On Nov. 12, 2025 a cyberattack struck SitusAMC, a third‑party vendor used by hundreds of lenders, potentially exposing mortgage application records and other sensitive client information. Over the next ten days the company told customers it was investigating what specific files were taken; by Nov. 22 several major banks had been notified that their clients’ data might be included. SitusAMC said investigators and law enforcement were involved, and the Federal Bureau of Investigation said it was working with affected organizations while reporting no disruption to core banking operations. The incident has alarmed industry officials because vendors like SitusAMC centralize broad, nonpublic data — from Social Security numbers on loan forms to internal risk details about lender portfolios.
Key takeaways
- SitusAMC reported a cyber intrusion on Nov. 12, 2025 and spent nearly two weeks assessing what information was accessed.
- Hundreds of banks and lenders use SitusAMC for mortgage origination and compliance; the firm employs about 5,000 people.
- JPMorgan Chase, Citi and Morgan Stanley were among the banks notified that client data may have been taken, according to officials briefed on the matter.
- Data sets at risk include mortgage application material — including Social Security numbers — and records tied to residential loan portfolios.
- SitusAMC confirmed it notified law enforcement; the FBI said it has found no operational impact to banking services.
- Industry advisers warn the breach could expose both consumer information and sensitive nonpublic details about lenders’ real estate holdings.
- The episode highlights systemic risk from highly centralized service providers that handle regulated compliance and loan documentation.
Background
Third‑party vendors are deeply embedded in modern banking operations, performing essential but often unseen tasks such as document management, compliance checks and loan servicing. Firms like SitusAMC provide software and back‑office support that touches loan applications, underwriting files and regulatory paperwork for both residential and commercial real estate lenders. Because these vendors aggregate data across many customers, a single successful intrusion can affect multiple institutions and millions of records.
SitusAMC, headquartered in New York and owned by private equity investors, has contracts with many of the nation’s largest banks and mortgage lenders. The company’s services are often described as necessary “plumbing” for real‑estate finance: they are not consumer‑facing products but they store the raw documents and identifiers that underpin lending decisions. Previous industry breaches have shown that attackers prize such troves of personal and institutional data — especially Social Security numbers and loan‑level details that can be used for fraud or market intelligence.
Main event
SitusAMC publicly acknowledged on Nov. 22 that it had been the subject of a cyberattack that began on Nov. 12. The company said it has been working to identify what specific data were removed and has been sending near‑daily updates to customers while coordinating with law enforcement. Company CEO Michael Franco confirmed notifications to banks and said the firm’s review of potentially affected records is ongoing.
Multiple large banks received alerts from SitusAMC that their client data might have been accessed; sources briefed on the incident named JPMorgan Chase, Citi and Morgan Stanley among the parties notified. Representatives for those banks declined to comment on exposure details; a spokesperson for JPMorgan Chase said the bank itself was not directly breached. Industry officials said banks were assessing whether customer‑level remediation — such as credit monitoring or direct notifications — would be required.
The FBI, led by Director Kash Patel, issued a statement saying agents were working closely with affected organizations and partners to determine the impact, while noting no operational disruption to banking services. Cybersecurity teams from affected banks and from SitusAMC have been engaged in forensic work to trace the attackers’ access paths, identify stolen datasets and contain any continuing risks.
Analysis & implications
The breach illustrates a recurring vulnerability: critical customer and portfolio data are concentrated at vendors that many lenders rely on but do not control directly. That concentration creates a multiplier effect — a single compromise can produce far more exposure than an incident limited to one bank’s own systems. For consumer protection, the most immediate danger is identity theft and fraud if Social Security numbers and loan documentation are leaked.
Beyond individual fraud, the breach could reveal nonpublic bank information about loan concentrations, risk profiles or valuation assumptions embedded in mortgage files. Regulators and risk managers worry that sophisticated actors could use that intelligence to game markets or target institutions strategically. Lawyers and compliance specialists note that vendor contracts, data access controls and regulatory reporting obligations will all be scrutinized in the incident’s aftermath.
From an operational standpoint, the fact that the FBI reported no operational banking disruptions is important but not dispositive. Even when core payment and deposit systems remain intact, reputational harm, customer remediation costs and regulatory investigations can be protracted and expensive. For private equity owners of vendors, the incident also raises questions about governance, cybersecurity investment and the incentives that determine how vendor security is audited.
Comparison & data
| Incident | Date | Scope / notable exposed data | Entity size |
|---|---|---|---|
| SitusAMC breach | Nov. 12, 2025 | Mortgage application records, Social Security numbers; hundreds of lender clients | ~5,000 employees |
| Equifax breach | 2017 | Personal data of about 147 million U.S. consumers, including Social Security numbers | Large national credit bureau |
The table above highlights how vendor consolidations raise exposure: the 2017 Equifax breach remains a reference point for the scale and sensitivity of consumer data compromises. While the exact number of customer records potentially taken from SitusAMC has not been confirmed, the company’s broad client list and the presence of loan identifiers and Social Security numbers put the event squarely in the category of high‑impact vendor incidents.
Reactions & quotes
Company and government statements framed the response as active investigation and coordination. SitusAMC’s chief executive emphasized cooperation with authorities while the firm assesses affected data.
“We remain focused on analyzing any potentially affected data.”
Michael Franco, CEO of SitusAMC (company statement)
The FBI underlined the investigative posture and attempted to reassure markets that core bank operations were unaffected.
“While we are working closely with affected organizations and our partners to understand the extent of potential impact, we have identified no operational impact to banking services.”
Kash Patel, Director, Federal Bureau of Investigation (official statement)
Industry advisers and compliance lawyers stressed that the event should prompt lenders to review vendor risk management and data segregation practices, noting the potential for long‑tail costs and regulatory scrutiny.
Unconfirmed
- The precise quantity of individual consumer records removed has not been disclosed publicly and remains unconfirmed.
- The identity or motivation of the attackers has not been publicly attributed by SitusAMC or law enforcement.
- Whether all notified banks have customers whose records were actually exfiltrated has not been verified.
Bottom line
The Nov. 12 incident at SitusAMC underscores a persistent systemic risk in the financial ecosystem: critical customer and portfolio data are often concentrated at specialist vendors whose compromise can ripple across many institutions. Immediate priorities for banks include forensic analysis, customer notification where required, regulatory reporting and tightening vendor controls to reduce future exposure.
Longer term, regulators and market participants may demand stricter standards for data segmentation, incident reporting timelines and third‑party audits. For consumers, the most tangible near‑term impact will be potential identity protection needs; for banks and investors, costs and oversight burdens are likely to follow.
Sources
- The New York Times (news reporting)
- SitusAMC (company website / official statements)
- Federal Bureau of Investigation (official agency statement)