Ransomware attack prompts customer to file lawsuit against SonicWall over firewall vulnerability


A major legal battle is unfolding after a ransomware incident involving SonicWall has prompted one of its customers to file suit over a firewall vulnerability that allegedly exposed sensitive data.

What Happened?

According to reports, the Akira Ransomware gang targeted SonicWall’s backup server infrastructure, stealing customer-related data during an attack that took place between July and August 2025.

Initially, in mid-September 2025, SonicWall stated that approximately 5% of its customers were affected. However, following a more detailed internal review in October, the company reportedly acknowledged that all its customers using its backup servers were impacted.

SonicWall later attributed the breach to a configuration error in its firewall APIs dating back to February 2025, which created a vulnerability that was eventually exploited by the attackers.

The Lawsuit

Fintech firm Marquis has filed a lawsuit in a Texas district court against SonicWall, alleging that the company failed to adequately safeguard critical customer information.

According to the complaint, attackers stole personally identifiable information (PII) of over 400,000 of its customers, including:

•    Dates of birth
•    Full names
•    Postal addresses
•    Debit and credit card information
•    Social Security numbers

Marquis claims the breach caused:

•    Financial losses
•    Operational disruptions
•    Reputational damage
•    Erosion of customer trust

The firm argues that SonicWall’s failure to secure its firewall APIs directly enabled the breach.

SonicWall’s Response

SonicWall has stated it is still investigating the matter and is currently seeking legal counsel before commenting directly on the lawsuit. The company maintains that the breach resulted from a configuration issue rather than a deliberate failure of its core security architecture.

Broader Implications

This case underscores several important cybersecurity and legal themes:

1.    Third-Party Risk Exposure – Even security vendors can become single points of failure.

2.    Disclosure Accuracy – Early breach impact estimates can shift significantly after forensic investigations.

3.    Data Protection Liability – Companies may face litigation not only from affected individuals but also from business customers.

4.    Regulatory Scrutiny – Depending on the data involved, additional compliance and reporting obligations may arise.

If the case proceeds, it could set an important precedent regarding vendor liability in cybersecurity incidents, particularly when the affected organization is itself a security provider.

More updates are expected as court filings and investigative findings become public.


Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
