Three federal lawsuits filed in recent months describe how attackers allegedly accessed customer data held by two financial institutions and one non-bank lender, outlining a set of security and notification issues now common across the sector. The cases, Boutot v. Norway Savings Bank, Spohrleder v. CoVantage Credit Union, and Maggio v. Byzfunder NY LLC, focus on ransomware activity at a shared vendor, a direct system compromise, and the handling of customer information during and after the attacks.
The lawsuits are in early stages, but the complaints and notice letters provide a detailed look at how threat actors allegedly gained access to data and how institutions responded.
Ransomware litigation is reshaping financial services risk
“Financial institutions operate under some of the most rigorous regulatory cybersecurity expectations in the economy, and the strongest defense in these cases is demonstrating that the bank or credit union followed those layered regulatory requirements in real time through vendor-risk management, encryption of customer data, continuous monitoring, and documented incident-response protocols,” said Jacey Kaps, a cybersecurity litigator with RumbergerKirk.
“These cases frequently stem from third-party service providers rather than failures of a bank’s core systems, and courts increasingly focus on whether the institution exercised reasonable due diligence in selecting, auditing, and contractually restricting those vendors. When a financial institution can show proactive regulatory compliance, rapid investigation, and timely notice, that framework remains one of the most powerful ways to defend against negligence-based data breach claims.”
Vendor breach affects multiple institutions
Two of the cases, Boutot and Spohrleder, stem from a breach at Marquis Software Solutions, a data and marketing services provider used by hundreds of banks and credit unions. According to the complaint in the Norway Savings Bank case, Marquis notified the bank on Aug. 14, 2025, that an “external actor” had accessed portions of its data environment. The bank told customers in a mailed notice that its own internal systems were not involved but that Marquis stored customer information on its behalf.
The complaint in the Norway case states that Marquis paid a ransom after detecting the attack. It also alleges that stolen data later appeared on criminal marketplaces, suggesting the incident extended beyond the initial containment efforts described by the vendor.
The CoVantage complaint reports a similar timeline. It states that the credit union was also told on Aug. 14 that Marquis had experienced unauthorized activity and was beginning a forensic investigation to determine what information was accessed.
The data exposed allegedly included names, addresses, dates of birth, Social Security numbers, and financial account information. Norway listed those data types in the notice letter it sent to affected customers. CoVantage’s complaint reports a comparable set of exposed fields.
Notification timelines examined
Norway’s notice letter states that Marquis completed its investigation on Oct. 27, 2025, and that customer notifications were mailed on Nov. 21. The Spohrleder filing says CoVantage mailed notices on Nov. 26.
Both complaints argue that customers should have been informed sooner. The filings also point to the reliance on Marquis for forensic results, a dependency that affected the institutions’ timing.
Lending platform reports a separate system intrusion
The third case involves a different type of organization. In Maggio v. Byzfunder NY LLC, the complaint alleges that a threat actor gained access to Byzfunder’s internal systems rather than a vendor environment.
According to the complaint, Byzfunder discovered suspicious activity on Sept. 19, 2025, and later determined that an unauthorized party had accessed its systems between Sept. 1 and Sept. 20. The notice letter sent to affected individuals says files containing names and Social Security numbers were among those accessed.
Because the breach occurred in Byzfunder’s own environment, the complaint focuses on internal controls. It alleges that sensitive information was not encrypted, monitoring was inadequate, and notification letters did not fully describe what systems were affected or whether the incident had been contained.
Common patterns across the filings
Taken together, the three complaints highlight several issues facing financial services security teams.
Vendor concentration risk
Marquis appears in two of the cases as the entry point for attackers. The Norway complaint identifies Marquis as the third-party service provider storing customer information, while the CoVantage filing describes it as the credit union’s vendor for marketing and compliance functions. The shared reliance on a single provider widened the impact of the breach.
Exposure of identity-grade financial data
All three cases involve data useful in identity theft. The Norway and CoVantage filings describe exposure of full customer identity records, including Social Security numbers and account details. Byzfunder reported exposure of names and Social Security numbers. The Norway complaint cites publicly available research indicating that such data is routinely traded on criminal marketplaces.
Regulatory guidance as a litigation benchmark
The complaints reference federal cybersecurity publications as indicators of expected security measures. The Norway filing cites FBI and Secret Service ransomware-prevention guidance and Microsoft threat intelligence materials. Several filings also reference the Federal Trade Commission’s Protecting Personal Information guidance. While the documents are advisory, the complaints treat them as evidence of baseline expectations.
Notification clarity and timing challenges
All three lawsuits challenge the timing or clarity of customer notifications. The Norway and CoVantage filings target the timeline between discovery and notification. The Byzfunder complaint argues that the company’s notice did not provide sufficient detail for customers to assess their risk.
Claims of ongoing consumer harm
Each complaint states that customers spent time monitoring accounts, updating credentials, and responding to potential fraud. They also assert that customers experienced stress and inconvenience and lost control over their personal information. These types of claims are now common in data-breach litigation and often survive early procedural challenges.
What these cases mean for financial-sector security teams
The filings illustrate how data breaches in financial services are being evaluated in court records. Vendor environments remain a high-value target for attackers, especially when those vendors store identity data on behalf of multiple institutions. Direct compromises, such as the one reported by Byzfunder, continue to draw scrutiny of internal access controls, monitoring, and encryption practices.
The lawsuits also show that notification practices are receiving closer attention. Institutions that depend on third parties for forensic results may face timing challenges that are later questioned in litigation.
Checklist for ThreatLocker customers
Although this particular breach was via a third party, the risks of data compromise on your own systems are the same.
Storage Control
Leverage Storage Control policies to limit who, and what, can access files, folders, storage devices, and network shares, down to the most granular conditions. Expiration limits on policies ensure access is automatically revoked. Remember that without such controls, any application you launch has the same access to your data that you do.
Does your web browser need access to your financial network share? Does that browser extension require access to your sensitive HR documents? A common source of data leaks is via external storage. Should sensitive data be allowed to be written to USB storage? If so, what if that device is misplaced? Look at enforcing encryption on external storage.
Allowlisting & Ringfencing™
Use Allowlisting policies to block all application and process executables by default and apply Ringfencing to those that have been approved and explicitly allowed. This is especially valuable for preventing data exfiltration and protecting against Living Off the Land attacks.
If you use OneDrive, do you need to permit Dropbox or Google Workspace? If you use backup software X to back up your data, do you need to permit backup software Y? Every Windows machine has PowerShell. Does PowerShell need to see all of your data? Does PowerShell need unlimited internet access?
It is common for legitimate apps to be used for malicious exfiltration, and detection alone will not prevent “good” software from being used against you.
Elevation Control
Enforce Elevation Control to grant just-in-time access for every attempt to run an application as an administrator. Instantly approve or deny each incoming elevation request, per application. Do not compromise by elevating an entire user session; elevate only those applications that explicitly require it.
Data security
Prevent configuration creep from undoing your hardened local security settings with Config Manager. Settings are automatically maintained, without administrative intervention, on any endpoint with ThreatLocker installed. This gives you Group Policy-style rules without requiring regular access to a domain controller, which is ideal for remote users.
Achieve network segmentation with the dynamic ACLs of Network Control. Logical access boundaries can be defined along the same lines as your ThreatLocker computer groups and organizations.
Vulnerability and Patch Management
Highlight insecure or misconfigured security settings with Defense Against Configurations (DAC). The included health report metrics are displayed alongside a checklist explaining how to bring each security finding back into compliance and which security framework each finding maps to.
Patch Management does exactly as the name implies: manages and applies software patches without requiring a separate, dedicated solution. Patches are tested and maintained by ThreatLocker, ensuring they’re safe to automatically apply.
Incident response
Use Detect policies as a fully functional endpoint detection and response (EDR) solution to automatically alert on, monitor, and act against suspicious endpoint behavior, using dozens of configurable conditions. Extend those policies into M365 tenants with the integration built into the ThreatLocker web portal.
When specifically looking at data exfiltration, a common indicator of compromise is a web browser reading an excessive number of files. Define a limit and take action automatically. For example, if a browser reads more than 50 files in one hour, this could indicate data being uploaded to the cloud. When this limit is reached, automatically enforce Ringfencing to stop this activity and immediately block all administrative tools.
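As an added illustration of the browser-read threshold described above (example code written for this page, not ThreatLocker's own detection logic), here is a small sliding-window rule run over constructed file-read events; the browser process names and the (timestamp, process, path) log layout are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule from the text: more than 50 file reads by a browser within one hour.
MAX_READS = 50
WINDOW = timedelta(hours=1)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed process names


def find_bulk_readers(events, max_reads=MAX_READS, window=WINDOW, watched=BROWSERS):
    """Sliding-window count of file reads per browser process.

    `events` is an iterable of (timestamp, process_name, path) tuples sorted by time.
    Returns one alert per process the first time its reads within `window`
    exceed `max_reads`; that is the point at which a blocking policy would fire.
    """
    recent = defaultdict(deque)   # process -> timestamps of reads still inside the window
    alerted = set()
    alerts = []
    for ts, proc, path in events:
        if proc.lower() not in watched:
            continue              # only browser reads are in scope for this rule
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop reads older than one hour
        if len(q) > max_reads and proc not in alerted:
            alerted.add(proc)
            alerts.append({"process": proc, "at": ts,
                           "reads_in_window": len(q), "last_path": path})
    return alerts


def sample_events():
    """Constructed sample log (not from any real system)."""
    t0 = datetime(2025, 9, 1, 9, 0)
    events = []
    # A word processor reads 10 HR documents over the morning: not a browser, ignored.
    for i in range(10):
        events.append((t0 + timedelta(minutes=5 * i), "winword.exe", f"\\\\fs01\\hr\\doc{i}.docx"))
    # Edge reads 5 downloads per hour for 3 hours: stays under the threshold.
    for h in range(3):
        for i in range(5):
            events.append((t0 + timedelta(hours=h, minutes=i), "msedge.exe", f"C:\\Downloads\\f{h}{i}.pdf"))
    # Chrome reads 60 spreadsheets from the finance share in 30 minutes: should alert.
    for i in range(60):
        events.append((t0 + timedelta(hours=4, seconds=30 * i), "chrome.exe", f"\\\\fs01\\finance\\q{i}.xlsx"))
    return sorted(events, key=lambda e: e[0])
```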
Finally, rely on the centralized logging of the Unified Audit to investigate anomalies such as unapproved software executions. Generate regular review reports for auditing and compliance evidence.
Executive-level readiness checklist for CISOs
Have a defined incident response plan that includes what to do in the event of a third-party breach that impacts your organization and/or your customers. Make sure this includes how and when to inform them.
- If possible, review vendor compliance documents to get an understanding of where data is stored and if third parties are involved
- Securely share sensitive data, and only share what is needed
- Regularly audit access control lists for both internal resources and third-party or cloud services
Frequently asked questions
Why are vendors frequently involved in financial services ransomware cases?
Financial institutions rely heavily on third-party vendors for marketing, compliance, and data processing. When those vendors store sensitive customer data, a single breach can affect hundreds of institutions at once, increasing legal exposure.
What customer data is most likely to drive litigation after a ransomware attack?
Data such as Social Security numbers, financial account details, dates of birth, and full identity records is most likely to lead to lawsuits because it creates long-term identity theft and fraud risk.
How do notification delays affect ransomware lawsuits?
Courts examine how long institutions took to notify customers after discovering a breach. Delays caused by extended forensic investigations or vendor dependencies are often challenged as unreasonable.
Why does encryption matter in ransomware litigation?
If sensitive data is encrypted at rest and in transit, plaintiffs have a harder time proving that exposed data was usable by attackers, which can significantly weaken negligence claims.
How do courts evaluate vendor risk management after a breach?
Courts look for evidence that financial institutions conducted due diligence, imposed contractual security requirements, monitored vendors, and responded promptly once a vendor breach was identified.
What controls help reduce ransomware liability in financial services?
Controls such as application allowlisting, least-privilege access, encryption, continuous monitoring, and documented incident-response plans help institutions demonstrate reasonable security practices.