NEW YORK — Some of the nation’s largest financial institutions spent the weekend attempting to figure out the effect of a sweeping cyberattack on a major loan-processing vendor whose systems contain highly sensitive personal and financial data.
At this point it’s unknown how many total financial institutions were involved or how many bank customers/CU members’ data could be affected moving forward.
SitusAMC, a New York–based firm used widely across the mortgage and real estate finance sector, confirmed on Saturday it was breached by a cyberattack on Nov. 12. The company told the New York Times it has spent nearly two weeks determining what information was taken, acknowledging that the compromised data involves residential mortgage records — which typically include Social Security numbers, income documentation and other nonpublic personal information.
Vendor Serves Hundreds of Lenders, Including Credit Unions
SitusAMC’s services span loan origination, servicing and regulatory compliance for hundreds of banks, nonbank lenders and others that rely on the firm’s solutions to keep residential and commercial real estate lending operations running. Because of that wide reach, the Times noted the breach poses potential risks not only to major Wall Street institutions but also to anyone whose loans were processed or serviced through the vendor.
JPMorgan, Citi and Morgan Stanley Notified
At least three major institutions — JPMorgan Chase, Citi and Morgan Stanley — were notified that their client data may have been compromised, according to people briefed on the incident who were not authorized to speak publicly, the Times reported. None of the banks said their own systems were breached. A JPMorgan spokesperson emphasized in a statement to the Times that the bank had not been hacked directly.
Company, FBI Investigating
Michael Franco, SitusAMC’s chief executive, said the company has notified law enforcement and is continuing to review the affected data. “We remain focused on analyzing any potentially
Concerns Rise Over Depth of Data Exposure
While cybersecurity breaches are common, this incident has drawn heightened concern because of the volume and sensitivity of data SitusAMC holds, according to the Times analysis. As every credit union lender knows, mortgage applications typically include Social Security numbers, addresses, dates of birth, financial statements and employment histories — all coveted by cybercriminals for identity-theft schemes.
The company also maintains extensive nonpublic information on its customers’ internal operations. That includes details on lenders’ real estate portfolios and risk exposures, Jason E. Kuwayama, a regulatory lawyer, told the Times. “You can’t look at this breach as just the nonpublic information of the banks’ customers,” he said. “It could include very sensitive information about the banks themselves and their portfolios.”
A Critical Back-Office Provider
SitusAMC employs about 5,000 people and is owned by several private-equity firms. Its role in the mortgage ecosystem — though largely invisible to consumers — is substantial.
“If you go down the top 20 banks, if you make commercial real estate and residential loans, you probably have a relationship with Situs,” Jon Winick, chief executive of Clark Street Capital, told the New York Times. “They do a lot of important but nonsexy things.”
