Company says no encrypting malware was found on its systems

Financial service provider SitusAMC has confirmed a recent data breach, prompting major US banks to assess potential exposure. The breach is another illustration of the importance of third-party due diligence.
Several of the largest US banks are scrambling to determine how much client information may have been compromised after hackers infiltrated a New York-based financial technology firm earlier this month, potentially exposing sensitive data across the financial sector.
SitusAMC, a major back-end service provider for more than 1,500 commercial and residential real-estate financiers, confirmed over the weekend that it discovered a data breach on 12th November.
The company, which processes billions of loan-related documents each year and generates roughly $1 billion in annual revenue, serves major banking clients including JPMorgan Chase, Citigroup and Morgan Stanley, as well as pension funds and state governments.
In a public statement, SitusAMC acknowledged that the attackers stole corporate data tied to its banking customers’ relationships with the firm, along with “accounting records and legal agreements.”
While the company did not disclose which institutions were directly affected, CNN and Bloomberg, citing sources familiar with the incident, reported that breach notifications were sent to JPMorgan Chase, Citi, and Morgan Stanley.
Not a ransomware attack
SitusAMC says no encrypting malware was found on its systems, an indication that the hackers were focused on quietly stealing data rather than locking or destroying it.
The company said that the incident is “now contained,” that its systems are fully operational, and that the “scope and nature of the cyberattack remains under investigation.”
“Upon learning of the incident, we took prompt steps to investigate the nature and scope of the incident with the assistance of leading, third-party experts,” the company said. “We also notified and began cooperating with law enforcement.”
As part of its response, SitusAMC has implemented several additional security measures, including credential resets, disabling remote access tools, updating firewall rules, and strengthening certain security settings.
It remains unclear how much data was taken, or how many US banking customers may be affected.
Because firms like SitusAMC operate deep in the financial regulatory and compliance infrastructure, they routinely handle highly sensitive, non-public information on behalf of lenders, investors, and mortgage servicers.
Michael Franco, CEO of SitusAMC, told The New York Times that the company remains “focused on analyzing any potentially affected data,” and confirmed that law enforcement has been notified.
A spokesperson for the FBI said the bureau is aware of the breach and is already working with affected organisations.
“While we are working closely with affected organizations and our partners to understand the extent of potential impact, we have identified no operational impact to banking services,” FBI director Kash Patel said.
Although large banks invest hundreds of millions of dollars each year in cybersecurity and are regarded as some of the best-defended institutions in the private sector, experts warn that the interconnected nature of modern finance creates hidden vulnerabilities.
Even a single breach at a lesser-known technology provider can create cascading risks across multiple institutions.
“The SitusAMC breach is a stark reminder that the weakest links may be buried deep within the technology partnerships and vendor dependencies that fuel critical operations,” said Munish Walther-Puri, head of critical digital infrastructure at cybersecurity firm TPO Group.
“When one trusted vendor falters, the ripple can expose the intricate web of unseen risk that binds the sector together; resilience is not just a policy, but a collective responsibility,” Walther-Puri said.