A cyber intrusion that SitusAMC discovered on November 12 has forced major Wall Street lenders and mortgage originators into a rapid damage assessment, the New York-based real-estate data vendor said. SitusAMC — which serves roughly 1,500 clients — told customers late Saturday that account records and legal agreements for some clients were impacted, and that the incident is contained with services restored. Banks and other customers are still waiting to learn which specific files were removed and which institutions were affected, while the FBI has opened an investigation. Company statements emphasize no encrypting malware was used and core services are operational, but market participants are scrambling to map exposure.
Key takeaways
- SitusAMC, a New York-based real-estate data firm with about 1,500 clients, reported unauthorized access discovered on November 12.
- The firm said account records and legal agreements for some clients were affected; it notified customers in the days after discovery.
- A broad notification batch included major banks such as JPMorgan Chase and Citi, though it remains unclear which clients’ data were actually accessed.
- SitusAMC stated the incident is contained and services are fully operational; it reported no encrypting malware was involved.
- The FBI is investigating; a senior FBI official said investigators have identified no operational impact to banking services to date.
- Industry experts warn third-party vendor breaches can create systemic exposure because vendors underpin loan pipelines and servicing systems.
Background
SitusAMC provides data, analytics and document services used by lenders, servicers and investors to underwrite and manage real-estate loans and mortgage portfolios. Vendors of this kind sit at the center of many transaction workflows: they store account records, legal agreements and other documents that banks rely on for origination, due diligence and servicing. Because a relatively small set of specialized providers serves many institutions, a single intrusion can force numerous banks to audit the same external supplier simultaneously.
Large banks invest heavily in cybersecurity — often hundreds of millions annually — and maintain dedicated teams to monitor third-party risk. Still, security professionals caution that concentrated dependencies and complex integrations increase the chance that a vendor compromise will propagate. Regulators have in recent years heightened scrutiny of third-party risk management, and firms are required to show controls over their supply chains and critical-service providers.
Main event
SitusAMC detected unauthorized access on November 12 and, according to the firm’s communication to customers, began notifying potentially affected clients within days. The notifications were broad: sources familiar with the matter said the firm sent alerts to a large group of customers that included major banks such as JPMorgan Chase and Citi. At this stage, those banks have declined to comment publicly on whether their records were specifically accessed.
The company issued a statement late Saturday saying the incident is contained, services are fully operational and no encrypting malware was used, language intended to reassure customers that core systems remain available. Despite restored operations, the firm and its clients are conducting forensic reviews to determine precisely what was exfiltrated, how long access persisted and which customer accounts were involved. The ongoing probe aims to map data flows and identify exposed records, a process that often takes weeks.
The FBI has opened an investigation and is coordinating with affected organizations. In a public comment tied to the inquiry, a senior FBI official said investigators have noted no operational impact to banking services so far but are working to identify those responsible. Attribution and the identity of any intruders remain under active review.
Analysis & implications
The immediate implication is operational: banks that rely on SitusAMC for loan documentation and account records must confirm the integrity and availability of the files that underpin underwriting and servicing. If legal agreements or loan files were altered or exfiltrated, affected institutions could face additional legal and remediation costs to validate contracts and reestablish chain-of-custody for critical documents. Even when core systems stay online, the administrative burden of re-checking records can slow loan closings and servicing workflows.
There are reputational and regulatory risks as well. Clients expect vendors to protect sensitive borrower and contractual data; a breach that affects widely used records can trigger demands for disclosure from regulators and counterparties. Financial institutions may need to escalate notifications to boards, regulators and, in some cases, affected borrowers — steps that can lead to fines, remediation obligations and increased compliance scrutiny if controls are judged inadequate.
From a systemic standpoint, the incident underscores vendor concentration risk. When many banks depend on the same supplier for similar datasets, an intrusion becomes a shared problem rather than an isolated incident. That interdependence raises questions about industrywide resilience and whether current third-party oversight frameworks sufficiently reduce single-point vulnerabilities in critical infrastructure supporting mortgage and loan markets.
Comparison & data
| Item | Detail |
|---|---|
| Vendor | SitusAMC (New York-based) |
| Clients | ~1,500 firms |
| Discovery | November 12, 2025 |
| Notified | Customers notified within days; broad batch included JPMorgan & Citi |
| Operational impact | Firm reports services restored; no encrypting malware |
| Investigation | FBI opened active probe |
The table above summarizes the known, verifiable elements released by the firm and reported by news outlets. While some items like the count of clients and discovery date are explicit, other details — notably which client accounts were accessed — remain a current focus of forensic teams. Historical comparisons show that vendor incidents can take weeks to fully inventory, and cross-institution coordination is often required to resolve exposure.
Reactions & quotes
Company and law-enforcement statements have sought to reassure customers about continuity while the forensic work continues. Banks notified in the broad outreach have not confirmed specific exposure publicly, creating a gap between notification and confirmed impact that specialists say is typical early in such probes.
“While we are working closely with affected organizations and our partners to understand the extent of potential impact, we have identified no operational impact to banking services.”
FBI Director Kash Patel
The FBI director’s remark — issued as part of the active investigative posture — emphasizes that investigators have not observed disruptions to bank operations, even as they continue to pursue attribution and the technical scope of the intrusion. That framing aims to prevent market alarm while acknowledging the investigation is ongoing.
“The breach is a stark reminder that the weakest links may be buried deep within the technology partnerships and vendor dependencies that fuel critical operations.”
Munish Walther-Puri, TPO Group
The cybersecurity experts cited above warn that vendor dependencies create hidden systemic risk. Their analysis notes that resilience requires not only vendor-level controls but also stronger cross-sector coordination and contingency planning to limit cascading impacts when a supplier is compromised.
Unconfirmed
- Which specific client accounts or individual borrower records were accessed remains unconfirmed; forensic teams have not publicly released a full inventory.
- The identity and motivation of the intruders have not been publicly attributed; law enforcement continues to investigate.
- Whether any downstream counterparties experienced practical disruption to loan closings or servicing is still being reported and verified by individual institutions.
Bottom line
The SitusAMC intrusion reinforces that even well-resourced financial institutions depend on a network of external vendors whose security shortcomings can create broader exposure. While the firm reports containment and no encrypting malware, the primary unresolved questions — which clients’ records were taken and who is responsible — will govern the next phase of legal, regulatory and remediation actions.
Markets and customers should watch three developments closely: the forensic inventory of exfiltrated data; any bank disclosures confirming direct impact; and findings from the FBI’s investigation that could clarify attribution and motive. In the near term, affected lenders will need to validate document integrity, communicate with counterparties and prepare for potential regulatory follow-up.