THE ECHO
One story. Gone deep.
Your Vendor's Vendor Just Became Your Problem
In August, a ransomware gang breached Marquis Software Solutions — a fintech serving 700+ banks and credit unions. They stole SSNs, financial data, and personal information for 823,000 consumers across 80 institutions.
Marquis didn't get popped through their own mistake.
Earlier in 2025, SonicWall suffered a breach of their cloud backup service. Marquis stored their firewall configs there. SonicWall initially claimed fewer than 5% of customers were affected. They later revised that to everyone.
Attackers used credentials from SonicWall's breach to walk through Marquis's firewall. They bypassed MFA with pre-patch credentials. Marquis paid a ransom. Now they're suing SonicWall.
This is a three-layer trust failure:
Bank → Marquis → SonicWall → SonicWall's cloud
Every layer assumed the one beneath was secure. Every vendor answered questionnaires correctly. Every contract had indemnification clauses. None of it mattered — the credentials were already in attackers' hands.
Your vendor risk program probably stops at layer one. You vet your vendors. Maybe you ask about their vendors. But when your firewall vendor hosts your configs in their cloud, and that cloud gets breached, you're exposed through a path you never mapped.
Patching wasn't enough. MFA wasn't enough. The mitigation was clear — rotate credentials after patching. Most didn't. Akira ransomware knew that.
The lesson isn't "vet harder." Vendor risk isn't a checklist — it's a system. Systems fail in ways checklists don't anticipate.
Eighty banks are now explaining to customers why their SSNs are in the wind. Somewhere, a security leader is wondering how deep their own vendor trust actually goes.
Sources: TechCrunch, The Record, American Banker
SIGNAL CHECK
What else matters this week.
ShinyHunters Goes Voice — The data theft group pivoted to vishing, targeting SSO providers at 100+ companies. Panera (14M records), Match Group, and Bumble confirmed hit. When attackers call your help desk as "employees," MFA doesn't help. via Cyberscoop
Phishing From Real Microsoft Emails — Attackers abuse Power BI subscriptions to send scams from legitimate Microsoft addresses, bypassing every filter. No malicious links — the scam happens via phone callback. via Ars Technica
Cisco UCM Zero-Day in the Wild — CVE-2026-20045, critical RCE in Unified Communications Manager (CVSS 8.2), now on CISA's KEV list. Patch available. If you run UCM, this is your weekend. via CISA KEV
"Less Regulation" Era Begins — New National Cyber Director signals pivot from mandatory frameworks to voluntary partnerships. Ironic timing: major telecoms are blocking congressional investigators from understanding Salt Typhoon's scope. Voluntary only works when everyone volunteers. via Cyberscoop
THE NOISE
Not every signal needs action.
"82% of Hackers Now Use AI" — Bugcrowd's headline stat is making rounds. The reality: researchers use ChatGPT to write reports and brainstorm — not deploy autonomous exploit bots. The actual finding buried in the report? 65% have not reported a valid bug because there was no disclosure pathway. That's the story.
ONE QUESTION
No answer. Just the question.
How many layers deep does your vendor trust go before you lose visibility — and is that number lower than your attackers'?
Michael Faas is a fractional CTO/CISO helping growth-stage companies navigate complexity without building bloated security programs. More at echocyber.io.