A cyberattack on third-party vendor SitusAMC has affected sensitive mortgage data linked to several financial institutions, including JPMorgan, Citi, and Morgan Stanley.
The FBI took charge of the investigation following the data breach, which compromised records, including Social Security Numbers. The cyberattack also raised concerns over the financial system’s vulnerability to third-party risks.
Wall Street on alert
The cyberattack took place on 12 November 2025 and compromised mortgage data from JPMorgan, Citi, and Morgan Stanley. Both banks and regulators took effective action after the breach, immediately starting to assess the extent of the exposure.
SitusAMC, the third-party vendor, confirmed that it has spent approximately two weeks defining exactly what data the hackers had access to. The company supports banks and lenders across the US with functions such as mortgage origination, servicing, and payment processing, and holds a substantial position in the industry. Because of this role, the breach could result in a potential domino effect that is more extensive.
Furthermore, as detailed by the New York Times, although the corporate world is familiar with cyberattacks, this breach led to increased concern on Wall Street. The concern stems from SitusAMC storing extensive personal data from loan applications. Following the breach, the vendor has been offering banks near-daily updates as it focuses on determining the full scope of the data compromised.
JPMorgan Chase, Citigroup, and Morgan Stanley are among the financial institutions that have been alerted by SitusAMC that their clients’ data may have been part of the breach, according to IBT. After discovering the cyberattack, SitusAMC started working with third-party forensic specialists and federal authorities, as detailed by the same sources. Additionally, law enforcement was notified about the breach.
The FBI taking charge
Currently, the FBI is leading the probe, with officials from the bureau stating that they are working on determining how the hackers gained access and what information may have been affected. Kash Patel, the FBI Director, said in a statement to the New York Times that, while the bureau is collaborating with affected organisations and its partners to understand the extent of the potential impact, it has identified no operational impact to banking services.