Real estate lender tech provider SitusAMC has confirmed it suffered a cyberattack on November 12 that impacted the sensitive personal information of clients of hundreds of some of the nation’s biggest banks, including JPMorgan Chase.
The data exposed was related to residential mortgages. JPMorgan Chase, Citi, and Morgan Stanley are among those that have been notified that their client data may have been taken.
In a statement, the company said: “Corporate data associated with certain of our clients’ relationships with SitusAMC, such as accounting records and legal agreements, has been impacted. Certain data relating to some of our clients’ customers may also have been impacted. The scope, nature, and extent of such impact remain under investigation by the Company and its third-party advisors.”
Upon becoming aware of the incident, SitusAMC said it began an investigation with the assistance of leading experts. It also notified and continues to cooperate with federal law enforcement authorities and has started taking measures to assess and contain the incident.
“The incident is now contained, and our services are fully operational. No encrypting malware was involved.
We are in direct, regular contact with our clients about this matter. We remain focused on analyzing any potentially affected data and will provide updates directly to our clients as our investigation progresses,” SitusAMC added.
“The Company and its third-party advisors are working around the clock on our investigation, and we will provide another update as we have more information to share and as appropriate.”
Start Auditing Vendor Security Postures
Michael Bell, Founder & CEO of Suzu Labs, says: “SitusAMC proves that Wall Street’s hundreds of millions spent on bank cybersecurity is irrelevant when a third-party vendor holding SSNs, mortgage applications, and regulatory compliance data gets compromised.”
He added that the malefactors bypassed JPMorgan, Citi, and Morgan Stanley’s defenses entirely by hitting the shared services provider with access to all their customer data.
“Pentesting offers a lens inside these third-party environments and the lack of controls protecting customer data is shocking. Organizations need to start auditing vendor security postures with the same rigor they apply to their own perimeters.”
Significant, Widespread Third-Party Risk
Damon Small, Board of Directors, at Xcape Inc, adds that this incident highlights the significant and widespread third-party risk that major US financial institutions like JPMorgan Chase, Citi, and Morgan Stanley are currently exposed to.
“Despite claims of containment, the breach resulted in the confirmed exfiltration of highly sensitive residential mortgage data, including Social Security numbers and private real estate holdings, all valuable targets for identity theft.”
Small says it also confirms that the security of financial service providers is only as strong as the weakest link within their specialized fintech supply chain. “Under regulations like GLBA, banks are ultimately accountable for protecting client data across their entire vendor network, necessitating the immediate implementation of Zero Trust principles for all third-party access.”
“Banks should treat this breach as if client data has been exposed by immediately activating dark-web monitoring, placing fraud alerts, and closely monitoring for unauthorized changes of address and wire instructions within their mortgage and servicing systems. Lenders also need to immediately rotate tokens and credentials for SitusAMC integrations, implement stricter least-privilege access controls, and enforce breach-notification service-level agreements and data minimization practices through contractual obligations,” Small explains.
“Regulators will be expecting concrete evidence of third-party risk management, including vendor audits, immutable backups, and well-tested incident response playbooks that cover the entire lifecycle of loan origination, servicing, and secondary market data flows. Wall Street learned the hard lesson again: In the modern financial supply chain, the security of a bank’s information assets is only as effective as the least-protected mortgage application.”
Adopt an “Assume Breach” Mindset
Piyush Pandey, CEO at Pathlock says there’s a need for organizations to adopt an “assume breach” mindset — not only in theory but in practice, especially for those providing services to financial institutions and other critical infrastructure organizations.
“That means investing not just in preventive measures, but also in controls that enable rapid detection, containment, and remediation of attacks. This approach helps limit the scale of a breach and supports faster recovery.”
Delivered as a Commodity
Dave Tyson, Chief Intelligence Officer at iCOUNTER adds that third parties have always been a desirable target for cyber criminals, although as a vector in enabling targeted attacks they were rarer because they required deep knowledge of internal systems, executive profiles, business system connections, and IT infrastructure to be highly effective.
“Now, AI is making this level of targeting available to a much broader class of threat actors who can profile, conduct reconnaissance, and launch a sophisticated, cost-effective targeted attack with precision and speed. What was once limited by manual capacity and expertise is now able to be delivered as a commodity ranked by likelihood of successful compromise, maintaining anonymity, and value of the breach.”
Tyson says this new capability available at scale to cyber criminals requires defenders to rethink their approach to protecting their attack surface, and to consider their entire connected ecosystem of third parties and supply chain in their monitoring or active compromises. “Being able to alert when key third parties are at risk or actively compromised creates the time to counter the threat within your environment; this requires knowledge of what data is held by the third party, the extent to which you are reliant on that third party for critical business operations, and the nature of the connection between the organizations and the extent the compromise of the third party could lead to a compromise of your environment.”
Lost data lasts forever, Tyson says. “It can give visibility beyond the account information of a customer, provide understanding into how an organization classifies information, normal nomenclature, and operational norms, that can be used later in a separate type of attack; organizations are often limited by how fast they can change technology, infrastructure, and operating structures making some data highly value as a roadmap to illuminate internal process. Individual data can be combined with information from other sources to provide a treasure trove of ill-gotten intelligence for cyber criminals to utilize over years to come.”
Reset Access Credentials Immediately
Agnidipta Sarkar, Chief Evangelist at ColorTokens says the breach should be of significant concern to firms on Wall Street because of interconnectedness of data flows. “Typically, accounting records and legal agreements contain system architecture diagrams, data-sharing clauses, SLAs, or references to internal tools which could be goldmines for attackers planning follow-on intrusions. If credentials are stolen, then there is potential of lateral movement at each of the firms who use the app, unless they have adequately designed microsegmentation or if they use cryptographic password less credentials tied to associated hardware. Though currently unknown there could also be an impact on investors if their credentials are lost. The other fallout could be regulatory scrutiny, depending on how the details of the breach evolve in the next few days.”
Sarkar adds that the first thing that potentially affected enterprises should do is to reset access credentials immediately, where practically possible, especially with third-party suppliers. “Then they should review the fallout of this breach to determine if they need to enhance, or adopt, a breach ready approach using microsegmentation and just-in-time cryptographic authentication, especially to isolate suppliers and customers from other critical systems.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.