US Banks Assess Data Loss After Hackers Breach Fintech Firm

A recent cyber incident involving a New York-based fintech firm, SitusAMC, has drawn significant attention because several major banks, including JPMorgan Chase, Citigroup, and Morgan Stanley, are now evaluating what customer information may have been taken.

Early statements indicate that some corporate materials connected to client relationships were stolen, but the full scope of the theft remains unknown, writes Zack Whittaker of TechCrunch. The intrusion is contained, according to the company, but it has not provided verified details about the volume or type of affected data.

SitusAMC operates as a large-scale technology and services provider to mortgage lenders, commercial real estate financiers, pension funds, and government entities. Because of its role supporting compliance, documentation, and processing functions, it manages extensive volumes of sensitive loan-related material and operational records.

Public descriptions of its business indicate that it processes billions of loan documents annually. Its broad customer base means that any breach may involve multiple organizations that rely on its systems for regulated workflows.

Reports from Bloomberg and CNN state that SitusAMC has notified affected financial institutions. The specific contents of the notifications have not been publicly released.

The company has acknowledged that hackers removed certain accounting records and legal agreements. The attackers did not deploy encryption malware, suggesting an intent to extract information rather than disrupt operations.

Banks have largely declined to comment, and there is no verified information regarding ransom demands or direct communication between the attackers and any financial institution. In a statement, FBI director Kash Patel said the bureau “remains committed to identifying those responsible and safeguarding the security of our critical infrastructure.”

Legal teams monitoring this situation, especially those with fintech firms, may wish to review notification timelines and the allocation of cybersecurity responsibilities in vendor contracts. A good look at third-party oversight measures, particularly where intermediaries support regulated activities, might also be merited.