Big U.S. banks and mortgage lenders are scrambling to identify whether their customers’ sensitive information — including customer and transaction data — was pilfered after hackers broke into New York-based SitusAMC, a leading financial technology provider to the country’s biggest commercial and residential lenders.
SitusAMC said it detected a hack and that intruders made off with corporate data connected to its banking clients, such as accounting records and legal agreements. The company characterized the event as a data theft, rather than a destructive ransomware attack, and said its systems are already back online while it investigates the matter.

Large institutions notified by the vendor include JPMorgan Chase, Citigroup and Morgan Stanley, according to multiple outlets citing people who were briefed on the matter. It is unclear at this time how much data and how many consumers are affected.
Why a Fintech Vendor Breach Hurts So Much
Companies such as SitusAMC sit in the plumbing of U.S. finance, processing onboarding, servicing, and fulfillment tasks that produce rivers of sensitive records.
The company says it handles billions of loan-related documents annually, including mortgage files, servicing data, and complex commercial real estate agreements.
That concentration leads to outsized “blast radius” risk. The Gramm-Leach-Bliley Act requires that nonpublic personal information — names, Social Security numbers, bank account numbers, terms of loans — be protected from disclosure even when it is held by service providers. Just one compromise in the pipeline can hit dozens of institutions at once.
This outcome is exactly what financial regulators have been concerned about. The FFIEC mandates robust third-party risk management, and New York’s cybersecurity regulation also demands timely reporting of material vendor incidents. In practice, key fintechs are now treated as an extension of banks’ own networks.
What Banks Are Doing Now to Respond to the Breach
Because the attack is being described as pure exfiltration, banking institutions are prioritizing exposure scoping over restoring availability. Teams are pulling detailed data maps of what each business line shared with the vendor, and when, and cross-referencing those against access logs and data-transfer telemetry.
Quick credential resets, token revocation, and key rotation are needed for all integrations that touch the provider. Many institutions are combing through their security information and event management systems for indicators linked to the vendor environment, and bolstering fraud analytics to detect any downstream abuse of stolen files.
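One way to run the scoping step described above, shown as an added example (not code from any bank or from SitusAMC): it joins a data map against transfer telemetry and lists the integrations whose credentials need rotating. The business lines, datasets, integration names, the `vendor.example` host and the containment cutoff are all constructed assumptions, and the script assumes everything sent to the vendor before containment is potentially exposed.

```python
from datetime import datetime

# Constructed sample data (assumptions for illustration, not from the incident).
# Data map: what each business line is documented as sharing with the vendor.
DATA_MAP = {
    ("mortgage-servicing", "loan_files"): {"npi": True, "integration": "sftp-svc-01"},
    ("mortgage-servicing", "escrow_balances"): {"npi": True, "integration": "sftp-svc-01"},
    ("commercial-re", "term_sheets"): {"npi": False, "integration": "api-cre-02"},
}

# Transfer telemetry: (UTC timestamp, business line, dataset, destination, bytes).
TRANSFERS = [
    ("2025-01-03T02:10:00", "mortgage-servicing", "loan_files", "vendor.example", 5_000_000),
    ("2025-01-10T02:10:00", "mortgage-servicing", "loan_files", "vendor.example", 1_000_000),
    ("2025-01-20T11:00:00", "commercial-re", "term_sheets", "vendor.example", 120_000),
    ("2025-01-21T10:00:00", "commercial-re", "term_sheets", "other.example", 90_000),
    ("2025-01-22T09:30:00", "wealth", "client_statements", "vendor.example", 800_000),
    ("2025-02-15T08:00:00", "mortgage-servicing", "escrow_balances", "vendor.example", 40_000),
]


def scope_exposure(data_map, transfers, vendor, contained_at):
    """Return (exposed, unmapped, rotate) for data sent to `vendor` before containment.

    exposed:  {(line, dataset): {"bytes", "npi", "last"}}; npi is None when unmapped
    unmapped: flows seen in telemetry that the data map never documented
    rotate:   every integration in the data map that touches the vendor
    """
    cutoff = datetime.fromisoformat(contained_at)
    exposed, unmapped = {}, set()
    for when, line, dataset, dest, size in transfers:
        if dest != vendor or datetime.fromisoformat(when) > cutoff:
            continue  # different destination, or sent after containment
        key = (line, dataset)
        entry = data_map.get(key)
        if entry is None:
            unmapped.add(key)  # undocumented flow: sensitivity unknown, review first
        rec = exposed.setdefault(
            key, {"bytes": 0, "npi": entry["npi"] if entry else None, "last": when})
        rec["bytes"] += size
        rec["last"] = max(rec["last"], when)  # ISO-8601 strings sort chronologically
    rotate = sorted({e["integration"] for e in data_map.values()})
    return exposed, sorted(unmapped), rotate


if __name__ == "__main__":
    for part in scope_exposure(DATA_MAP, TRANSFERS, "vendor.example", "2025-02-01T00:00:00"):
        print(part)
```

Flows that appear in telemetry but not in the data map are reported separately because their sensitivity is unknown until someone classifies them.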
Publicly traded lenders are also weighing disclosure requirements. A material incident may require a Form 8-K filing within only a few business days under the SEC’s cybersecurity requirements. Even if the breach happened at a vendor, especially one to which an institution outsources data security controls, it is questionable whether that distinction matters; the question is whether there is a material impact on the bank’s customers, operations or financials.

Early Indications Suggest Data-Theft Tactics
SitusAMC said it did not see any encrypting malware, indicating that the intruders intended to quietly copy high-value records. That reflects a larger move toward “double-extortion without encryption,” in which ransomware gangs steal data and pressure victims with leaks rather than shutdowns.
Financial services has been a major focus of these campaigns. IBM’s Cost of a Data Breach report over the years has consistently ranked the industry at or near the top in terms of average breach cost due to long investigation and notification timeframes when third parties are involved. And industry sharing group FS-ISAC has also warned of the ongoing supply chain exposure in loan origination and servicing solutions.
Recent history underscores the stakes. The MOVEit mass-exfiltration campaigns rippled across mortgage and retirement sites, and a top mortgage servicer revealed that data had been stolen, affecting “millions” at least. In both cases, vendor relationships were force multipliers.
What Data May Be in Peril From the Vendor Breach
Going by the information the company shared (corporate records related to banking relationships, accounting data, and legal agreements), the exposed data is likely to include term sheets, wire instructions, servicing schedules, escrow balances, covenant documentation, and identifiable details about counterparties.
The riskiest consumer data would be the kind of identity and payment information found in loan files or servicing records, if any such data was included in the compromised data sets. On the flip side, keeping deals confidential, protecting counterparty information, and maintaining document integrity are top priorities for institutions.
Regulators and Law Enforcement Move In Now
The company has said the FBI is investigating. Banks usually also report to their primary prudential regulators (the OCC, the Federal Reserve, the FDIC, and state banking departments) as they evaluate whether customer notice thresholds have been met under both state breach laws and GLBA.
If stolen data pops up on leak sites, the calculus changes fast. Organizations also pre-position alerts and credit monitoring offers so their outreach can be expedited if there is credible evidence of potential exposure.
The Wider Financial Supply Chain Lesson for Banks
The episode serves as a reminder that while banks’ own perimeters may be reinforced, a steady stream of critical data still moves across vendors’ platforms. Continuous control monitoring, immutable logs of data transfers, and tighter data minimization with service providers are now non-negotiable.
In the short term, the task is simple: map what flowed to that fintech, validate exactly what left it, and prepare customers and counterparties for measured, transparent communication. The longer-term work, such as reducing data footprints and testing vendor controls with the same rigor as internal ones, will dictate how often this headline repeats.