NEW YORK—A cyberattack on SitusAMC, a major mortgage-services vendor used across the U.S. financial sector, is prompting renewed warnings about supply-chain vulnerabilities—an issue former NCUA Chairman Todd Harper repeatedly flagged as a threat even to highly defended industries such as credit unions.
SitusAMC disclosed that attackers breached its systems on Nov. 12, stealing corporate records and legal agreements along with data tied to some client customers, according to CSO Online. The New York-based firm, which processes residential mortgage information for more than 1,500 financial institutions, confirmed the intrusion on Nov. 22 and said the full scope of exposed consumer data remains under investigation.
The New York Times, cited by CSO Online, reported that JPMorgan Chase, Citi, and Morgan Stanley were among institutions notified of potential exposure. SitusAMC declined to answer questions about how many clients were affected, and the banks either declined to comment or did not respond.
The incident underscores the risks that arise when attackers target third-party vendors embedded deep in financial-services operations. As Cybersecurity Dive noted, the financial sector is widely regarded as the best-defended industry in the U.S., yet it remains vulnerable when upstream suppliers lack equivalent controls—an imbalance that can create cascading points of compromise.
Federal investigators are now involved. FBI Director Kash Patel told both the Times and Cybersecurity Dive that the bureau is working with affected organizations but has not identified any operational disruptions to banking services.
SitusAMC, which handles highly sensitive mortgage-application data—including Social Security numbers, employment records, and financial-account details—said the breach did not involve ransomware. Instead, attackers appear focused on data theft. The company said the intrusion has been contained and operations remain fully functional.
Both Cybersecurity Dive and CSO Online reported that the source of the attack and the number of affected institutions have not yet been determined.