Several large U.S. banks are assessing potential customer data exposure after third-party mortgage services provider SitusAMC detected a cyber intrusion it first discovered on Nov. 12 and confirmed on Nov. 22, according to a company advisory.
The advisory said attackers accessed information from the company’s systems and that compromised data includes corporate records such as accounting files and legal agreements, and that certain data relating to some clients’ customers may also have been impacted. The company said the scope and extent of the impact remain under investigation.
The New York Times reported that JPMorgan Chase, Citi and Morgan Stanley were among the institutions notified about potential client data exposure; JPMorgan declined to comment when contacted by CSO, and Citi and Morgan Stanley did not immediately respond to requests for comment. The FBI said it is working with affected organizations and has not yet found any operational impact on banking services, FBI Director Kash Patel told The New York Times.
SitusAMC, which employs about 5,000 people and is owned by several private equity firms, provides loan origination, servicing and regulatory compliance services to major lenders and handles extensive personal information from mortgage applications, including Social Security numbers, financial account details and employment records.
The company said the incident is contained, services remain operational and no encrypting malware was involved, indicating the threat actors focused on data exfiltration rather than deploying ransomware. SitusAMC said it implemented security measures including credential resets, disabling remote access tools, updating firewall rules and enhancing security settings.
The breach follows a wider trend of attacks on third-party vendors in financial services. A Venminder survey found third parties accounted for 30% of data breaches in 2024, up 15% from 2023, and FINRA has observed a large increase in vendor-related incidents in 2024, with threat actors targeting system management tools and products used by providers.
Regulators have emphasized that firms remain responsible for cybersecurity when outsourcing. The New York Department of Financial Services issued guidance in October, the SEC amended Regulation S-P in 2024 to require written policies for oversight of service providers, and FINRA has reminded member firms of supervisory obligations related to outsourcing.
The company has set up a dedicated contact for inquiries and said it will provide updates to clients as the investigation progresses, but it did not specify how many institutions or customers may be affected or give a timeline for completing the forensic investigation.