
SitusAMC data breach 2025: Lessons for managing financial supply chain risks

Author: Hiranmayi Krishnan, Cybersecurity Specialist, ManageEngine


Third-party ecosystems have become the primary attack vector in financial cybersecurity, as the SitusAMC data breach of November 2025 shows. The incident highlights how attackers, rather than breaching banks directly, target vendors to gain indirect access to financial institutions and exfiltrate sensitive customer PII and financial data. By exploiting a single point in the mortgage services supply chain, the threat actors stole sensitive corporate data and borrower personal information tied to over a thousand financial institutions, including JPMorgan Chase, Citi, and Morgan Stanley.

For CISOs in the financial and mortgage sectors, this data breach serves as a reality check: any third party with access to nonpublic data represents a potential attack surface, making continuous, risk-based vendor risk management a business necessity rather than an optional extra. Simply put, the SitusAMC security breach demonstrates that resilience depends not just on internal controls, but on the security maturity of the entire supply chain.

Key takeaways for CISOs

  • Third-party vendors are a primary attack vector: The SitusAMC breach highlights how attackers exploit vendors to gain indirect access to financial institutions at scale. A single vendor breach rippled across hundreds of financial institutions, exposing client data they were contractually responsible for protecting.
  • Credential hygiene and remote access controls are foundational: The post-breach actions at SitusAMC (credential resets, disabling remote access tools, and tightening firewall rules) highlight how quickly these controls can erode and why they require continuous validation rather than one-time implementation.
  • Vendor breach notification timelines trigger multi-party regulatory obligations: Banks that received SitusAMC's notification were immediately subject to their own 36-hour reporting requirements under the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve Board (FRB), which governs the Federal Reserve System in the United States, as well as state-level obligations, creating a cascading compliance burden.
  • Consolidated visibility over vendor-managed data is non-negotiable: Continuous monitoring, dark web intelligence, and behavioral analytics are essential for detecting unauthorized data movement in and around third-party environments.
  • Incident response must account for litigation risk: Eight separate class-action complaints were filed within weeks of public disclosure, emphasizing the importance of transparent, timely breach communication strategies.

SitusAMC breach: An overview and timeline

On November 12, 2025, SitusAMC, a major New York-based technology and advisory services company serving the real estate and mortgage finance industry internationally, detected unauthorized access within its IT network. The company immediately launched an investigation with the assistance of third-party forensic experts and notified federal law enforcement, including the FBI.

Through its investigation, SitusAMC determined that the unauthorized third party had actively exfiltrated data from certain systems, but clarified that there were no signs of encryption or ransomware. According to SitusAMC, the impacted data includes corporate information linked to certain client engagements, such as financial records and contractual agreements, as well as certain data associated with customers of those clients. The FBI Director, Kash Patel, confirmed that the bureau was investigating and that no operational impact to banking services had been identified at that time.

Although the company detected the compromise on November 12, it only began notifying potentially affected customers on November 16, and publicly disclosed the breach to all its customers on November 22, 2025. Three days later, SitusAMC began sending formal notification letters to affected clients, based on its identification of file paths associated with compromised data. The affected file paths involved:

  • Files associated with its residential Collateral and Asset Management (CAM) system.
  • Corporate files that generally include legal contracts and accounting documents.

On December 9, 2025, SitusAMC announced that its investigation had found that the threat actors had not accessed (or even attempted to access) the emBTRUST or ProMerit applications. By December 29, 2025, SitusAMC confirmed that the forensic investigation was closed and that the threat actors had been eradicated from the environment, with no evidence of ongoing persistence.

On January 14, 2026, a federal judge in New York consolidated eight class-action lawsuits against SitusAMC Holdings Corp over the data breach. By February 12, 2026, SitusAMC had started sending consumer notification letters (to those whose PII and/or confidential information was leaked) ahead of schedule, and on March 17, 2026, it confirmed that the data review process was complete and that all required consumer notifications had been made.

Though its investigation is complete, SitusAMC has not disclosed how many individuals were affected, how the breach occurred, whether it was contacted by the threat actors, or whether it has even identified who they were. However, the security hardening measures taken after the breach were reported as:

  • Implementing credential resets
  • Disabling remote access tools
  • Updating firewall rules
  • Enhancing security settings

Figure 1: SitusAMC breach attack timeline

The Financial Industry Regulatory Authority (FINRA) also issued a cybersecurity alert to its member firms, since many of them use banks that in turn rely on SitusAMC's services, creating a fourth-party risk exposure. FINRA's recommendations include member firms engaging directly with their banking vendors to determine whether their data was potentially impacted, and following the NIST CSF 2.0 framework to monitor and mitigate such incidents.

Best practices for third-party and supply chain risk management

Here are some best practices for CISOs to manage and mitigate vendor risk, based on recommendations from the New York State Department of Financial Services (NYDFS) and the NIST CSF 2.0 framework:

  • Establish governance and executive accountability: Define a formal third-party risk management (TPRM) program aligned with enterprise risk management. Ensure senior leadership maintains oversight, with clearly defined roles, responsibilities, and accountability that cannot be delegated to vendors.
  • Perform rigorous due diligence: Assess vendor cybersecurity posture, financial stability, regulatory exposure, and supply chain dependencies before onboarding. Validate the integrity of their products and services, including risks introduced by subcontractors (fourth parties).
  • Enforce strong contractual security controls: Embed cybersecurity requirements into contracts, including access controls (for example, adaptive MFA, principle of least privilege and just-in-time access for all users), regular credential rotation, network segmentation, encryption standards, breach notification timelines, audit rights, data handling restrictions, and subcontractor transparency.
  • Ensure visibility into supply chain dependencies: Maintain awareness of downstream (fourth-party) relationships and assess risks across the broader supply chain ecosystem, not just direct vendors.
  • Adopt a risk-based vendor classification model: Maintain a comprehensive inventory of third parties and classify them based on criticality, level of access, data sensitivity, and business impact. Prioritize high-risk vendors for deeper scrutiny and controls.
  • Implement continuous monitoring and risk assessment: Move beyond periodic reviews to continuous monitoring of vendor security posture, vulnerabilities, and anomalous activity. Regularly reassess risks and ensure timely remediation of identified gaps.
  • Integrate vendors into incident response and resilience planning: Include third parties in incident detection, response, and recovery processes. Ensure clear communication protocols, coordinated response actions, and alignment with business continuity plans.
  • Build and test a vendor breach response playbook: Develop a dedicated vendor breach response playbook specifying roles, escalation paths, and pre-drafted notification templates aligned with OCC/FDIC/FRB, NYDFS, CISA, and Federal Trade Commission (FTC) reporting timelines, and validate it regularly through tabletop exercises involving legal, compliance, risk, IT, and communications teams.
  • Secure the full vendor life cycle, including offboarding: Enforce strict access controls throughout the engagement and ensure secure termination by revoking access, retrieving or destroying data, and validating that no residual connections remain.
  • Continuously improve and mature TPRM practices: Incorporate lessons learned from incidents, audits, and testing into the TPRM program. Progress toward a more adaptive, intelligence-driven model with real-time risk visibility and proactive mitigation.

Effective third-party risk management requires combining regulatory rigor with risk-based adaptability, ensuring that vendor ecosystems are continuously assessed, governed, and secured as an extension of the enterprise.

How can SIEM and IAM solutions help prevent breaches?

A SIEM solution with integrated UEBA, DLP, and dark web monitoring capabilities helps financial institutions and their vendors detect anomalous user and entity behavior indicative of unauthorized access or data exfiltration. This includes indicators such as unusual file access, off-hours activity, or access from unfamiliar geolocations, enabling detection before data leaves the environment. It can correlate authentication events, file access activity, and network behavior across on-premises and cloud environments to surface early warning signs of lateral movement or privilege escalation. Dark web monitoring enables proactive defense by detecting leaked credentials and corporate data before threat actors use them in subsequent attacks.
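The behavioral checks this paragraph describes (off-hours activity, unfamiliar geolocation, unusual file-access volume, corroborated before alerting) as a small worked illustration. This is added example code, not ManageEngine's or Log360's own logic; the event format, the business-hours window, the spike factor and the sample events are all assumptions constructed for the example.

```python
from datetime import datetime

# Constructed sample file-access events (illustrative only, not from the page):
# user, UTC timestamp, source country, number of files read in the session.
SAMPLE_EVENTS = [
    "alice,2025-11-10T09:15:00,US,12",
    "alice,2025-11-10T14:40:00,US,20",
    "alice,2025-11-11T10:05:00,US,15",
    "alice,2025-11-11T23:30:00,NL,340",  # off-hours, unfamiliar country, bulk read
    "bob,2025-11-10T11:00:00,US,8",
    "bob,2025-11-11T12:20:00,US,9",
    "bob,2025-11-12T03:10:00,US,6",      # off-hours only: one signal, no alert
]

BUSINESS_HOURS = range(6, 20)  # assumed working window, 06:00-19:59 UTC
SPIKE_FACTOR = 5               # assumed: more than 5x the user's prior maximum is bulk access

def parse_event(line):
    user, ts, country, files = line.split(",")
    return {"user": user, "time": datetime.fromisoformat(ts), "country": country, "files": int(files)}

def signals_for(event, history):
    """Compare one event against the same user's earlier events (their behavioural baseline)."""
    signals = []
    if event["time"].hour not in BUSINESS_HOURS:
        signals.append("off_hours")
    if history:  # geo and volume checks need a baseline; a user's first event only seeds it
        if event["country"] not in {h["country"] for h in history}:
            signals.append("unfamiliar_geo")
        if event["files"] > SPIKE_FACTOR * max(h["files"] for h in history):
            signals.append("volume_spike")
    return signals

def analyze(lines, threshold=2):
    """Stream events in time order and return (user, timestamp, signals) for each event whose
    corroborating signals reach the threshold, so a lone off-hours login does not page anyone."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    history, alerts = {}, []
    for ev in events:
        past = history.setdefault(ev["user"], [])
        sig = signals_for(ev, past)
        if len(sig) >= threshold:
            alerts.append((ev["user"], ev["time"].isoformat(), sig))
        past.append(ev)  # the event joins the baseline only after it has been scored
    return alerts

if __name__ == "__main__":
    for user, when, sig in analyze(SAMPLE_EVENTS):
        print(f"ALERT {user} at {when}: {', '.join(sig)}")
```

In a real deployment the baseline would be built from weeks of history and the thresholds tuned per role; the point is that a single weak signal is noise, while several together on one session is the exfiltration pattern worth investigating.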

An IAM solution strengthens security by enforcing MFA across all access points, including remote access tools, VPNs, and external-facing portals. It also applies the principle of least privilege so users can only access the data and systems required for their roles. It provides centralized visibility over identity and access activity across the enterprise, making it possible to detect anomalous access patterns, revoke permissions dynamically, and maintain auditable records of who accessed what data and when. This helps reduce the blast radius of supply chain breaches.

Frequently asked questions

What happened in the SitusAMC data breach?

On November 12, 2025, SitusAMC discovered unauthorized access to its IT network. The company determined that it was a targeted data theft operation with no encrypting malware involved. Threat actors were able to access and exfiltrate certain internal and client-related data. As SitusAMC is a third-party provider to financial institutions, the incident raised concerns about indirect exposure across banks and mortgage ecosystem partners.

What is SitusAMC?

SitusAMC is a New York-based financial services and technology firm that supports the commercial and residential real estate finance and mortgage industry. It provides advisory, due diligence, data, and operational services to banks, mortgage lenders, asset managers, and institutional investors that rely on it to manage and process real estate-related financial data. It serves approximately 1,500 clients, including many of the largest U.S. banks, mortgage lenders, pension funds, and government entities, and processes billions of loan-related documents annually.

What data was compromised in the SitusAMC breach?

The breach impacted corporate data, including accounting records and legal agreements, and borrower and consumer PII from SitusAMC's residential CAM and loan due diligence systems. Compromised data might have included names, addresses, dates of birth, driver's license numbers, Social Security numbers, and financial account information.

Were JPMorgan Chase, Citi, and Morgan Stanley hacked?

There is no confirmed evidence that JPMorgan Chase, Citigroup, or Morgan Stanley were directly hacked. However, they were among the financial institutions notified by SitusAMC that their data might have been affected as a result of the breach. According to multiple sources, including CNN, the banks in question declined to comment.

Was the SitusAMC breach a ransomware attack?

No. SitusAMC confirmed that no encrypting malware was involved. The company suffered a stealthy data exfiltration attack.

How did SitusAMC respond to the breach?

SitusAMC initiated incident response procedures, including securing affected systems, resetting credentials, restricting access, and enhancing security controls. The company also engaged external cybersecurity experts and notified federal law enforcement to investigate the incident, and began notifying affected clients in line with regulatory and contractual obligations.

What are the breach notification timelines for affected financial institutions?

According to multinational law firm Ropes & Gray, banks must notify their primary federal regulator within 36 hours under OCC/FDIC/FRB rules. NYDFS-regulated entities have a 72-hour window. Entities subject to the GLBA/FTC Safeguards Rule must notify the FTC within 30 days. State breach notification laws apply varying timelines on top of these federal obligations.

Related solutions

ManageEngine AD360 is a unified IAM solution that provides SSO, adaptive MFA, UBA-driven analytics, and RBAC. Manage employees' digital identities and implement the principle of least privilege with AD360.

ManageEngine Log360 is a unified SIEM solution with UEBA, DLP, CASB, and dark web monitoring capabilities. Detect compromised credentials, reduce breach impacts, and lower compliance risk exposure with Log360.

This content has been reviewed and approved by Ram Vaidyanathan, IT security and technology consultant at ManageEngine.