The SitusAMC data breach has banks scrambling to assess the damage. The hack has hit big banks like JP Morgan, Citi, and Morgan Stanley as client data has allegedly been pilfered. Reportedly, the breach was uncovered on November 12th, and the Federal Bureau of Investigation is currently investigating the incident.
SitusAMC is a real estate finance firm that combines data and technology to support financing for commercial and residential properties. The company enabled over $20 billion in originations in 2024.
SitusAMC has posted a “data breach” page outlining how its systems were attacked. According to the company, data was compromised, but “the scope, nature, and extent of such impact remain under investigation by the company and its third-party advisors.” Accounting and legal agreements have apparently been stolen.
The company claims that the damage has now been contained and that it is fully operational and providing full service to its customers.
Martin Greenfield, CEO at Quod Orbis, a continuous compliance firm that highlights cyber risks, says it is essential to point out that the SitusAMC incident is, above anything else, a visibility failure.
“Based on what we know, it looks like SitusAMC didn’t have entire real-time insight into what was happening inside its vendor ecosystem, and when a provider supports some of the world’s biggest financial institutions, one breach can quickly cascade across multiple giants at once. Regulators under DORA, NIS2, and the UK’s operational resilience rules have been warning about exactly this scenario,” says Greenfield.
He claims that vendor breaches are predictable, and the real challenge is to understand what was accessed and to trace where the data came from and where the copies may reside. Most firms do not have full data lineage across their supply chain, which slows down response times and increases impact.
“There’s also a persistent gap between what banks think their vendors hold and what vendors process. When your data footprint is bigger than your visibility, incidents like this become almost inevitable, which should act as a wake-up call for organisations in any industry. Being able to demonstrate trust and assurance is a step change to simply declaring that data is being protected.”