What Happened
Marquis, a fintech company serving financial institutions, suffered a ransomware attack that exposed personal information for at least 672,075 individuals. Rather than breaching each client directly, the attackers targeted the vendor and exploited the trusted business relationship to reach its customers' data.
In parallel, Caribbean Medical Center and NTBHA experienced breaches affecting 92,000 and 285,086 individuals, respectively, with notification letters delayed for months after the initial compromise.
These incidents weren't due to sophisticated zero-day exploits. Attackers exploited open doors: trusted vendor connections, identity platforms, and legitimate software packages.
Timeline
While specific dates for the Marquis incident are unavailable, a consistent pattern emerges across these breaches:
- Initial compromise through a trusted entry point (vendor system, identity platform, or supply chain)
- Attackers move laterally within the environment
- Detection occurs weeks or months later
- Organizations spend additional weeks investigating the scope
- Notification letters are sent to affected individuals
For NTBHA, notification letters were delayed for months, violating regulatory requirements and increasing liability.
Which Controls Failed or Were Missing
Network Segmentation Was Ineffective. Once inside Marquis's systems, attackers were able to move laterally to sensitive customer data. Your vendor's network architecture effectively became your own.
Third-Party Risk Management Was Inadequate. While agreements like BAAs were signed, there was no verification of Marquis's claimed controls. No one tested their segmentation or required evidence of phishing-resistant MFA for privileged access.
Weak Identity Controls. Reliance on passwords or SMS-based MFA left systems vulnerable. The Okta compromise highlights the risks of single sign-on platforms without hardware-based MFA, allowing attackers to pivot from one compromised credential to full access.
Perimeter-Focused Monitoring. Because monitoring assumed that threats originate outside the perimeter, SIEM systems likely logged vendor VPN connections as normal activity and missed the lateral movement, privilege escalation, and data exfiltration that followed.
Lack of Supply Chain Vulnerability Management. Vulnerabilities like CVE-2026-34841, with a score of 9.8, can exist in dependencies deep within your vendor's stack, exposing you to risks you may not be aware of.
Relevant Standards
PCI DSS v4.0.1 Requirement 1.3.1 mandates managing traffic between trusted and untrusted networks. Vendor connections aren't automatically "trusted"; segmentation is necessary to limit access.
Requirement 12.8.2 requires maintaining a list of third-party service providers (TPSPs) and documenting their data access. Requirement 12.8.4 mandates annual monitoring of TPSPs' PCI DSS compliance, requiring evidence of their segmentation controls.
ISO/IEC 27001:2022 Annex A.5.19 requires defining and agreeing on information security requirements with each supplier. Technical requirements, not vendor assurances, are essential.
NIST Cybersecurity Framework v2.0 GV.SC-01 emphasizes the need for established and managed cybersecurity supply chain risk management processes. Your team should have demanded Marquis's network architecture details and data flow information.
NIST 800-53 Rev 5 AC-4 requires controlling information flows based on approved authorizations. When connecting to a vendor, enforce boundaries with technical controls, not trust.
For healthcare organizations, HIPAA Security Rule § 164.308(b)(1) requires contracts with business associates to establish permitted PHI uses. § 164.308(a)(1)(ii)(D) mandates procedures to review information system activity records, including vendor actions with patient data.
Lessons and Action Items for Your Team
Implement Microsegmentation for Vendor Access. Restrict vendor access to isolated segments with explicit allow-lists for necessary systems and data. Use identity-aware proxies to verify user connections.
Require Phishing-Resistant MFA from Vendors. Update vendor agreements to mandate hardware security keys or passkeys for systems interacting with your data. SMS codes and authenticator apps are insufficient.
Build a Vendor Access Inventory. Document every third party with network access, API keys, or data processing rights. Include data access, authentication methods, segmentation controls, and security posture verification dates.
Deploy Deception Technology in Vendor-Accessible Segments. Use honeytokens and decoy systems to detect lateral movement from compromised vendor connections before attackers reach production data.
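The monitoring gap described under Perimeter-Focused Monitoring, the explicit allow-list in the microsegmentation item, and the decoys above all reduce to one question: is a vendor identity touching anything it was not approved to touch? The Python below is an added example, not code from the original article or from any vendor's product. The vendor service-account names, the approved-host allow-list, the decoy hostnames and the log lines are constructed, and the log format (timestamp, user, source host, destination host, action) is a hypothetical normalized feed rather than any specific SIEM's schema.

```python
"""Flag vendor access outside its approved segment and any touch of a decoy host.

Added example, not code from the original article. All names and log lines are
constructed for illustration.
"""
import re
from collections import Counter

# Constructed policy: the only hosts each vendor identity is approved to reach.
# The "svc-vendor-" prefix is a constructed naming convention for vendor accounts.
VENDOR_ALLOWLIST = {
    "svc-vendor-fintech": {"sftp-exchange-01", "api-gw-02"},
    "svc-vendor-payroll": {"hr-export-01"},
}

# Constructed decoys: hosts that exist only to be found. Any access is an alert.
HONEYTOKEN_HOSTS = {"fileshare-finance-bak", "db-cardholder-legacy"}

# Constructed log feed: timestamp user src_host dst_host action
SAMPLE_LOGS = """\
2024-01-01T02:14:07Z svc-vendor-fintech vpn-pool-17 sftp-exchange-01 connect
2024-01-01T02:15:12Z svc-vendor-fintech vpn-pool-17 api-gw-02 connect
2024-01-01T02:31:44Z svc-vendor-fintech vpn-pool-17 dc-01 connect
2024-01-01T02:32:09Z svc-vendor-fintech dc-01 db-cardholder-legacy connect
2024-01-01T02:33:50Z svc-vendor-fintech dc-01 admin-jump-01 privilege_escalation
2024-01-01T03:00:01Z svc-vendor-payroll vpn-pool-22 hr-export-01 connect
"""

LOG_PATTERN = re.compile(
    r"^(?P<time>\S+) (?P<user>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<action>\S+)$"
)


def parse_line(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LOG_PATTERN.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, allowlist, honeytokens):
    """Return one alert dict per rule violation; a single event may trigger several."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not ev["user"].startswith("svc-vendor-"):
            continue  # only vendor identities are in scope for these rules
        base = {"time": ev["time"], "user": ev["user"], "dst": ev["dst"]}
        # Decoy touched: high-confidence signal of lateral movement.
        if ev["dst"] in honeytokens:
            alerts.append({**base, "rule": "honeytoken_access"})
        # Destination not on the vendor's approved list (unknown vendors get an empty list).
        if ev["dst"] not in allowlist.get(ev["user"], set()):
            alerts.append({**base, "rule": "outside_allowlist"})
        # Vendor accounts should never need to escalate privileges in our environment.
        if ev["action"] == "privilege_escalation":
            alerts.append({**base, "rule": "privilege_escalation"})
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'outside_allowlist': 3, ...}."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = analyze(SAMPLE_LOGS, VENDOR_ALLOWLIST, HONEYTOKEN_HOSTS)
    for a in found:
        print(f"{a['time']} {a['rule']:22} {a['user']} -> {a['dst']}")
    print(summarize(found))
```

On the sample feed, the first two vendor connections and the payroll vendor's connection match policy and produce nothing, while the hop to dc-01, the decoy database and the privilege escalation each produce alerts. The point is that the allow-list does double duty: the same table that drives the segmentation policy becomes the baseline the detection compares against, so "vendor VPN traffic" is never logged as simply normal.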
Test Vendor Isolation Quarterly. Conduct tabletop exercises assuming a vendor compromise. Assess whether attackers can pivot to core systems or access unauthorized data. If they can, your segmentation needs improvement.
Monitor Supply Chain Vulnerabilities in Vendor Software. Require critical vendors to provide SBOMs for systems processing your data. When high-risk CVEs emerge, you need to know your vendors' exposure quickly.
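The vendor inventory, the MFA requirement and the SBOM item above can be backed by one small data model: a record per third party holding its access type, authentication method, the date its segmentation was last verified, and its SBOM. The Python below is an added example, not code from the article or from any real inventory or SCA tool. The vendor records, SBOM fragments and advisory are constructed; the SBOM fragments use a simplified CycloneDX-like JSON shape (a `components` array with `name` and `version`), and the advisory id is a labelled placeholder, not a real CVE.

```python
"""Vendor access inventory with stale-verification, MFA and SBOM exposure checks.

Added example, not code from the original article. Every record below is
constructed for illustration.
"""
import json
import re
from datetime import date

# Constructed advisory. The id is a placeholder, not a real CVE, and the
# component is fictional. Versions below fixed_in are treated as affected.
ADVISORY = {
    "id": "CVE-0000-PLACEHOLDER",
    "component": "example-pdf-render",
    "fixed_in": "4.2.0",
    "score": 9.8,
}

# Constructed SBOM fragments in a simplified CycloneDX-like JSON shape.
SBOM_VENDOR_A = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-pdf-render", "version": "4.1.7"},
    {"name": "acme-auth-lib", "version": "1.9.0"}
  ]
}"""
SBOM_VENDOR_B = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-pdf-render", "version": "4.2.0"},
    {"name": "acme-auth-lib", "version": "2.0.3"}
  ]
}"""

# Constructed inventory: one record per third party with access to our data.
VENDOR_INVENTORY = [
    {"vendor": "vendor-a-fintech", "access": ["sftp", "api"], "mfa": "fido2",
     "segmentation_verified": "2023-01-15", "sbom": SBOM_VENDOR_A},
    {"vendor": "vendor-b-payroll", "access": ["api"], "mfa": "passkey",
     "segmentation_verified": "2024-03-01", "sbom": SBOM_VENDOR_B},
    {"vendor": "vendor-c-print", "access": ["sftp"], "mfa": "totp",
     "segmentation_verified": "2024-05-20", "sbom": None},
]

# Phishing-resistant methods we accept from vendors (hardware keys or passkeys).
PHISHING_RESISTANT_MFA = {"fido2", "passkey"}


def parse_version(v):
    """Reduce a version string to a comparable 3-tuple of ints ('4.2.0-rc1' -> (4, 2, 0))."""
    parts = [int(x) for x in re.findall(r"\d+", v)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def sbom_components(sbom_json):
    """Return the components array from an SBOM document, or [] when none was provided."""
    return json.loads(sbom_json).get("components", []) if sbom_json else []


def exposed_vendors(inventory, advisory):
    """(vendor, component, version) for every SBOM that ships an affected version."""
    threshold = parse_version(advisory["fixed_in"])
    hits = []
    for rec in inventory:
        for comp in sbom_components(rec["sbom"]):
            if comp["name"] == advisory["component"] and parse_version(comp["version"]) < threshold:
                hits.append((rec["vendor"], comp["name"], comp["version"]))
    return hits


def stale_verifications(inventory, today_iso, max_age_days=365):
    """Vendors whose segmentation evidence is older than the annual review window."""
    today = date.fromisoformat(today_iso)
    return [rec["vendor"] for rec in inventory
            if (today - date.fromisoformat(rec["segmentation_verified"])).days > max_age_days]


def vendors_without_sbom(inventory):
    """Vendors for which exposure to any advisory is simply unknown."""
    return [rec["vendor"] for rec in inventory if not rec["sbom"]]


def weak_mfa_vendors(inventory):
    """Vendors still authenticating with something other than a hardware key or passkey."""
    return [rec["vendor"] for rec in inventory if rec["mfa"] not in PHISHING_RESISTANT_MFA]


if __name__ == "__main__":
    print("exposed to", ADVISORY["id"], ":", exposed_vendors(VENDOR_INVENTORY, ADVISORY))
    print("stale verification:", stale_verifications(VENDOR_INVENTORY, "2024-06-01"))
    print("no SBOM on file:", vendors_without_sbom(VENDOR_INVENTORY))
    print("weak MFA:", weak_mfa_vendors(VENDOR_INVENTORY))
```

The 365-day threshold mirrors the annual monitoring cadence of PCI DSS Requirement 12.8.4 noted above. The vendor with no SBOM on file is reported separately rather than treated as unaffected: when a high-severity advisory lands, "unknown" is the answer that should trigger a call to the vendor, not silence.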
The Marquis incident demonstrates that your security perimeter extends beyond your immediate environment. It's wherever your data flows, including your vendors' networks. Adapt your defenses accordingly.