• Major US banks assess exposure after data breach at key vendor
• Attackers stole corporate data and financial records without using ransomware
• SitusAMC serves more than 1,500 financial institutions, amplifying systemic impact
• FBI working with affected organizations to determine extent of exposure
• Experts warn that hidden vendor dependencies create cascading cyber risks
• Incident highlights need for continuous validation of third-party security controls
A newly disclosed data breach at financial services provider SitusAMC has triggered urgent assessments across several major US banks as they race to understand whether sensitive client information was compromised.
The incident has reignited concerns about the fragility of third-party cybersecurity in a financial ecosystem that relies heavily on external technology providers.
SitusAMC, a New York-based firm that supports more than 1,500 commercial and residential real-estate financiers, confirmed that it discovered the breach on 12 November.
The company processes billions of loan documents annually and counts JPMorgan Chase, Citigroup and Morgan Stanley among its key clients. Pension funds and state governments also rely on its services.
In a public statement, the firm acknowledged that attackers stole internal corporate data linked to its banking client relationships, including accounting records and legal agreements.
Although the company has not named specific institutions, multiple media outlets reported that JPMorgan, Citi and Morgan Stanley received notifications regarding potential exposure.
The attack was notable for what it did not include. SitusAMC reported no sign of ransomware or data-locking malware on its systems, suggesting the intruders were focused solely on data theft rather than operational disruption.
The company said the incident has been contained, systems remain fully operational and an investigation is underway with the assistance of external cybersecurity experts.
“Upon learning of the incident, we took prompt steps to investigate the nature and scope of the incident with the assistance of leading, third-party experts,” the company said. “We also notified and began cooperating with law enforcement.”
As part of its containment measures, SitusAMC reset credentials, disabled certain remote-access tools, tightened firewall rules and strengthened specific security configurations.
However, the company has not yet confirmed how much data was stolen or how many banking clients may ultimately be affected.
Because firms like SitusAMC sit deep within the financial sector’s operational backbone, they routinely handle highly sensitive and non-public information on behalf of lenders, investors and servicers. That role elevates the systemic importance of their cybersecurity posture.
SitusAMC’s chief executive told The New York Times the company is focused on analyzing which data may have been impacted and confirmed that law enforcement has been notified.
A spokesperson for the FBI said the bureau is already working with affected organizations and emphasized that no disruption to banking services has been identified.
Despite the financial industry’s reputation for strong cyber defenses, experts warn that reliance on third-party technology creates layers of exposure that even the largest institutions struggle to fully map.
“The SitusAMC breach is a stark reminder that the weakest links may be buried deep within the technology partnerships and vendor dependencies that fuel critical operations,” said one industry expert.
The incident, they noted, demonstrates how a single compromised service provider can trigger widespread concern across the sector.
Another specialist stressed that banks should not assume their security controls are functioning as intended and must constantly validate protections across their supply chains.
Without that vigilance, organizations can fail to detect weaknesses in their vendors’ environments until attackers exploit them.
The breach has reinforced the reality that cyber resilience in modern finance is not solely defined by internal defenses but by the collective strength of an entire network of third-party providers.