Security News

Cybersecurity news aggregator

INFO News Dark Reading

Marquis v. SonicWall Lawsuit Ups the Breach Blame Game

  • What: Lawsuit over data breach involving SonicWall
  • Impact: Highlights legal implications of third-party security failures

When a company gets breached through a third-party security vendor, who should bear responsibility? For one FinTech company, the answer is the firewall provider.

Nate Nelson, Contributing Writer
February 26, 2026

A large fintech company is pinning the blame for its recent data breach on its firewall vendor and suing the vendor for damages. It's a line that some organizations have toed in recent years, and it carries significant implications for the cybersecurity industry.

The plaintiff, Marquis, provides marketing and compliance solutions to more than 700 banks and credit unions, according to its website. On Aug. 14, a ransomware actor gained access to Marquis's IT network and client data, including personally identifying information (PII) belonging to customers of some of its clients. Recent news reports have suggested that more than 780,000 people were impacted, though Dark Reading could not independently confirm that figure.

For a while, Marquis wasn't aware of how hackers were able to get into its systems. Meanwhile, on Sept. 17, its firewall vendor, SonicWall, revealed that it had fallen victim to its own breach. Attackers gained access to SonicWall customers' firewall configuration backup files, which would have made for easy follow-on attacks against those customers. At the time, the security company claimed that only 5% of its customers were affected. On Oct. 8, though, it admitted that, in fact, all of its customers were impacted.

And Marquis took that personally. In a complaint filed with the US District Court for the Eastern District of Texas on Feb. 23, the company laid the blame for its attack on SonicWall and is now seeking damages. It raises the question: Who should bear the blame for a third-party data breach?

"Historically, most breach-related lawsuits have flowed from consumers or regulators toward the breached company, but this case highlights a growing shift: enterprises turning around and suing their cybersecurity vendors, managed service providers, and software suppliers for contribution, indemnification, or outright negligence," says Bradley partner Erin Jane Illman. "That fundamentally changes the risk calculus for the industry. Vendors are no longer just technical partners — they are potential co-defendants."

The Precedent for Suing Your Vendor

Though it's exceedingly rare, relative to how often companies suffer data breaches through third-party vendors, Marquis isn't the first company to try this course of action.

In 2018, for instance, a breach at email security vendor Barracuda Networks led to a breach of personal health information (PHI) from one of its clients, Zoll Services. Zoll sued Barracuda, but the US District Court for the District of Massachusetts ruled in Barracuda's favor. Just a few months ago, in November 2025, Zoll's appeal was also rejected.

There have also been variations on this theme. In 2014, a handful of banks pursued two separate lawsuits not only against Target — for its now infamous point-of-sale (PoS) breach — but also Trustwave, which apparently co-signed Target's IT security just before the incident occurred. Those cases were withdrawn or otherwise petered out.

Jackson Stephens, senior cybersecurity counsel for Galactic Advisors, points to the MoveIT breach from 2023 sparking a flurry of legal action. "That breach resulted in dozens of lawsuits, many of which are still pending in court," he says.

"Suits against managed service providers (MSPs) and cybersecurity vendors are becoming more common," he thinks. In the case of Marquis and SonicWall, he says, "these cases rarely go to trial — I suspect that the contract requires arbitration or mediation, and like most suits, ending in an undisclosed settlement."

But, he adds, a company like SonicWall could face any number of other legal challenges in the future, like "if SonicWall's business customers had personal data leaked, those business customers could be sued by a class action of affected individuals. Those business customers will seek to shift the blame onto SonicWall." Alternatively, SonicWall could be subject to enforcement actions from any number of government authorities.

Legal Risk to Cybersecurity Providers

Bradley's Illman worries that Marquis might make an attractive example for other breach victims to follow.

"This environment creates strategic incentives for executives," she explains. "Faced with shareholder suits or regulatory scrutiny after a breach, leadership may be more inclined to shift blame downstream — arguing that a vendor's tool failed, a patch was defective, or a managed service provider missed indicators of compromise." She adds, "That doesn’t eliminate executive responsibility, but it does open a new front of cross-claims and indemnity fights behind the scenes."

The criteria for negligence remain a moving target. "Plaintiffs are probing theories like misrepresentation, failure to warn, negligent design, or overstated security claims to pierce those protections," says Illman. And beyond that, "courts may begin to scrutinize how 'reasonable cybersecurity' is defined for a professional security provider. When a company sells security as its core product, the standard of care it's held to could be materially higher than that of an ordinary enterprise IT department."

Of course, there's another way to look at a case like Marquis v. SonicWall. Organizations choose their vendors, and have the power to shape the terms of those relationships in contracts, and over time.

"It's not uncommon for companies to engage vendors without doing appropriate due diligence to assess the cybersecurity of their vendors," says Joseph Lazzarotti, an attorney with JacksonLewis. It's also common, he notes, to have service level agreements (SLAs) which don't adequately account for worst-case scenarios, like when the vendor is the cause of an attack.

If organizations are as careless in hiring vendors as they claim vendors are in protecting them, Lazzarotti says, "it could result in claims that the company was negligent in selecting a vendor and/or monitoring that vendor, resulting in exposure of the company's data or that of its consumers."

Neither Marquis nor SonicWall immediately returned a request for comment from Dark Reading.

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.