Saturday, real estate lender tech provider SitusAMC confirmed a November 12 cyberattack impacting the sensitive personal information on the clients of hundreds of some of the nation’s biggest banks, including JPMorgan Chase.
The data exposed was related to residential mortgages, the company said. JPMorgan Chase, Citi, and Morgan Stanley are among those that have been notified that their client data may have been taken.
“The incident is now contained and our services are fully operational. No encrypting malware was involved,” the statement reads.
“We remain focused on analyzing any potentially affected data,” SitusAMC’s chief executive, Michael Franco said.
SitusAMC manages extensive sensitive data collected through mortgage applications, including Social Security numbers. The fintech also provides regulatory compliance services to ensure lenders’ loans meet state and federal requirements. As a result, a breach could expose highly confidential information about lenders and their real estate portfolios.
“We remain committed to identifying those responsible and safeguarding the security of our critical infrastructure,” FBI Director Kash Patel said in a statement.
Michael Bell, Founder & CEO, Suzu Labs had this to say:
“SitusAMC proves that Wall Street’s hundreds of millions spent on bank cybersecurity is irrelevant when a third-party vendor holding SSNs, mortgage applications, and regulatory compliance data gets compromised.
“The attackers bypassed JPMorgan, Citi, and Morgan Stanley’s defenses entirely by hitting the shared services provider with access to all their customer data.
“Pentesting offers a lens inside these third-party environments and the lack of controls protecting customer data is shocking. Organizations need to start auditing vendor security postures with the same rigor they apply to their own perimeters.”
Damon Small, Board of Directors, Xcape, Inc. follows with this:
“The recent cyberattack on SitusAMC underscores the significant and widespread third-party risk that major US financial institutions like JPMorgan Chase, Citi, and Morgan Stanley are currently exposed to.
“Despite claims of containment, the breach resulted in the confirmed exfiltration of highly sensitive residential mortgage data, including Social Security numbers and private real estate holdings, all valuable targets for identity theft.
“This incident confirms that the security of financial service providers is only as strong as the weakest link within their specialized fintech supply chain. Under regulations like GLBA, banks are ultimately accountable for protecting client data across their entire vendor network, necessitating the immediate implementation of Zero Trust principles for all third-party access.
“Banks should treat this breach as if client data has been exposed by immediately activating dark-web monitoring, placing fraud alerts, and closely monitoring for unauthorized changes of address and wire instructions within their mortgage and servicing systems.
“Lenders also need to immediately rotate tokens and credentials for SitusAMC integrations, implement stricter least-privilege access controls, and enforce breach-notification service-level agreements and data minimization practices through contractual obligations.
“Regulators will be expecting concrete evidence of third-party risk management, including vendor audits, immutable backups, and well-tested incident response playbooks that cover the entire lifecycle of loan origination, servicing, and secondary market data flows.
“Wall Street learned the hard lesson again: In the modern financial supply chain, the security of a bank’s information assets is only as effective as the least-protected mortgage application.”
This latest supply chain attack is going to be bad given the type of data that is now out there. I feel sorry for anyone who is potentially affected as this will not end well for them at all.
Like this:
Like Loading...
Related
This entry was posted on November 24, 2025 at 2:29 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
US big banks hit by real estate fin-tech breach
Saturday, real estate lender tech provider SitusAMC confirmed a November 12 cyberattack impacting the sensitive personal information on the clients of hundreds of some of the nation’s biggest banks, including JPMorgan Chase.
The data exposed was related to residential mortgages, the company said. JPMorgan Chase, Citi, and Morgan Stanley are among those that have been notified that their client data may have been taken.
“The incident is now contained and our services are fully operational. No encrypting malware was involved,” the statement reads.
“We remain focused on analyzing any potentially affected data,” SitusAMC’s chief executive, Michael Franco said.
SitusAMC manages extensive sensitive data collected through mortgage applications, including Social Security numbers. The fintech also provides regulatory compliance services to ensure lenders’ loans meet state and federal requirements. As a result, a breach could expose highly confidential information about lenders and their real estate portfolios.
“We remain committed to identifying those responsible and safeguarding the security of our critical infrastructure,” FBI Director Kash Patel said in a statement.
Michael Bell, Founder & CEO, Suzu Labs had this to say:
“SitusAMC proves that Wall Street’s hundreds of millions spent on bank cybersecurity is irrelevant when a third-party vendor holding SSNs, mortgage applications, and regulatory compliance data gets compromised.
“The attackers bypassed JPMorgan, Citi, and Morgan Stanley’s defenses entirely by hitting the shared services provider with access to all their customer data.
“Pentesting offers a lens inside these third-party environments and the lack of controls protecting customer data is shocking. Organizations need to start auditing vendor security postures with the same rigor they apply to their own perimeters.”
Damon Small, Board of Directors, Xcape, Inc. follows with this:
“The recent cyberattack on SitusAMC underscores the significant and widespread third-party risk that major US financial institutions like JPMorgan Chase, Citi, and Morgan Stanley are currently exposed to.
“Despite claims of containment, the breach resulted in the confirmed exfiltration of highly sensitive residential mortgage data, including Social Security numbers and private real estate holdings, all valuable targets for identity theft.
“This incident confirms that the security of financial service providers is only as strong as the weakest link within their specialized fintech supply chain. Under regulations like GLBA, banks are ultimately accountable for protecting client data across their entire vendor network, necessitating the immediate implementation of Zero Trust principles for all third-party access.
“Banks should treat this breach as if client data has been exposed by immediately activating dark-web monitoring, placing fraud alerts, and closely monitoring for unauthorized changes of address and wire instructions within their mortgage and servicing systems.
“Lenders also need to immediately rotate tokens and credentials for SitusAMC integrations, implement stricter least-privilege access controls, and enforce breach-notification service-level agreements and data minimization practices through contractual obligations.
“Regulators will be expecting concrete evidence of third-party risk management, including vendor audits, immutable backups, and well-tested incident response playbooks that cover the entire lifecycle of loan origination, servicing, and secondary market data flows.
“Wall Street learned the hard lesson again: In the modern financial supply chain, the security of a bank’s information assets is only as effective as the least-protected mortgage application.”
This latest supply chain attack is going to be bad given the type of data that is now out there. I feel sorry for anyone who is potentially affected as this will not end well for them at all.
Share this:
Like this:
Related
This entry was posted on November 24, 2025 at 2:29 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.