Blaze Credit Union’s marketing and communications vendor–Georgia-based Marquis Software Solutions–said last month it experienced a data security incident in which an unauthorized third-party vendor potentially viewed or copied certain files on the Marquis network that contained Blaze’s 253,000 members’ personal information, including their Social Security numbers.

Blaze Credit Union, based in Falcon Heights, told TCB it shares its member names, dates of birth, and Social Security numbers–in some cases–with Marquis, who  manages Blaze’s email communications to its members.

Casey Carlson, SVP/chief marketing officer of Blaze says the company has no evidence of attempted misuse of members’ personal information because of the incident, and that the data breach was limited to Marquis’ data systems.

According to the 1999 Gramm-Leach-Bliley Act, banks and credit unions are legally permitted to share social security numbers when necessary with third-party vendors. Financial institutions must provide its members with clear notices about data collection, allowing them to opt-out of certain sharing with non-affiliated third parties.

Transmitting SSNs and other personal information is a “standard industry practice,” the credit union says. Misuse of SSNs is believed to make identity theft easier.

Other Credit Unions’ Relationship with Communications Vendors

The credit union industry has historically consisted of small institutions that offered limited services. The industry has been consolidating in Minnesota (Blaze is the result of the 2024 merger of Hi-Way and Spire credit unions), in part, to offer a wider array of financial services along the lines of banks.  Still, many credit unions still rely on third parties for key functions.

TCB reached out to multiple credit unions and banks in the state to see if they employ the same practices and received the following responses:

• Affinity Plus Credit Union says it does not outsource its marketing. However, it works with specialized third‑party vendors for “specific tools or services.” Affinity did not respond to our questions about what those services are exactly. “We share only the minimum information required for that service,” the company adds. “Additionally, all partners undergo rigorous vetting and regular reviews to confirm they meet industry-standard data security requirements.”

• Wings Credit Union, the largest credit union in Minnesota, tells TCB that the company works with select third‑party vendors for limited marketing functions. Wings’ director of media and public relations, Vanessa Zinc, adds Wings does not work with Marquis for marketing purposes.

“[Our members’] social security numbers are not used or disclosed for marketing purposes,” Zinc adds. “Any information shared aligns with the reasons outlined in our publicly available privacy notices.”

• Bridgewater Bank’s Emily Karpenske says the bank’s marketing and client communications are executed in-house. They add Bridgewater does not use a third-party platform to outsource any marketing functions.

Since learning of the cyberattack, Blaze said it discontinued sending member data to Marquis. In a statement it said it is “actively evaluating alternative options to Marquis Business Solutions in light of this incident.”

“While this incident did not involve the credit union’s computer systems, we take seriously the security of our members’ information, and we are evaluating Marquis’ response to this incident and our going forward relationship with it,” Carlson says.

Blaze says Marquis assured it via audits that members’ data was protected. But then, “Marquis failed to uphold those assurances.” The credit union adds it’s actively pursuing legal options to hold Marquis “accountable.”