Two U.S. banks have come forward to warn customers they were impacted by an August ransomware attack on a popular financial software company.

Artisans' Bank and VeraBank informed regulators in Maine last week that recent data breaches were sourced back to a cyberattack on Marquis Software. The software company previously said it suffered a ransomware attack around August 14 that affected dozens of its corporate customers and thousands of downstream users. 

VeraBank explained in letters to victims that Marquis Software is their “customer communication and data analysis vendor.”

“They had access to your data to communicate relevant and necessary updates with you and also to analyze what bank products and services may best fit your needs,” the Texas-based bank said. “We only provided Marquis with access to your data after they had contractually agreed to secure and protect the same.”

In total, 37,318 people had information stolen but the letters omit what information was taken. 

Delaware-based Artisans' Bank said it was notified of the incident by Marquis Software in October and discovered that the names and Social Security numbers of 32,344 people were leaked as a result of the cyberattack. 

Both banks stressed the hackers never breached their own systems and only stole information “maintained by Marquis Software.”

VeraBank and Artisans' Bank are the latest financial institutions to come forward as downstream victims of the attack of Marquis Software, which provides data analytics, compliance solutions and digital marketing tools to hundreds of credit unions and banks across the U.S.

In its own notices about the incident, Marquis Software said it notified federal law enforcement about the incident after discovering the attack in August. 

An investigation traced the intrusion back to a vulnerability in its SonicWall firewall device. The company said the personal information stolen included names, addresses, phone numbers, Social Security numbers, taxpayer identification numbers, financial account information without security or access codes, and dates of birth.

Between October 27 and November 25, Marquis Software notified at least 74 banks, credit unions and financial institutions that their information was involved in the data breach. In addition to filing its own notices with regulators in Maine, South Carolina, Washington, Iowa and others, it provided breach notifications on behalf of several financial institutions.

Marquis Software did not respond to requests for comment about whether the number of financial institutions impacted has increased since then or how many total victims were affected. 

By compiling victim counts from multiple state breach registries, several law firms and cybersecurity researchers said the number of victims is likely between 788,000 and 1.35 million. 

Cybersecurity firm Comparitech also obtained a since-deleted breach notification letter from Iowa-based Community 1st Credit Union that claimed Marquis Software paid a ransom to the group behind the attack. 

The company did not respond to requests for comment about payment. No ransomware gang ever took public credit for the attack.