Between November 2025 and early 2026, SitusAMC - a mortgage technology and analytics vendor - suffered a prolonged data exfiltration attack.
The stolen information includes Social Security numbers, detailed financial records, accounting documents, and confidential legal agreements belonging to clients including JPMorgan Chase, Citigroup, and Morgan Stanley. The FBI is actively investigating.
KEY FACTS
- What: Mortgage tech vendor breached in pure data exfiltration - no ransomware deployed.
- Who: Clients including JPMorgan Chase, Citigroup, Morgan Stanley affected.
- Data: SSNs, financial details, accounting records, legal agreements.
- Response: FBI investigation active.
WHAT HAPPENED
Between November 2025 and early 2026, an unknown threat actor gained access to SitusAMC's internal systems and conducted a prolonged data exfiltration operation.
SitusAMC is a New York-based mortgage technology and analytics vendor that processes sensitive financial data on behalf of major Wall Street institutions - a position that made it a high-value supply chain target.
The attacker operated undetected for multiple months, systematically extracting Social Security numbers, financial records, accounting documents, and confidential legal agreements tied to client relationships with JPMorgan Chase, Citigroup, Morgan Stanley, and other major banks.
The breach was a pure data theft operation - no ransomware was deployed, no systems were encrypted, and no extortion demand was publicly reported. This pattern is consistent with threat actors who prioritize stealth and long-term access over immediate monetization.
The multi-month dwell time indicates that SitusAMC's network monitoring and data loss prevention controls failed to detect anomalous data movement at scale. The FBI opened an active investigation into the incident.
The full scope of affected individuals has not been publicly disclosed, but the nature of SitusAMC's business - processing mortgage origination data including borrower identities, financial profiles, and property records - suggests that hundreds of thousands of individuals may be impacted across the client base.
WHAT WAS EXPOSED
- Social Security numbers for mortgage borrowers - potentially hundreds of thousands of individuals
- Detailed financial records including loan origination documents, appraisal reports, and underwriting files
- Accounting records and internal financial statements
- Confidential legal agreements between SitusAMC and its Wall Street clients
- Internal correspondence reflecting scope of work for JPMorgan Chase, Citigroup, Morgan Stanley
TECHNICAL FAILURE CHAIN
- Sustained exfiltration without detection - multi-month dwell time indicates failures in network monitoring
- Absence of data loss prevention controls - DLP not configured to detect bulk extraction
- Vendor access segmentation failures - single compromise accessed data from multiple bank clients
- Supply chain amplification - single point of compromise cascaded across entire client base
REGULATORY EXPOSURE
- Gramm-Leach-Bliley Act (GLBA) - material non-compliance with Safeguards Rule
- SEC Cybersecurity Disclosure Rules - materiality threshold likely met for affected banks
- State Breach Notification Laws - SSNs trigger notification in all 50 states
- OCC and Federal Banking Regulators - likely to trigger vendor oversight examinations
ZERO|TOLERANCE Advisory
1. Client Data Segmentation - Each bank's data in separate environments
2. Data Loss Prevention at Scale - Monitor all egress points for SSN/financial data
3. Network Detection and Response - Detect anomalous exfiltration within hours, not months
4. Bank-Mandated Vendor Security Audits - Direct assessment beyond SOC 2 Type II reports
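To illustrate advisory items 2 and 3, the following is an added example (not from the original advisory or from SitusAMC) of a minimal egress check: per-host daily outbound volume is compared against that host's own prior median, and outbound content samples are screened for SSN-shaped values. The log records are constructed for the example; a real deployment would feed proxy or NetFlow exports instead.

```python
import re
import statistics
from collections import defaultdict

# Constructed egress summary (one record per host per day, as a proxy/NetFlow export might give):
# (day, source_host, destination, bytes_out, content_sample)
EGRESS = [
    (1, "app01", "cdn.example.net", 12_000, "GET /static/app.js"),
    (2, "app01", "cdn.example.net", 11_500, "GET /static/app.css"),
    (3, "app01", "cdn.example.net", 13_000, "GET /static/logo.png"),
    (4, "app01", "cdn.example.net", 12_400, "GET /static/app.js"),
    (5, "app01", "files.example.org", 950_000_000, "borrower_export.csv 123-45-6789"),
    (1, "db02", "backup.example.net", 40_000_000, "nightly.bak"),
    (2, "db02", "backup.example.net", 41_000_000, "nightly.bak"),
    (3, "db02", "backup.example.net", 39_500_000, "nightly.bak"),
    (4, "db02", "backup.example.net", 40_200_000, "nightly.bak"),
    (5, "db02", "backup.example.net", 40_800_000, "nightly.bak"),
]

# SSN pattern excluding the ranges SSA never issues: area 000, 666, 900-999; group 00; serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

def contains_ssn(text):
    return SSN_RE.search(text) is not None

def egress_alerts(records, ratio=10.0, min_history=3):
    """Return alerts for (day, host) where bytes_out exceeds `ratio` times the host's median
    prior-day volume, or where the outbound content sample carries an SSN.
    A host needs `min_history` earlier days before the volume rule applies, so a newly
    onboarded host does not alert on its first day for lack of a baseline."""
    history = defaultdict(list)
    alerts = []
    for day, host, dest, nbytes, sample in sorted(records):
        reasons = []
        if len(history[host]) >= min_history:
            base = statistics.median(history[host])
            if nbytes > ratio * base:
                reasons.append(f"volume {nbytes} is {nbytes / base:.0f}x median {base:.0f}")
        if contains_ssn(sample):
            reasons.append("SSN pattern in outbound content")
        if reasons:
            alerts.append({"day": day, "host": host, "dest": dest, "reasons": reasons})
        history[host].append(nbytes)
    return alerts

if __name__ == "__main__":
    for alert in egress_alerts(EGRESS):
        print(alert)
```

The db02 backup host moves far more data than app01 every day yet never alerts, because each host is judged against its own baseline; the one alert is app01's day-5 transfer, flagged on both volume and content.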
SOURCES
TechRepublic, CSO Online, Cybernews, Yahoo Finance