SitusAMC Hack Impacting Major U.S. Banks
Overview
On 12 November 2025, SitusAMC, a U.S. vendor that services real-estate loans, disclosed a cyberattack that may have exposed sensitive corporate and customer data belonging to several major U.S. banks. The incident has prompted banks such as JPMorgan Chase, Citigroup and Morgan Stanley to assess their exposure and the downstream implications of a vendor breach. According to the company, its services remain operational and no encrypting ransomware was used in the intrusion.
How the Incident Unfolded
According to reports, the attack was discovered by SitusAMC on 12 November. The company issued a statement indicating that certain information from its systems was compromised and that “data relating to some of our clients’ customers may also have been impacted.” The attacker reportedly accessed corporate accounting documents, legal contracts and other business records tied to client engagements. The vendor did **not** publicly name the affected banks, but media sources cite those three leading banks as clients that were probably impacted.
Importantly, SitusAMC clarified that the breach did not involve the deployment of file-encrypting malware (i.e., no ransomware event). The company further stated that its key systems have been restored, services are fully operational and the incident has been contained. Moreover, the Federal Bureau of Investigation (FBI) has been notified and is working with the vendor and impacted organisations to determine the scope of the compromise.
Impact and Exposure
While no bank has confirmed service disruption or direct compromise of their internal systems, the situation raises three major exposure concerns:
- Data confidentiality risk: Because SitusAMC handles loan-origination and servicing data for real-estate lenders and banks, the breached records may include personally identifiable information (PII) such as Social Security numbers, mortgage-application data, property records, and corporate customer contracts. Media coverage notes the potential exposure of residential mortgage loan data.
- Third-party vendor chain risk: The incident is a stark reminder of the attack surface introduced when banks outsource key functions or rely on specialised vendors. A breach at one vendor can ripple across multiple major institutions.
- Reputational and regulatory exposure: If customer or consumer data was accessed, banks and the vendor may face regulatory scrutiny under U.S. state data-breach laws, GDPR-type cross-border rules (if applicable) and the European Union’s DORA framework (if European clients are involved). The reputational hit could also be material, particularly given the sensitivity of financial-institution customer data.
At this stage, no operational disruption to banking services has been reported; the FBI stated that “we have identified no operational impact to banking services.”
Response and Investigation
SitusAMC has taken immediate mitigation steps: notifying law enforcement and regulators, engaging forensic cybersecurity specialists, analysing the compromised systems and data, and communicating with clients. The vendor emphasized that its systems are back online and that the intrusion did not involve encryption malware.
Banks leveraging the vendor’s platform are undertaking internal investigations: verifying whether any client or consumer records held by the vendor were affected, confirming whether any data made its way into threat-actor hands, and reviewing their contractual, insurance and regulatory exposure. The involvement of the FBI and potential participation by federal regulators (e.g., Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation) are expected as the matter develops.
Wider Industry Implications
This breach highlights the systemic risk posed by critical-vendor dependencies in the banking ecosystem. The fallout from a non-bank entity cascading into multiple financial institutions underscores the need for rigorous third-party risk management — including vendor cyber-hygiene assessments, contractual expectations, resilience-testing, and incident-response coordination.
Additionally, the event may prompt regulators to increase scrutiny of vendor-intrusion disclosure timelines, audit requirements and breach-impact reporting within banking and mortgage-servicing contexts. The breach may also accelerate banks’ migration to in-house or fully monitored vendor ecosystems where oversight is stronger.
Guidance for Security Teams
Security practitioners in banking and vendor firms should consider the following actions:
- Review vendor inventories: Identify vendors that hold, process or transmit sensitive customer data and assign criticality tiers accordingly.
- Perform due-diligence audits: Ensure vendors maintain up-to-date cybersecurity controls, incident-response plans and third-party risk assessments.
- Include robust contractual clauses: Require notifications of breaches, indemnities, audit rights and minimum security standards in vendor contracts.
- Implement data-access minimisation: Limit vendors’ access to only the data and systems strictly required to perform their service.
- Plan incident-response coordination: Establish joint vendor-bank playbooks, communication channels and data-exposure review mechanisms ahead of breaches.
- Monitor for anomalous activity: Use threat-intelligence feeds, data-loss detection tools and anomaly-monitoring on vendor-network traffic and data exports.
In vendor ecosystems, especially within financial services, proactive oversight and verification of vendor resilience are critical to reducing downstream risk.
Indicators of Compromise
- Vendor: SitusAMC – breach date 12 November 2025.
- Affected scope: corporate accounting documents, legal contracts, client-customer records (via vendor).
- No publicly released domain, IP addresses or malware hashes at this time.