A cyberattack on one of real estate finance’s biggest behind-the-scenes vendors has the country’s top lenders scrambling to assess their exposure.
SitusAMC, the tech and services firm embedded deep in the mortgage pipeline, disclosed this weekend that hackers accessed customer data tied to residential loan files. The breach was first reported by the New York Times.
JPMorgan Chase, Citi and Morgan Stanley were among the institutions notified that client information may have been stolen. While JPMorgan emphasized it wasn’t directly hacked, the incident underscores how much sensitive borrower data sits with third-party platforms that many lenders rely on for their mortgage businesses.
SitusAMC said the attack occurred Nov. 12 and that it has spent two weeks determining what was accessed. The firm alerted law enforcement and the FBI confirmed it is investigating.
The bureau said it has no evidence of disruptions to banking services, but banks have been receiving regular updates from SitusAMC as the company continues to sort through the fallout.
The potential exposure goes far beyond basic mortgage details.
SitusAMC handles regulatory compliance for lenders, which means its systems contain extensive nonpublic information, from Social Security numbers to internal risk assessments on banks’ commercial and residential real estate portfolios.
Industry advisers say the episode highlights the concentration risk built into modern real
estate financing. Most major lenders touch SitusAMC systems at some point in the loan process, giving the firm an unusually broad view of bank operations. One industry figure likened the company to “necessary plumbing” for the mortgage market — critical infrastructure that goes largely unnoticed until something breaks.
SitusAMC, owned by several private equity firms and employing roughly 5,000 people, has not said how many borrowers or institutions are affected.
“We remain focused on analyzing any potentially affected data,” SitusAMC chief executive officer Michael Franco said in a statement.
Read more
Commercial
Dallas
Mr. Cooper hit with second class-action suit related to data breach
Residential
Dallas
Lawsuits pile up after data breach at mortgage lender Mr. Cooper
Commercial
Los Angeles
First American suffers cyber attack, potentially delaying deals