Several of the nation’s biggest financial institutions are evaluating the potential consequences of a sweeping data breach involving SitusAMC, a major firm that manages critical mortgage-related services, according to reporting from The New York Times.
The company, which supports lenders with tasks such as loan setup, regulatory oversight, and transaction handling, disclosed that it suffered a cyber incident on November 12.
For nearly two weeks, staff have been analyzing what information was accessed, and the firm confirmed that the compromised material relates to residential mortgage files.
SitusAMC has notified multiple prominent banks — including JPMorgan Chase, Citi, and Morgan Stanley — that some of their customer information may have been exposed, five individuals familiar with the situation told the NYT.
None of the banks commented on what specific data might be at risk. A representative for JPMorgan emphasized that the bank itself was not breached. In a statement released Saturday, SitusAMC Chief Executive Michael Franco said law enforcement agencies were alerted.
“We remain focused on analyzing any potentially affected data,” he said. FBI Director Kash Patel noted that the bureau is in contact with the impacted organizations.
“While we are working closely with affected organizations and our partners to understand the extent of potential impact, we have identified no operational impact to banking services,” Patel said.
Related story: UK Unveils Tough New Cybersecurity Laws to Shield Public Services from Growing Digital Threats
Concerns Over the Scope of Exposed Information
The incident has triggered substantial alarm across major lenders because SitusAMC maintains extensive stores of private borrower information, including Social Security numbers submitted through mortgage applications.
As the review continues, the company has reportedly been issuing regular status updates to the institutions it serves.
Headquartered in New York, SitusAMC has a workforce of roughly 5,000 and is backed by several private equity investors.
Industry analysts say its broad involvement in the real estate financing ecosystem makes the breach particularly worrisome.
Jon Winick, chief executive of Clark Street Capital, told the NYT, “If you go down the top 20 banks, if you make commercial real estate and residential loans, you probably have a relationship with Situs…
It’s necessary plumbing for the commercial and residential real estate market. They do a lot of important but nonsexy things.”
Experts also warn that the fallout may extend beyond consumer records.
Jason E. Kuwayama, a regulatory attorney cited by the NYT, cautioned, “You can’t look at this breach as just the nonpublic information of the banks’ customers,” adding, “It could include very sensitive information about the banks themselves and their portfolios.”
Read next: US, UK, and Australia Target Russian Tech Companies Tied to Ransomware Operations