in March 2026 but originating from an August 2025 ransomware attack, serves as a chilling testament to the systemic exposure introduced by third-party vendors in the financial sector. Marquis, a Texas-based provider of marketing and compliance solutions, found itself at the nexus of a cybersecurity crisis that rippled across more than 74 banks and credit unions, ultimately impacting approximately 672,000 individuals.
Technical Dissection of the Attack
The initial vector for the Marquis breach was a ransomware attack that exploited a vulnerability within the company’s SonicWall firewall system. However, the technical details reveal a more complex and concerning chain of events, highlighting a severe supply chain vulnerability. Investigations indicated that the attackers did not breach Marquis’s systems through a zero-day or unpatched firewall flaw directly, but rather by utilizing sensitive information obtained from firewall configuration backup files.
These critical configuration files, which contained detailed blueprints of Marquis’s security environment, including exposed credentials and unencrypted multi-factor authentication (MFA) scratch codes, were allegedly stolen months prior during a separate, unauthorized intrusion into SonicWall’s “MySonicWall” online customer portal in February 2025. By possessing these legitimate emergency bypass tools, the threat actors were able to seamlessly circumvent Marquis’s multi-factor authentication protocols, gaining an open door for network reconnaissance and massive data exfiltration.
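The weakness described above is that bypass codes sitting in the clear inside a configuration backup are immediately usable by whoever obtains the backup. The following added example (constructed for this article, not SonicWall or Marquis code, and using hypothetical 8-digit codes) shows the defensive alternative: keep only a salted, slow hash of each scratch code, burn a code once it is redeemed, and check that a serialized backup leaks no plaintext.

```python
# Added, generic illustration: scratch (emergency bypass) codes stored only as
# salted PBKDF2 hashes, so a leaked configuration backup contains nothing that
# logs in. Code format, round count and store layout are assumptions.
import hashlib
import hmac
import secrets
from typing import Dict, List

PBKDF2_ROUNDS = 100_000  # slow hash: 8-digit codes have too little entropy for a plain hash


def generate_scratch_codes(count: int = 5) -> List[str]:
    """Fresh single-use codes, shown to the user once and never stored in the clear."""
    return [f"{secrets.randbelow(10**8):08d}" for _ in range(count)]


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def store_scratch_codes(codes: List[str]) -> List[Dict[str, object]]:
    """What goes into the config/backup: per-code salt, hash and used flag, no plaintext."""
    store: List[Dict[str, object]] = []
    for code in codes:
        salt = secrets.token_bytes(16)
        store.append({"salt": salt.hex(), "hash": _hash_code(code, salt).hex(), "used": False})
    return store


def redeem_scratch_code(store: List[Dict[str, object]], candidate: str) -> bool:
    """Constant-time comparison against every unused entry; burn the entry on success."""
    for entry in store:
        if entry["used"]:
            continue
        expected = bytes.fromhex(str(entry["hash"]))
        actual = _hash_code(candidate, bytes.fromhex(str(entry["salt"])))
        if hmac.compare_digest(actual, expected):
            entry["used"] = True
            return True
    return False


def backup_contains_plaintext(store: List[Dict[str, object]], codes: List[str]) -> bool:
    """Check a backup reviewer can run: does the serialized store contain any live code?"""
    serialized = repr(store)
    return any(code in serialized for code in codes)
```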
The stolen data was a treasure trove for identity thieves, encompassing:
- Full names and addresses
- Dates of birth
- Social Security numbers (SSNs)
- Taxpayer Identification Numbers
- Financial account information, including payment card numbers and bank account numbers
Such comprehensive financial identity data is precisely the kind that enables long-term account takeover, fraudulent loans, and tax refund theft, posing significant and lasting risks to affected individuals. While no cybercrime group has officially claimed responsibility, security researchers widely speculate the Akira ransomware group was behind the attack, given their known campaigns targeting SonicWall devices. Adding another layer of complexity, an Iowa credit union’s now-removed breach notice suggested Marquis paid a ransom, a claim the fintech firm has yet to confirm. Marquis has since filed a lawsuit against SonicWall, accusing the cybersecurity company of gross negligence and misrepresentation.
The Navia Breach: API Vulnerabilities Expose Millions
Separately, and no less impactful, Navia, a Washington-based provider of employee benefits administration services, disclosed a data breach affecting nearly 2.7 million individuals. The incident, discovered on January 23, 2026, revealed that unauthorized access to Navia’s systems occurred between December 22, 2025, and January 15, 2026. Notification letters began going out to affected individuals on March 18, 2026.
The Role of API Exploitation
Unlike the Marquis incident, the Navia breach was attributed to the exploitation of a vulnerability in an Application Programming Interface (API) used by the organization. Specifically, a “Broken Object Level Authorization” flaw was identified as the likely entry point. This allowed an unauthorized third party to obtain read-only access to participant data, enabling data exfiltration without directly altering systems or moving funds, thus delaying immediate detection. There was no evidence of system-wide encryption or ransomware involvement in this particular incident.
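A Broken Object Level Authorization flaw of the kind named above is an endpoint that verifies the caller is logged in but never verifies that the requested object belongs to that caller. The following added example (constructed for this article, not Navia's code; the participant records, employer IDs and session shape are hypothetical) places the vulnerable handler beside its hardened form and includes the check a reviewer can use to measure how much of the ID space one session can read.

```python
# Added example of the BOLA pattern: authentication without an object-level
# ownership check. Records, IDs and the Session shape are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Participant:
    participant_id: int
    employer_id: int   # the tenant (employer) the record belongs to
    ssn_last4: str


@dataclass(frozen=True)
class Session:
    """An authenticated API caller and the single employer it administers."""
    subject: str
    employer_id: int


# Constructed records: employer 7 has two participants, employer 9 has one.
PARTICIPANTS: Dict[int, Participant] = {
    1001: Participant(1001, 7, "1234"),
    1002: Participant(1002, 7, "5678"),
    2001: Participant(2001, 9, "9012"),
}


def get_participant_vulnerable(session: Session, participant_id: int) -> Optional[Participant]:
    """BOLA: the session is valid, so the record is returned whoever owns it.
    Any one authenticated caller can read every tenant's records by ID."""
    return PARTICIPANTS.get(participant_id)


def get_participant_hardened(session: Session, participant_id: int) -> Optional[Participant]:
    """Object-level check: the record must belong to the caller's employer.
    'Not yours' and 'does not exist' both yield None, so the ID space cannot
    be mapped by telling a 403 apart from a 404."""
    record = PARTICIPANTS.get(participant_id)
    if record is None or record.employer_id != session.employer_id:
        return None
    return record


def readable_ids(handler: Callable[[Session, int], Optional[Participant]],
                 session: Session, candidate_ids: Iterable[int]) -> List[int]:
    """Reviewer check: which IDs one session can read through a handler.
    Compare the result with what that session is actually entitled to."""
    return [pid for pid in candidate_ids if handler(session, pid) is not None]
```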
The extensive personal data compromised in the Navia breach included:
- Full names and dates of birth
- Social Security numbers
- Phone numbers and email addresses
- Navia ID numbers and employee IDs
- Health plan information, including participation in Health Reimbursement Arrangements (HRAs), Flexible Spending Accounts (FSAs), and COBRA enrollment
Navia confirmed that direct financial account numbers, payment card information, and actual claims data were not exposed. However, the presence of Social Security numbers and detailed health plan information still poses a significant risk for targeted phishing, social engineering campaigns, and various forms of identity fraud. In response, Navia has implemented additional security measures, including strengthening API authorization, enabling multi-factor authentication, tightening data access controls, and initiating a policy of deleting unused data for inactive accounts. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.
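Because the Navia access was read-only, nothing was altered and no funds moved, which is why it went unnoticed for weeks. The following added example (constructed for this article, not Navia's tooling; the log format and lines are invented) shows one detection heuristic over API access logs: a single principal reading many distinct participant objects within a short window while issuing no writes at all.

```python
# Added detection example for quiet read-only scraping through an API.
# Log format, sample lines and thresholds are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) subject=(?P<subject>\S+) (?P<method>[A-Z]+) "
    r"/api/participants/(?P<obj>\d+) (?P<status>\d{3})$"
)

# Constructed sample log: one normal administrator session and one session walking IDs.
SAMPLE_LOG = """\
2026-01-05T09:00:01Z subject=hr@tenant7 GET /api/participants/1001 200
2026-01-05T09:00:40Z subject=hr@tenant7 PUT /api/participants/1001 200
2026-01-05T09:01:10Z subject=hr@tenant7 GET /api/participants/1002 200
2026-01-05T09:02:00Z subject=svc-export GET /api/participants/2001 200
2026-01-05T09:02:01Z subject=svc-export GET /api/participants/2002 200
2026-01-05T09:02:02Z subject=svc-export GET /api/participants/2003 200
2026-01-05T09:02:03Z subject=svc-export GET /api/participants/2004 200
"""


def flag_read_only_scrapes(log_text: str, window: timedelta = timedelta(minutes=5),
                           max_distinct_objects: int = 3) -> Dict[str, int]:
    """{subject: distinct objects read} for subjects that read more than
    max_distinct_objects distinct objects inside one window without a single write."""
    events: Dict[str, list] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # unparseable lines are skipped, never counted as benign reads
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events[m["subject"]].append((ts, m["method"], int(m["obj"])))
    flagged: Dict[str, int] = {}
    for subject, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            if any(method != "GET" for _, method, _ in span):
                continue  # writes in the window are what a real admin session mixes in
            distinct = len({obj for _, _, obj in span})
            if distinct > max_distinct_objects:
                flagged[subject] = max(flagged.get(subject, 0), distinct)
    return flagged
```

The threshold and window are deliberately small so the sample triggers; in production they would be tuned against each integration's normal read rate.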
The Evolving Landscape: Ransomware and Third-Party Risk in 2026
These incidents at Marquis and Navia are not isolated events but symptomatic of a broader, more aggressive cyber threat landscape. In 2026, ransomware remains a top cybersecurity threat, particularly for financial institutions. Surveys indicate that 65% of financial organizations were hit by ransomware in 2024, a slight increase from the previous year. Fintech companies, with their access to sensitive customer data and critical financial operations, are uniquely vulnerable.
The Pervasive Threat of Supply Chain Attacks
The common thread weaving through these breaches is the exploitation of supply chain and third-party vulnerabilities. Over the past five years, major supply chain and third-party breaches have quadrupled, fundamentally expanding attackers’ reach. IBM’s X-Force Threat Intelligence Index 2026 highlights a significant shift in adversary behavior: rather than a direct frontal assault on a well-defended organization, attackers are increasingly targeting interconnected systems and trusted integrations, such as vendors, open-source dependencies, and APIs. More than 60% of data breaches now involve third-party vendors, making them a primary entry point for cybercriminals. This trend is exacerbated by a “Confidence Paradox,” where 90% of leaders are confident their business could continue operations during a vendor breach, yet 86% express deep concern about supply chain risks. Furthermore, a staggering 78% of organizations admit their internal cybersecurity programs cover less than 50% of their total vendor ecosystem, leaving significant blind spots.
Targeting the Digital Control Plane
Both the Marquis and Navia breaches exemplify how attackers are increasingly targeting the “control planes” of the digital economy. For Marquis, it was the compromise of firewall configuration backups and MFA bypass codes through a third-party vendor’s portal. For Navia, it was an API vulnerability that granted unauthorized read-only access to millions of sensitive records. These are not merely endpoint compromises; they are attacks on the very mechanisms that manage and secure digital access and operations, offering broad systemic exposure.
Regulatory Imperatives and Escalating Consequences
The ramifications of such breaches are severe, extending beyond immediate financial losses to long-term reputational damage and mounting regulatory pressure. The average cost of a data breach in the US surged to $10.22 million in 2025. Beyond the direct costs, individuals face profound risks, including identity theft, fraudulent financial activity, and targeted social engineering attacks.
The regulatory landscape is also evolving rapidly. Effective January 1, 2026, California’s SB 446 mandates businesses to notify affected residents within 30 calendar days of discovering a data breach and the Attorney General within 15 calendar days of consumer notification. This compressed timeline demands robust incident response capabilities and comprehensive data mapping to quickly identify affected individuals and data types. While HIPAA allows 60 days for healthcare organizations and the SEC requires public companies to disclose material breaches within four business days, the trend is towards stricter, more immediate reporting across all sectors.
Fortifying Defenses: Strategies for a Resilient Future
In this interconnected threat environment, organizations must adopt a holistic and proactive approach to mitigate the risks of data breaches, ransomware, and third-party vulnerabilities. The following best practices are paramount:
Comprehensive Third-Party Risk Management (TPRM)
TPRM must evolve from a mere compliance checklist to a continuous, intelligence-driven process.
- Pre-Engagement Due Diligence: Thoroughly vet all vendors before onboarding, including reviewing security certifications (e.g., ISO 27001, SOC 2), penetration test results, incident history, and risk ratings.
- Continuous Monitoring: Move beyond static, point-in-time assessments to real-time, automated monitoring of critical suppliers. This continuous visibility helps detect emerging threats before they escalate.
- Contractual Clarity: Ensure robust contractual agreements that clearly define security expectations, incident response protocols, and accountability for data protection.
- Automated Assessments: Leverage AI and automation for risk assessments to scale efforts across a growing vendor ecosystem, addressing the “Glaring Blind Spots” identified in recent reports.
Strengthening Access Controls and Authentication
Robust identity and access management are non-negotiable, especially for third-party access.
- Principle of Least Privilege (PoLP): Grant third-party users and internal employees access strictly on a “need-to-know” and “just-in-time” basis, limiting permissions only to systems and data essential for their roles.
- Multi-Factor Authentication (MFA): Mandate MFA for all access, particularly for third-party and privileged accounts. This adds a crucial layer of security, significantly hindering unauthorized access even if credentials are compromised.
- Zero Trust Architecture: Adopt a Zero Trust security framework, assuming no entity (internal or external) can be trusted by default. Every request to access systems should be thoroughly authenticated, authorized, and encrypted.
- Secure Remote Access: Implement secure remote access solutions with session isolation, monitoring, and robust logging capabilities, moving away from less secure methods like traditional VPNs for third-party access.
Proactive Cybersecurity Hygiene and Incident Response
A strong internal security posture is the first line of defense, even against supply chain attacks.
- Regular Patching and Updates: Keep all systems, software, and firewalls updated to the latest versions to patch known vulnerabilities promptly.
- Network Segmentation: Divide networks into isolated segments to contain the lateral movement of ransomware and limit the blast radius of a breach.
- API Security: Implement rigorous controls on all third-party integrations and APIs, including regular auditing for vulnerabilities like Broken Object Level Authorization flaws.
- Data Minimization and Deletion: Adopt policies for deleting unused data and retaining only what is strictly necessary, reducing the volume of sensitive information exposed in a breach.
- Robust Backup and Recovery: Maintain frequent, isolated, and encrypted backups of critical data, ensuring they are disconnected from the network to prevent ransomware encryption.
- Employee Education: Continuously train employees on ransomware threats, phishing identification, strong password practices, and reporting suspicious activity.
- Comprehensive Incident Response Plan: Develop and regularly test a detailed incident response plan for both direct attacks and third-party compromises, establishing clear escalation protocols to ensure rapid response and minimize remediation lag.
Conclusion
The data breaches at Marquis and Navia in March 2026 serve as an unequivocal wake-up call for organizations globally. They are stark reminders that in an era of hyper-connectivity, an organization’s security perimeter extends far beyond its own walls, encompassing every third-party vendor, software provider, and API integration. The rising tide of data breaches and ransomware, coupled with the increasing sophistication of supply chain attacks targeting digital control planes, necessitates a fundamental re-evaluation of cybersecurity strategies.
Moving forward, businesses must treat third-party risk management not as an afterthought but as a central pillar of their overall security posture. This requires continuous vigilance, the adoption of advanced security technologies like AI-driven risk assessments, and an unwavering commitment to best practices in access control, authentication, and incident response. Only by proactively addressing these systemic vulnerabilities can industries protect sensitive data, maintain operational resilience, and safeguard the trust of millions of individuals in our increasingly interconnected digital world.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


