SitusAMC Breach: Mortgage Services Firm Hacked for 7 Days
Mortgage Services Giant SitusAMC Breached -- Attackers Operated for a Week Inside Its Network
SitusAMC Holdings Corporation, a major provider of outsourced services to mortgage lenders and financial institutions, disclosed a data breach after an unauthorized third party spent seven days inside its IT network acquiring data. The breach, which occurred between November 12 and November 19, 2025, exposed names, addresses, dates of birth, and Social Security numbers of individuals whose mortgage data SitusAMC processes on behalf of its financial institution clients.
SitusAMC is not a household name, but its reach in the mortgage industry is substantial. The Houston-based company provides due diligence, valuation, securitization support, and compliance services to banks, mortgage lenders, and investors. When SitusAMC gets breached, the downstream impact hits borrowers who may have no idea their mortgage servicer shares data with a third-party operations firm.
How the Attack Unfolded
On November 12, 2025, SitusAMC detected unauthorized access to certain systems within its IT network. The company launched an investigation with third-party forensic experts and notified law enforcement. Despite the detection, the attacker maintained access and continued acquiring data through November 19, 2025 -- a full week of dwell time after initial detection.
That seven-day window between detection and containment is a significant detail. It suggests either the attacker had established persistence mechanisms that took time to identify and remove, or that SitusAMC's containment response was not fast enough to cut off data exfiltration while the investigation was still underway.
The notification letter does not specify the initial access vector -- no mention of phishing, vulnerability exploitation, or compromised credentials. The California AG filing categorizes it as an external system breach (hacking). Without more technical detail, it is impossible to assess whether this was an opportunistic attack or a targeted operation against a company known to hold large volumes of mortgage-related PII.
What Data Was Compromised
SitusAMC confirmed that the following data types were potentially involved:
- Names -- identifying individuals tied to mortgage transactions
- Addresses -- current or historical residential addresses from mortgage files
- Dates of birth -- a key input for identity verification and credit applications
- Social Security numbers -- the primary identifier used in mortgage underwriting and tax reporting
The notification notes that "not all data elements were involved for each individual," meaning some affected borrowers may have had only a subset of these fields exposed. The company has not disclosed the total number of affected individuals -- a notable omission from the California filing, which does not always require a specific count.
The combination of name, DOB, and SSN is sufficient for synthetic identity fraud, new account openings, and tax return fraud. For mortgage borrowers specifically, this data could be used to attempt unauthorized property transactions, fraudulent payoff requests, or social engineering attacks against their mortgage servicers.
SitusAMC's Role in the Mortgage Ecosystem
SitusAMC operates as a critical infrastructure provider in the mortgage industry. The company offers:
- Due diligence services -- reviewing loan files for quality, compliance, and risk during origination and securitization
- Valuation services -- property appraisals and automated valuation models
- Securitization support -- preparing loan pools for sale into the secondary market
- Compliance services -- regulatory reporting and quality control
These functions require access to complete borrower files: names, SSNs, property addresses, income documentation, credit reports, and loan terms. SitusAMC is the type of vendor that sees everything in a borrower's mortgage file -- and the breach notification confirms that at least PII-level data was in scope.
For the financial institutions that use SitusAMC's services, this breach is another example of how third-party vendor risk translates directly into customer data exposure. The Towne Mortgage breach and the Evolve Mortgage Services incident both involved mortgage industry participants where vendor or operational failures led to borrower data exposure.
The 77-Day Notification Timeline
- November 12, 2025 -- Unauthorized access detected
- November 19, 2025 -- Attacker access terminated (7 days)
- January 28, 2026 -- Notification letters sent to affected individuals (70 days after containment)
Total: 77 days from detection to notification.
The notification timeline is within the range most state AGs accept, though the 70-day gap between containment and notification suggests the forensic review and data-matching process took significant time. For a company that processes mortgage data for multiple financial institutions, determining which borrowers were affected and tracing them back to the correct lender clients is a complex data reconciliation exercise.
California law requires notification "in the most expedient time possible and without unreasonable delay." SitusAMC's 77-day timeline is faster than many recent breaches tracked in FinSecLedger's breach database. Separately, the multi-state notification suggests a large geographic footprint of affected individuals.
Remediation for Affected Individuals
SitusAMC is offering affected individuals 24 months of identity protection services through IDX, including:
- Credit monitoring and CyberScan monitoring
- $1,000,000 insurance reimbursement policy
- Fully managed identity theft recovery services
The enrollment deadline is April 28, 2026. Affected individuals can enroll at app.idx.us/account-creation/protect using the enrollment code from their notification letter, or call (844) 814-3163 for assistance.
The 24-month monitoring window and $1 million insurance policy are at the higher end of standard remediation packages -- consistent with the sensitivity of the exposed data and the company's likely cyber insurance coverage through a national carrier.
Regulatory and Legal Implications
As a mortgage industry services provider, SitusAMC operates in a heavily regulated space. Several regulatory considerations apply:
State regulators. SitusAMC filed notifications across at least ten states, including New York, which has some of the most stringent breach notification requirements. The NYDFS Cybersecurity Regulation (23 NYCRR 500) requires covered entities to notify DFS within 72 hours of determining a cybersecurity event has occurred. If any of SitusAMC's financial institution clients are NYDFS-regulated, those institutions may face their own reporting obligations.
CFPB oversight. The Consumer Financial Protection Bureau has authority over mortgage servicers and related service providers. If SitusAMC is considered a "service provider" under Dodd-Frank, the CFPB could examine the company's data security practices and its contracts with financial institution clients.
GLBA Safeguards Rule. Financial institutions that share borrower data with SitusAMC are responsible under GLBA for ensuring their service providers maintain appropriate safeguards. The seven-day attacker dwell time after detection raises questions about whether SitusAMC's security controls met the standards its clients were contractually obligated to require.
Class action exposure. Mortgage borrowers whose SSNs and DOBs were exposed will have standing to pursue class action claims. The fact that borrowers likely had no direct relationship with SitusAMC -- and may not have known their data was shared with the company -- adds a consumer protection dimension to any litigation.
Lessons for Mortgage Lenders and Servicers
This breach hits at the core of a structural problem in the mortgage industry: the extensive sharing of borrower PII with third-party due diligence, valuation, and compliance vendors. Most borrowers sign consent forms during the loan application process that authorize this sharing, but few understand the extent of the vendor ecosystem their data enters.
The Marquis Software Solutions breach showed how a vendor compromise can cascade across dozens of financial institutions. SitusAMC occupies a similar position in the mortgage supply chain -- a single point of failure that, when breached, exposes borrowers across multiple lender clients.
Action Items for Mortgage Industry Participants
- Identify your exposure. If your institution uses SitusAMC for due diligence, valuation, securitization support, or compliance services, determine whether your borrower data was included in the breach. Contact SitusAMC's legal team at the address provided in the notification (5065 Westheimer Rd., Suite 700E, Houston, TX 77056).
- Review vendor data-sharing agreements. What data elements does SitusAMC receive from your institution? Is the scope limited to what is necessary for the contracted service? Mortgage due diligence may require full loan files, but marketing or compliance functions may not need SSNs.
- Assess your GLBA vendor management obligations. Under the Safeguards Rule, your institution is responsible for the security of borrower data held by service providers. Document your due diligence process for SitusAMC, including security assessments, contractual requirements, and right-to-audit provisions.
- Prepare for regulatory inquiries. Bank and credit union examiners from the OCC, FDIC, Federal Reserve, and NCUA will reference this incident when evaluating your institution's third-party risk management program. Ensure your vendor management files are current and demonstrate ongoing oversight, not just point-in-time due diligence.
- Communicate proactively with affected borrowers. If your institution's borrowers were impacted, consider direct outreach beyond what SitusAMC provides. Borrowers who hear from their lender -- not just an unfamiliar vendor -- are more likely to take protective action.