Major banks face data exposure after cyberattack on SitusAMC mortgage vendor

SitusAMC, a Houston-based technology vendor providing services to real estate lenders across the United States, is reporting a cyberattack on November 12, 2025, that potentially compromised sensitive client data belonging to major financial institutions including JPMorgan Chase, Citigroup, and Morgan Stanley. 

The company manages over $1.5 trillion in assets under servicing and holds vast troves of personal information on clients of hundreds of banking institutions. The company spent nearly two weeks assessing the full extent of the compromised data before notifying affected institutions on November 22, 2025.

The breach potentially exposed the following types of sensitive data:

• Social Security numbers
• Loan details and financial histories
• Accounting documents and records
• Legal contracts and agreements
• Personal information from mortgage loan applications
• Residential mortgage data
• Financial details tied to mortgage servicing
• Proprietary trading strategies and credit risk models

The number of affected individuals and the nature of the attack are not disclosed. Sources familiar with the matter indicate that the breach potentially affects millions of people who have applied for or hold mortgage and commercial real estate loans. 

The FBI's cyber division is leading the investigation. Major banks scrambled into damage-control mode over the weekend following notification. JPMorgan Chase started forensic reviews and notifying affected clients and Citigroup and Morgan Stanley issued internal alerts to compliance teams. The incident has triggered urgent assessments across the financial sector and raised questions about third-party vendor vulnerabilities in financial services. 

Regulatory scrutiny from the Federal Reserve and Office of the Comptroller of the Currency appears inevitable, as banks face potential fines if oversight lapses are uncovered under guidelines like SR 13-19 governing third-party risk management.