SitusAMC Cyber Attack Exposes Mortgage Data

Some of the nation's largest banks, including JPMorgan Chase, Citi, and Morgan Stanley, spent the end of November 2025 assessing their exposure after a significant cyberattack on SitusAMC, a major technology and services vendor in the mortgage and real estate finance ecosystem.  SitusAMC confirmed that it was hit by a cyberattack on 12 November 2025 and that it has spent nearly two weeks determining which information was accessed.  According to a statement posted on its website, the company identified that "data relating to some of our clients' customers may also have been impacted," including information connected to residential mortgage loans.

The scope is still emerging, but the implications are profound: SitusAMC's technology is embedded across hundreds of banks, lenders, and financial institutions nationwide.   The attack on SitusAMC underscores an increasingly unavoidable reality for financial institutions: third-party vendors remain among the most persistent and targeted sources of cyber risk.

Third parties accounted for 30% of data breaches in 2024, a 15% increase from the prior year, according to Venminder's State of Third-Party Risk Management 2025 survey.  Nearly half of organizations experienced a third-party cybersecurity incident in the past year alone.

Piyush Pandey, CEO of Pathlock, says this incident reinforces the need to fully adopt an assume-breach operating model.  "This breach underscores the need for organizations to adopt an 'assume breach' mindset, not only in theory but in practice," Pandey says.  "That means investing not just in preventive measures, but in controls that enable rapid detection, containment, and remediation.  This is what limits the scale of a breach and supports faster recovery."

Historically, deeply targeted attacks through third parties were difficult to execute. They required extensive manual reconnaissance, an intimate understanding of a vendor’s internal systems, and deep knowledge of data flows between organizations.   Dave Tyson, Chief Intelligence Officer at iCOUNTER, says AI-driven targeting tools now allow threat actors to scale sophisticated attacks with unprecedented precision.  "AI is making this level of targeting available to a much broader class of threat actors," Tyson explains.  "What was once limited by manual capacity and expertise is now able to be delivered as a commodity ranked by likelihood of successful compromise, ability to maintain anonymity, and value of the breach."

Tyson warns that security teams need to understand not only what data vendors hold, but also operational dependencies, authentication flows, and how a third-party compromise could enable lateral movement.  He adds that the long-term danger is often underestimated.  "Lost data lasts forever.  It can provide a roadmap to illuminate internal processes, operational norms, and how an organization classifies information—intelligence that attackers can use for years to come."

SitusAMC plays a foundational role in the mortgage and real estate finance ecosystem, providing loan servicing, valuation, analytics, compliance technology, and asset management services.  That level of integration means the breach could have cascading effects across the institutions that depend on it.

Agnidipta Sarkar, Chief Evangelist at ColorTokens, says that interconnected data flows are a significant area of concern for banks.  "The breach should be of significant concern to firms on Wall Street because of the interconnectedness of data flows," he said.  "Accounting records and legal agreements often contain architecture diagrams, SLAs, or references to internal tools that could be goldmines for attackers planning follow-on intrusions."

Sarkar notes that if credentials are stolen, lateral movement is a real possibility unless firms are already using well-designed microsegmentation or hardware-bound passwordless authentication.  He adds that regulatory scrutiny is likely as more information becomes public.

What impacted firms should do now: while the full scope is still coming into focus, experts agree on several immediate steps.

  1. Reset access credentials. Prioritize credentials shared with or used by third-party platforms.
  2. Conduct a rapid third-party exposure assessment. Identify what systems rely on SitusAMC and what customer data was shared.
  3. Review segmentation and authentication architecture. Microsegmentation and hardware-bound cryptographic credentials can limit lateral movement if a vendor-facing account is abused.
  4. Strengthen breach detection and containment controls. Pandey emphasizes that "assume breach" is an operational model, not a slogan.
  5. Monitor for follow-on intrusions and fraud. Mortgage data is highly valuable for identity theft, account takeover, and long-tail intelligence operations.
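As an added example, not part of this article and not SitusAMC's or Red Sky Alliance's code, the script below carries steps 1, 2 and 5 through on a constructed integration inventory and a constructed authentication log: it computes which internal systems, service accounts and data classes are tied to the vendor (the exposure assessment), flags logins by those accounts from outside the vendor's expected source ranges on or after the disclosed 12 November 2025 attack date (monitoring for follow-on intrusion), and turns the result into a reset order for the shared credentials. Every system name, account name, CIDR (RFC 5737 documentation ranges) and log line is an assumption made for the example.

```python
"""Rapid third-party exposure check after a vendor breach.

Added example, not SitusAMC's or Red Sky Alliance's code. The inventory,
account names, CIDRs and log lines below are all constructed for illustration.
"""
import ipaddress
from datetime import datetime, timezone

# Date SitusAMC said the attack occurred; events on or after it are in scope here.
INCIDENT_DATE = datetime(2025, 11, 12, tzinfo=timezone.utc)

# Constructed inventory: which internal system depends on which vendor, the service
# account used for the integration, the data classes shared through it, and the
# vendor source ranges (RFC 5737 documentation ranges) that account should log in from.
INTEGRATIONS = [
    {"vendor": "SitusAMC", "system": "loan-servicing-sftp", "account": "svc-situs-sftp",
     "data_shared": ["borrower_pii", "loan_terms"], "allowed_cidrs": ["203.0.113.0/24"]},
    {"vendor": "SitusAMC", "system": "valuation-api", "account": "svc-situs-api",
     "data_shared": ["property_valuations", "loan_terms"],
     "allowed_cidrs": ["203.0.113.0/24", "198.51.100.0/24"]},
    {"vendor": "OtherVendor", "system": "payroll-feed", "account": "svc-payroll",
     "data_shared": ["employee_pii"], "allowed_cidrs": ["192.0.2.0/24"]},
]

# Constructed auth log, one event per line: "<utc timestamp> <account> <source ip> <result>".
AUTH_LOG = """\
2025-11-10T09:12:03Z svc-situs-sftp 203.0.113.17 success
2025-11-11T08:00:00Z svc-situs-sftp 198.51.100.200 success
2025-11-13T02:47:55Z svc-situs-sftp 198.51.100.200 success
2025-11-14T11:05:10Z svc-situs-api 198.51.100.8 success
2025-11-15T23:59:59Z svc-situs-api 192.0.2.77 failure
2025-11-16T10:30:00Z svc-payroll 192.0.2.9 success
"""


def exposure_for(vendor, integrations=INTEGRATIONS):
    """Blast radius of one vendor: dependent systems, shared accounts, shared data classes."""
    hits = [i for i in integrations if i["vendor"] == vendor]
    return {
        "systems": sorted(i["system"] for i in hits),
        "accounts": sorted(i["account"] for i in hits),
        "data_shared": sorted({d for i in hits for d in i["data_shared"]}),
    }


def parse_auth_log(text):
    """Parse the space-separated log format above into timezone-aware event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "account": account,
            "ip": ipaddress.ip_address(ip),
            "result": result,
        })
    return events


def suspicious_logins(events, vendor, since=INCIDENT_DATE, integrations=INTEGRATIONS):
    """Logins by the vendor's accounts, on or after `since`, from outside the expected ranges.

    Failures are kept as well: a run of failed logins against a vendor account from an
    unexpected source is itself a signal that stolen credentials are being tried.
    """
    allowed = {i["account"]: [ipaddress.ip_network(c) for c in i["allowed_cidrs"]]
               for i in integrations if i["vendor"] == vendor}
    flagged = []
    for e in events:
        nets = allowed.get(e["account"])
        if nets is None or e["time"] < since:
            continue
        if not any(e["ip"] in n for n in nets):
            flagged.append(e)
    return flagged


def reset_priority(vendor, flagged, integrations=INTEGRATIONS):
    """Order vendor-tied accounts for credential reset: accounts with a successful login
    from an unexpected source first, then those with failures only, then the rest."""
    score = {}
    for e in flagged:
        weight = 2 if e["result"] == "success" else 1
        score[e["account"]] = max(score.get(e["account"], 0), weight)
    accounts = {i["account"] for i in integrations if i["vendor"] == vendor}
    return sorted(accounts, key=lambda a: (-score.get(a, 0), a))


if __name__ == "__main__":
    vendor = "SitusAMC"
    print("exposure:", exposure_for(vendor))
    flagged = suspicious_logins(parse_auth_log(AUTH_LOG), vendor)
    for e in flagged:
        print("flagged:", e["time"].isoformat(), e["account"], e["ip"], e["result"])
    print("reset order:", reset_priority(vendor, flagged))
```

Two caveats a practitioner would apply before relying on this. First, the window starts at the date the vendor disclosed; attackers usually have dwell time before that, so widen `since` backwards once the vendor's timeline firms up. Second, the allowlist check only catches abuse from the attacker's own infrastructure; if the vendor's environment itself is the pivot, logins will arrive from the expected ranges, which is why the reset in step 1 has to happen regardless of what this check finds.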

The SitusAMC breach is a reminder that financial institutions remain deeply dependent on their vendors and that those vendors are increasingly in the crosshairs.  With AI accelerating attackers' capabilities and third-party incidents rising sharply, organizations must elevate their approach to assessing and defending their interconnected environments.  As Tyson noted, the real danger isn't just the data stolen today, it is the intelligence attackers can weaponize for years to come.


This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

 Weekly Cyber Intelligence Briefings:
 REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
