The massive credit union is notifying individuals about an August cyberattack.
In late 2025, Blaze Credit Union, a Minnesota-based bank, reported a data breach estimated to impact approximately 235,000 individuals. The breach is connected to Marquis Software Solutions, a marketing and compliance software company that provides services to many financial organizations, including Blaze.
In Blaze’s notice, posted on their website, the credit union stated they had been notified in late 2025 of a data security incident. Blaze also noted that they had coordinated with Marquis, who would ultimately be providing victims with notice about the incident.
While Blaze did not say what day had been specifically involved, they noted that personal information, including Social Security numbers, were impacted.
Twin Cities Business analyzed the incident at Blaze, noting that it’s common for credit unions, which are usually smaller institutions that offer a variety of financial services, to use third parties for certain functions. Nevertheless, Twin Cities Business contacted multiple other credit unions in Minnesota and learned that many do not outsource data for marketing functions, which is believed to be the primary reason for Marquis and Blaze’s business relationship.
According to Blaze, as part of their business agreement, Marquis assured the credit union that members’ data would be protected. Now, the credit union has stated they play to pursue legal options to hold Marquis “accountable” for the breach.
The incident at Blaze is a reminder that organizations are only as secure as their business partners. While financial institutions are not required to be HIPAA compliant, and thus do not need to sign Business Associate Agreements, it’s still imperative that these organizations carefully audit their partners’ data security measures.
Like healthcare organizations, businesses in the financial sector are frequently targeted by cybercriminals who hope to sell data on the dark web or use personal information, like Social Security numbers, to commit fraud or identity theft. According to one Paubox report, in healthcare, nearly 16% of all email-related breaches are connected to business associates. Business associates also frequently work with many different companies, so when they are breached, it can quickly have a ripple effect across multiple different companies.
Generally, organizations have to decide together who will send out breach notifications. In this instance, Marquis ultimately agreed to send out the notices.
Organizations should carefully monitor what data they send to third parties and how it is being used, limiting data sent only to what is necessary for the third-party to complete their role. Organizations should also frequently audit their vendors to ensure they are meeting the organization’s data security standards.