Major Bank Client Data May Be Exposed in Vendor Hack
Client records for JPMorgan Chase, Citi and Morgan Stanley may have been accessed in a cyberattack on a New York based vendor for real estate lenders, raising fresh concerns about third party risk in banking. The vendor says it contained the incident and that critical services remain operational, yet regulators and customers will be watching for the scope and fallout.
A technology vendor that serves real estate lenders said it was the target of a cyberattack that may have exposed client related data for several major banks, including JPMorgan Chase, Citi and Morgan Stanley, according to reporting by the New York Times and the vendor's own statement. SitusAMC, based in New York, said the breach occurred on November 12 and that it had compromised certain information from its systems.
SitusAMC acknowledged that some corporate records tied to its clients had been affected, naming accounting documents and legal contracts among the material accessed. "Data relating to some of our clients' customers may also have been impacted," the company said on its website, and it added that it had notified law enforcement. SitusAMC chief executive Michael Franco told the New York Times that the company remained focused on analyzing any potentially affected data.
The vendors role as a data processor for lenders means the incident risks exposing detailed loan level information as well as ancillary paperwork that can include personally identifiable information. The New York Times reported that client data for several large financial firms may have been accessed, though SitusAMC did not identify specific institutions in its public notice. JPMorgan Chase, Citi and Morgan Stanley did not immediately respond to requests for comment.
Federal authorities are involved in assessing the incident. FBI Director Kash Patel said in a statement, "While we are working closely with affected organizations and our partners to understand the extent of potential impact, we have identified no operational impact to banking services." Reuters could not immediately reach the FBI for additional comment.
SitusAMC said the incident had been contained and that its services were fully operational, and it emphasized that no encrypting malware was involved. The company did not quantify the number of records or the precise types of customer information that may have been exposed, leaving questions about scale and sensitivity unanswered.
The episode underscores how the financial industry remains vulnerable through its reliance on third party vendors that hold or process sensitive client data. Cybersecurity experts caution that attackers often target intermediaries to gain broad access to multiple institutions at once, and regulators in the United States have increasingly focused on vendor risk management as a supervisory priority.
For consumers and corporate clients the principal immediate concerns are potential identity theft, fraudulent use of financial information and a longer term risk of targeted scams that can follow a breach. For the banks involved the incident could prompt expedited reviews of contractual safeguards, notification obligations and potential legal liability depending on what data is confirmed as exposed.
Regulators and lawmakers will likely press for detailed audits and may demand corrective measures to shore up protections at affected vendors. In the near term investigators from law enforcement and the vendor are expected to continue forensic work to determine the breadth of the compromise and to inform notification and remediation steps for affected customers.
