If you’ve got a US mortgage, there’s a good chance a company you’ve never dealt with – SitusAMC – has handled your loan data. And now, the SitusAMC bank data breach has quietly turned that hidden plumbing into a front-page security problem.
Over the past few days, major US banks including JPMorgan Chase, Citi and Morgan Stanley have warned clients that a real-estate tech vendor was hacked, and that some customer information may have been swept up in the attack.
The twist: your bank wasn’t “hacked” – their back-end vendor was.
Wait, who on earth is SitusAMC?
SitusAMC isn’t a household name, but in the world of real-estate finance it’s huge.
- It provides technology and services for commercial and residential real-estate lending.
- It helps banks, mortgage lenders, pension funds and even government agencies manage loans, documents and compliance.
- It claims to support over a thousand financial institutions and to handle billions of loan documents every year.
Think of it as the outsourced back office for a huge chunk of the US mortgage system: document custody, loan accounting, collateral and asset management, automated underwriting – the unglamorous but critical stuff that keeps your mortgage “just working”.
That’s exactly why this incident matters: when a vendor this deep in the stack gets hit, the blast radius can span multiple banks at once.
What we know about the SitusAMC bank data breach
Timeline and basic facts
According to SitusAMC’s own breach notice, the company detected an incident on 12 November 2025 and later confirmed that “certain information” from its systems had been compromised.
SecurityWeek and other outlets report that:
- Attackers accessed corporate data tied to client relationships, including accounting records and legal agreements.
- Some data related to clients’ customers (i.e. bank customers) also appears in the impacted files.
- The company says there was no encrypting ransomware involved – this looks like a data-theft operation, not a smash-and-grab outage.
- Systems are now said to be fully operational after measures like credential resets, disabling remote access tools and updating firewall rules.
Banks themselves have started quietly warning customers. Reporting based on bank letters and briefings indicates that:
- JPMorgan, Citi and Morgan Stanley are among the affected institutions.
- Exposed data may include mortgage-related personal information, and potentially account-linked details, though the exact scope is still under review.
- The FBI is involved, but investigators say there’s no current impact on banking services – your app and cards still work.
In other words, this isn’t the kind of attack that knocks ATMs offline. It’s the quieter, more lucrative kind: steal rich data, not uptime.
What kind of data are we talking about?
SitusAMC says impacted files fall into a few big buckets:
- Corporate files – legal contracts, invoices, accounting documents
- Client files – especially those tied to its residential collateral and asset management system
- A smaller set of other records, including loan due-diligence files in its residential business
For an ordinary borrower, that could translate into things like:
- Loan numbers and mortgage details
- Property information
- Legal paperwork linked to your loan
- Potentially identifying information held inside those documents
Investigators haven’t yet completed a line-by-line review of each document set, so the full picture of personal data exposure isn’t clear.
But the direction of travel is obvious: this is not just abstract bank data – it can lead back to real people and real mortgages.
Why this matters to you if you have a mortgage or savings
Even if your bank says, “Our systems weren’t breached,” that doesn’t mean you’re in the clear.
The SitusAMC bank data breach highlights a nasty reality:
Every vendor that touches your financial data effectively becomes part of your bank’s attack surface.
The risks for customers include:
Targeted phishing and scams
- Attackers armed with accurate mortgage balances, property addresses or loan dates can craft ultra-convincing phishing emails, fake refinance offers, or “arrears” notices.
Identity and credit fraud
- If any personally identifiable information appears in breached loan or due-diligence files, criminals can blend it with other leaks to open new accounts or hijack existing ones.
Long-tail exposure
- Leaked legal and accounting documents often live for years in criminal data markets, resurfacing in future scams long after the initial breach has dropped out of the news cycle.
Meanwhile, third-party incidents are accelerating. One recent survey cited by CSO Online found that third parties accounted for 30% of data breaches in 2024, up 15% from 2023, and that nearly half of organisations experienced a third-party cyber incident in the last year.
SitusAMC is just one example of a much larger trend.
Not an isolated incident – Comcast, Gainsight and the vendor domino effect
The SitusAMC bank data breach lands alongside a string of high-profile “it wasn’t us, it was our vendor” stories.
Comcast – fined for a vendor it no longer used
Telecoms giant Comcast is paying a $1.5 million fine after the FCC found that a 2024 breach at its former debt-collection vendor, Financial Business and Consumer Solutions (FBCS), exposed the personal data of almost 275,000 Comcast customers.
Key points:
- FBCS was hacked between February 14 and 26, 2024.
- Stolen data included names, addresses, Social Security numbers, dates of birth and Comcast account numbers.
- Comcast had stopped using FBCS two years before the breach but still faced regulatory heat over how its customer data was handled and disposed of.
Result? Comcast now has to beef up vendor oversight, appoint a compliance officer and carry out regular risk assessments of third-party data handlers – a clear sign that regulators won’t accept “it was the vendor” as a get-out clause.
Gainsight – Salesforce customers hit via a side door
On the SaaS side, Salesforce recently confirmed “unusual activity” involving Gainsight-published apps that may have exposed customer data from its CRM platform.
Subsequent research suggests:
- Attackers previously stole OAuth tokens and secrets from another vendor and then abused Gainsight integrations to access Salesforce instances.
- Google’s threat team now believes 200+ companies had Salesforce-stored data siphoned off via this route.
Salesforce stresses that its core platform wasn’t vulnerable; the problem sat in the web of connected apps and integrations that customers rely on.
Again, the pattern is the same:
- The main brand says “our network wasn’t hacked”.
- The damage still lands on their customers.
- The root cause is trusted vendors and integrations with deep, often poorly monitored access.
Pull SitusAMC, Comcast/FBCS and Gainsight together, and you get a clear message: attackers now hunt for the quietest, most connected partner in the chain – not the loudest logo.
What banks and vendors need to change (yesterday)
Incidents like the SitusAMC bank data breach make “vendor security questionnaires” look laughably shallow. Security experts quoted in coverage of the breach argue that banks need to treat vendors almost like internal business units from a risk perspective.
Some practical shifts that need to happen:
- Rank vendors by blast radius, not contract size
  - Who holds the most sensitive data? Who has the widest access? Those vendors should sit at the top of the risk pile, no matter how small the invoice.
- Enforce “least privilege” for integrations
  - That means scoping APIs and SSO access to exactly what’s needed, and expiring unused tokens and logins aggressively.
- Continuous monitoring, not annual audits
  - Look for behavioural anomalies in vendor API calls and file access. If a vendor starts bulk-pulling documents at 3am, you want alarms – and the ability to cut their access in minutes, not weeks.
- Contractual teeth plus technical controls
  - Comcast’s FCC settlement effectively forces stronger vendor governance. Banks will likely face similar pressure to prove that vendor oversight is real, enforced and tested – not just an appendix in a contract.
In short: if a vendor can move millions of documents, they deserve the same scrutiny as a core banking system.
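The "bulk-pulling documents at 3am" alarm described above can be expressed as a per-vendor baseline check. This is an added example, not code from the article or from any bank or vendor; the log format, vendor names, 5x threshold and 08:00-18:59 business window are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access log: ISO timestamp, vendor id, documents fetched.
SAMPLE_LOG = """\
2025-11-03T10:05:00 vendor-a 40
2025-11-03T14:20:00 vendor-a 55
2025-11-04T11:10:00 vendor-a 35
2025-11-04T15:45:00 vendor-a 60
2025-11-05T09:30:00 vendor-a 50
2025-11-05T13:00:00 vendor-b 20
2025-11-06T03:02:00 vendor-a 900
2025-11-06T03:40:00 vendor-a 1200
2025-11-06T10:15:00 vendor-a 45
"""

def parse(log):
    """Yield (datetime, vendor, doc_count) from whitespace-separated lines."""
    for line in log.splitlines():
        ts, vendor, count = line.split()
        yield datetime.fromisoformat(ts), vendor, int(count)

def hourly_totals(events):
    """Sum documents fetched per (vendor, hour bucket)."""
    totals = defaultdict(int)
    for ts, vendor, count in events:
        totals[(vendor, ts.replace(minute=0, second=0))] += count
    return totals

def find_anomalies(log, baseline_end, factor=5, business_hours=range(8, 19)):
    """Return (vendor, hour, total, off_hours) for hours at or after baseline_end
    where volume exceeds factor x the vendor's median hourly volume before it.
    A vendor with no history has a baseline of 0, so any activity is flagged."""
    totals = hourly_totals(parse(log))
    history = defaultdict(list)
    for (vendor, hour), total in totals.items():
        if hour < baseline_end:
            history[vendor].append(total)
    alerts = []
    for (vendor, hour), total in sorted(totals.items()):
        if hour < baseline_end:
            continue
        baseline = median(history[vendor]) if history[vendor] else 0
        if total > factor * baseline:
            alerts.append((vendor, hour, total, hour.hour not in business_hours))
    return alerts
```

Run against the constructed log with the baseline ending on 6 November, only the 03:00 burst from `vendor-a` is flagged, and it is marked as off-hours; the normal 10:15 pull the same day is not.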
What you can do as a customer
You can’t control who your bank uses as a vendor, but you’re not powerless. When stories like the SitusAMC bank data breach break, treat them as a prompt to tighten your own defences.
1. Watch for ultra-convincing phishing
Assume attackers will eventually weaponise whatever they stole.
- Be suspicious of emails or calls that reference real loan details (exact mortgage amount, payment date, property address) and ask you to click a link or “update details”.
- If in doubt, log in via the official bank app or website you already know, or call the number on the back of your card – not the one in the email.
2. Lock down your credit where possible
In the US, consider:
- Credit monitoring (often offered after breaches)
- Fraud alerts or credit freezes with the major bureaus if you think your identity data may be involved
Even if the SitusAMC review later shows minimal personal data exposure, there’s no harm in levelling up your monitoring now.
3. Ask better questions of your bank
Next time your bank sends a bland “we take your security seriously” email, push back:
- Which vendors had access to my mortgage data?
- Do you maintain independent security assessments of those vendors?
- How quickly can you cut a vendor’s access if suspicious activity appears?
If enough customers start asking those questions, third-party risk stops being a footnote and becomes something executives actually lose sleep over.
The real headline: your bank’s weakest link is probably off the payroll
The SitusAMC bank data breach isn’t just another line in a breach tracker. It’s the latest proof that:
- Your data can be at risk even when your bank’s own network stays clean.
- Quiet, specialised vendors now sit at the heart of critical systems like mortgages, loan servicing and customer analytics.
- Regulators are willing to fine big brands (Comcast today, maybe banks tomorrow) for third-party failures.
If you’re a customer, assume your financial life runs through a dense mesh of third-party providers you’ve never heard of – and act accordingly.
If you’re a bank or fintech, assume attackers already know exactly which of those providers is your softest spot.
And if you’re a vendor handling other people’s customer data?
Congratulations. You are now critical national infrastructure. Start acting like it.
