JPMorgan, Citi, Morgan Stanley assess fallout from SitusAMC data breach

JPMorgan Chase, Citi, and Morgan Stanley are among the major US banks assessing potential customer data exposure following a cyberattack on SitusAMC, a third-party vendor that processes residential mortgage data for hundreds of financial institutions.

The New York-based company discovered the breach on November 12 and confirmed on November 22 that attackers accessed information from its systems, according to a company advisory. SitusAMC said the compromised data includes corporate information such as accounting records and legal agreements, and that “certain data relating to some of our clients’ customers may also have been impacted.”

“The scope, nature and extent of such impact remains under investigation by the Company and its third-party advisors,” the advisory said.

The New York Times reported Saturday that JPMorgan Chase, Citi, and Morgan Stanley were among institutions notified by SitusAMC about potential client data exposure, citing five people briefed on the incident.

When contacted by CSO, JPMorgan declined to comment on the breach. Citi and Morgan Stanley did not immediately respond to requests for comment.

FBI says no operational impact reported

FBI Director Kash Patel told The New York Times that the bureau is working with affected organizations to assess the breach. Patel said that the FBI has not yet found any operational impact on banking services and is continuing to investigate the matter.

SitusAMC, which employs approximately 5,000 people and is owned by several private equity firms, provides loan origination, servicing, and regulatory compliance services to major lenders. The company’s role in mortgage processing involves handling extensive personal information, including Social Security numbers, financial account details, and employment records, as found on loan applications.

The company said that the incident is now contained and services remain fully operational. No encrypting malware was involved, indicating threat actors focused on data exfiltration rather than ransomware deployment, according to the advisory.

The scope of the breach remains under investigation. SitusAMC said it implemented several security measures following the incident, including credential resets, disabling remote access tools, updating firewall rules, and enhancing security settings.

Third-party breaches accelerating

The SitusAMC incident is part of a broader trend of increasing cyberattacks targeting third-party vendors in the financial services sector. Third parties accounted for 30% of data breaches in 2024, a 15% increase from 2023, according to Venminder’s State of Third-Party Risk Management 2025 survey. The survey found 49% of organizations experienced third-party cybersecurity incidents last year.

The financial services sector has seen particularly heavy vendor-related cyberattack activity. FINRA observed a large increase in incidents during the first half of 2024, with threat actors targeting vulnerabilities in system management tools and technology products used by third-party providers. Notable incidents in 2024 included data breaches at Microsoft, Snowflake, and Dropbox that had a widespread impact on financial services firms.

In October, the New York Department of Financial Services issued guidance emphasizing that regulated entities remain fully responsible for cybersecurity when outsourcing to service providers.

The SEC also amended Regulation S-P in 2024 to require firms’ incident response programs to include written policies for overseeing service providers through due diligence and monitoring. The regulation requires firms to establish, maintain, and enforce written policies reasonably designed to require oversight of service providers.

FINRA has also reminded member firms of their supervisory obligations related to outsourcing to third-party vendors. The self-regulatory organization noted that firms have an obligation to establish and maintain a supervisory system for any activities or functions third-party vendors perform.

Investigation continues

The company has established a dedicated email for inquiries and said that it will provide updates to clients as the investigation progresses. The advisory did not specify how many institutions or customers may be affected or give a timeline for completing the forensic investigation.

“We are in direct, regular contact with our clients about this matter,” SitusAMC said in the statement. “We remain focused on analyzing any potentially affected data and will provide updates directly to our clients as our investigation progresses.”
