Major US banks are assessing potential exposure after New York-based real estate finance vendor SitusAMC disclosed a cyberattack that compromised corporate records and may have affected customer information.

SitusAMC said it discovered unauthorised access on 12 November and has since contained the incident, with services fully operational. In a public statement, the company said “corporate data associated with certain of our clients’ relationship with SitusAMC such as accounting records and legal agreements has been impacted. Certain data relating to some of our clients’ customers may also have been impacted.” It added: “We remain focused on analyzing any potentially affected data,” and noted the incident did not involve encrypting malware.

JPMorgan Chase, Citi and Morgan Stanley have been notified by the vendor that client data may have been taken, according to reports from the New York Times and CNN. A JPMorgan spokesperson told the New York Times the bank had not been hacked directly. The banks declined to comment to Reuters.

SitusAMC said it is working with external experts and law enforcement, including the Federal Bureau of Investigation. Michael Franco, SitusAMC’s chief executive officer, said in a statement to the New York Times: “We remain focused on analysing any potentially affected data,” confirming that law enforcement had been notified.

FBI director Kash Patel said in a statement reported by multiple outlets: “While we are working closely with affected organizations and our partners to understand the extent of potential impact, we have identified no operational impact to banking services.” He added: “We remain committed to identifying those responsible and safeguarding the security of our critical infrastructure.”

The company’s customer letter dated 22 November reiterated that “our systems and services are fully operational” and that it had “taken measures to further secure our systems” including credential resets, disabling remote access tools, updating firewall rules, and enhancing certain security settings. The investigation into which services and products were affected remains ongoing.

Security specialists highlighted the risk of third-party dependencies in financial services. Munish Walther-Puri, head of critical digital infrastructure at cybersecurity firm TPO Group, told CNN: “The SitusAMC breach is a stark reminder that the weakest links may be buried deep within the technology partnerships and vendor dependencies that fuel critical operations.”

SitusAMC, which serves hundreds of lenders and handles loan origination and compliance services, said it is providing regular updates directly to clients and will share further information as appropriate.

---