Some of the nation’s biggest banks were scrambling on Saturday night to assess the fallout from a large-scale hack of a vendor whose compromise could expose sensitive customer data.
The vendor, SitusAMC, has been deployed by hundreds of banks and other lenders to help originate and collect money from real estate loans and mortgages. The company confirmed on Saturday that it had been the subject of a cyberattack on Nov. 12 and that it had spent the better part of two weeks trying to determine exactly what data had been taken.
The data exposed was related to residential loan mortgages, the company said.
JPMorgan Chase, Citi and Morgan Stanley are among those that have been notified by SitusAMC that their client data may have been taken, according to five people who were briefed on the hack but who were not able to discuss it publicly.
Representatives for those banks would not comment on their exposure. A JPMorgan spokesman said the bank had not been hacked directly.
SitusAMC’s chief executive, Michael Franco, said in a statement on Saturday that the company had notified law enforcement.
“We remain focused on analyzing any potentially affected data,” he said.
Kash Patel, the director of the Federal Bureau of Investigation, said in a statement: “While we are working closely with affected organizations and our partners to understand the extent of potential impact, we have identified no operational impact to banking services.”
Cybersecurity breaches are not uncommon in the business world, but this incident has raised particular concern on Wall Street because SitusAMC holds a huge collection of personal data found on loan applications, including Social Security numbers. The company has been sending near-daily updates to banks as it tries to determine the extent of the information exposed.
SitusAMC, based in New York, has around 5,000 employees and is owned by several private equity firms.
“If you go down the top 20 banks, if you make commercial real estate and residential loans, you probably have a relationship with Situs,” said Jon Winick, the chief executive of Clark Street Capital, a firm that advises lenders. “It’s necessary plumbing for the commercial and residential real estate market. They do a lot of important but nonsexy things.”
Among the services SitusAMC offers is regulatory compliance — the boring but essential work of making sure its customers’ loans comply with a plethora of state and federal regulations.
That means it has extensive nonpublic information on the banks’ internal workings. For instance, it could have information on the risks in lenders’ real estate holdings, said Jason E. Kuwayama, a lawyer who specializes in regulatory issues for banks.
“You can’t look at this breach as just the nonpublic information of the banks’ customers,” he said. “It could include very sensitive information about the banks themselves and their portfolios.”
Rob Copeland is a finance reporter for The Times, writing about Wall Street and the banking industry.
The post A Swath of Bank Customer Data Was Hacked. The F.B.I. Is Investigating. appeared first on New York Times.
