- Key insight: Supply chain vulnerabilities emerged as the primary vector for banking breaches in 2025, often bypassing direct institutional defenses.
- Supporting data: 700Credit’s API breach exposed data for 5.8 million consumers, while the TransUnion breach affected approximately 4.5 million individuals.
- What’s at stake: Ransomware attacks like the one on Marquis Software Solutions can cascade, impacting hundreds of community banks via a single vendor.
Overview bullets generated by AI with editorial review
Processing Content
Third-party vendor vulnerabilities and sophisticated social engineering campaigns defined the cybersecurity landscape for financial institutions in 2025.
From specialized software providers to major credit bureaus, attackers frequently bypassed internal bank defenses by targeting the supply chain.
Although any data breach can affect banks, which must defend against fraudsters exploiting stolen identity data, this article lists the largest data breaches that directly affected the banking and financial services industry in 2025.
1. Prosper Marketplace
Within the financial services industry, the largest breach of the year affected peer-to-peer lender Prosper Marketplace.
In September, shortly after Prosper discovered the breach, class action attorneys began courting potentially affected customers to be litigants. At the time, media outlets reported more than 10 million customers had been affected, but Prosper said at the time its investigation into the exact number was ongoing.
On Nov. 26, the company completed its investigation. In the end, the company found 13.1 million individuals were affected, a spokesperson told American Banker. The company began sending notifications to affected customers on Dec. 9.
- Number of individuals affected: 13.1 million records, according to a spokesperson for Prosper
- When the breach happened: From June to August
- When Prosper discovered the breach: Sept. 1
- When the breach was reported: Prosper began notifying affected customers on Dec. 9.
- Root cause: Data containing personal information was obtained through queries on company databases.
- Threat actor: Attributed to threat actor Hiron by Have I Been Pwned, a service that collects breached data to help individuals determine whether their identity information has been compromised. The threat actor does not appear to have a history of any other, major data breaches.
- Company statement: “There was no evidence of unauthorized access to customer accounts and funds, and our customer-facing operations continue uninterrupted,” a Prosper spokesperson said. “Additionally, we continuously monitor accounts, which have strong safeguards in place to protect your fund.”
2. 700Credit
- Number of individuals affected: Approximately 5.8 million
- When the breach happened: Between Oct. 25 and Oct. 27, though attackers had access to a partner’s system as early as July
- When 700Credit discovered the breach: Oct. 25
- When the breach was reported: 700Credit began notifying dealers on Nov. 21.
- Root cause: Attackers exploited a vulnerability in an application programming interface, or API, belonging to 700Credit. The attackers first compromised an unnamed third-party partner to view communication logs, which revealed valid credentials and decryption keys. 700Credit failed to validate consumer reference IDs, allowing the attackers to launch a “velocity attack” that scraped data from unrelated accounts.
- Company statement: “We weren’t validating the consumer reference IDs to the original requestor,” said Ken Hill, 700Credit managing director, according to a CBT News interview. “We believe we’ve secured the data.” Hill conducted multiple interviews and public webinars with media outlets and compliance firms in the wake of the data breach.
The National Automobile Dealers Association, or NADA, coordinated with the Federal Trade Commission to allow 700Credit to file a consolidated breach notice on behalf of affected dealers to reduce the regulatory burden.
3. TransUnion
Christopher Dilts/Bloomberg
The credit reporting agency
- Number of individuals affected: 4.5 million
- When the breach happened: July 28
- When TransUnion discovered the breach: July 30
- When the breach was reported: TransUnion publicly disclosed the breach on Aug. 28.
- Root cause: Unauthorized access to a third-party application used for consumer support operations. While TransUnion did not name the vendor, Google Threat Intelligence linked similar social engineering attacks to Salesforce systems, although Salesforce stated its platform was not compromised.
- Threat actor: Google researchers linked the tactics to ShinyHunters, a group known for vishing (voice phishing) campaigns.
- Company statement: The incident involved “limited personal information for a very small percentage of U.S. consumers,” according to a TransUnion spokesperson. The spokesperson added that the company “quickly contained the issue, which did not involve our core credit database or include credit reports.”
4. Marquis Software Solutions
Carter Pape/American Banker
A ransomware attack on Marquis Software Solutions, a vendor providing marketing and compliance services to financial institutions,
- Number of individuals affected: At least 400,000 consumers across more than 70 banks and credit unions
- When the breach happened: Aug. 14
- When Marquis discovered the breach: Aug. 14
- When the breach was reported: Marquis began notifying client financial institutions on Oct. 27.
- Root cause: An unauthorized third party accessed the network through a vulnerability in a SonicWall firewall. Security researchers linked the attack to a specific vulnerability (CVE-2024-40766) in SonicWall VPN devices.
- Threat actor: Cybersecurity researchers observed the Akira ransomware group exploiting the SonicWall vulnerability.
- Company statement: “The investigation revealed that an unauthorized third party accessed Marquis’ network on August 14, 2025, and may have acquired certain files from its systems,” according to a letter from Steve Wernikoff, legal counsel for Marquis.
- Other information: One affected client, Community 1st Credit Union, disclosed in an email to the Iowa attorney general that Marquis made a ransomware extortion payment shortly after Aug. 14.
5. LexisNexis Risk Solutions
The risk management data and software company, which provides anti-money-laundering and other services to financial institutions, experienced a breach stemming from a software development platform.
- Number of individuals affected: 364,333
- When the breach happened: Dec. 25, 2024
- When LexisNexis Risk Solutions discovered the breach: April 1, 2025
- When the breach was reported: LexisNexis notified consumers on May 27.
- Root cause: An unauthorized third party acquired data from a third-party platform used for software development.
- Company statement: “The issue did not affect [the company’s] own networks or systems,” according to a notification letter from LexisNexis Risk Solutions.
6. Connex Credit Union
This Connecticut-based credit union suffered a breach affecting a significant portion of its membership.
- Number of individuals affected: 172,000
- When the breach happened: June 2 to June 3
- When Connex discovered the breach: June 3
- When the breach was reported: Connex notified regulators on Aug. 7.
- Root cause: A breach of an external system Connex has not identified
- Company statement: “We have no reason to believe the incident involved unauthorized access to member accounts or funds,” according to a letter from Aubrey Weaver, partner at Constangy, Brooks, Smith & Prophete, representing Connex.
7. Coinbase
Samyukta Lakshmi/Bloomberg
The cryptocurrency exchange
- Number of individuals affected: 69,461
- When the breach happened: Dec. 26, 2024
- When Coinbase discovered the breach: May 11
- Root cause: Insider wrongdoing. A threat actor bribed individuals performing services for Coinbase at overseas retail support locations to improperly access customer information.
- Threat actor: An unnamed third party who attempted to extort a $20 million payment
- Company statement: “We discovered that a small number of individuals, performing services for Coinbase at our overseas retail support locations, improperly accessed customer information,” a notification letter from Coinbase stated.
- Other information: Instead of paying the ransom, Coinbase established a $20 million reward fund for information leading to the arrest and conviction of the attackers.
