“I am convinced that there are only two types of companies: Those that have been hacked and those that will be.” — Former FBI Director Robert Mueller

Hackers are back sniffing around mortgage-land & this time they didn’t hit a big servicer or a flashy title giant. They went after something far more dangerous: a boring-as-drywall vendor that quietly runs the pipes for a huge portion of the industry. When the “unsexy” infrastructure gets popped, that’s when you should really worry.

SitusAMC reported a major cyberattack on Nov. 12 & has spent the past 2 weeks determining what exactly was taken, according to the NYT. Details are scarce, but the data exposed was related to resi mortgages. JPMorgan Chase, Citi & Morgan Stanley are among those that have been notified by SitusAMC that their client data may have been taken, the NYT reported. SitusAMC notified all of its residential mortgage customers that they may be affected but doesn’t yet know the full extent of the breach, according to sources.

(🙏 If you like what you’re reading, tell a fellow mortgage junkie to sign up here.)

The average consumer hasn’t heard of SitusAMC, but they’re quietly a massive player in the mortgage space. They provide loan origination, servicing, & regulatory compliance services to major lenders & handles loads of sensitive personally identifiable information (PII). Most of the top mortgage banks & servicers are clients.

Private equity-owned SitusAMC said that no encrypting malware was involved, which suggests that the hackers focused on data exfiltration rather than ransomware deployment. SitusAMC said that it implemented several security measures following the incident, including credential resets, disabling remote access tools, updating firewall rules, & enhancing security settings. The incident is now contained & services remain fully operational.

The hope is that this is an isolated incident (you’ll definitely want to read the article below this one 👇).

If you’re experiencing a bit of deja vu, it’s because in late ‘23/early ‘24 Mr. Cooper Group, loanDepot, First American and Fidelity National Financial (parent of servicer LoanCare), all had to temporarily shut down their systems to contain similar cyberattacks that collectively exposed data of tens of millions of customers. loanDepot & Mr. Cooper each estimated total losses from the hack at more than $30M.

The SitusAMC breach underscores growing 3rd-party cyber risks in financial services. Vendor-related incidents are up 15% year-over-year & nearly half of financial services firms experienced 3rd party cybersecurity incidents last year, according to Venminder’s “State of Third-Party Risk Management 2025” survey.

When a mortgage tech vendor gets hit by a breach, the reputational fallout can be just as damaging as the direct financial loss. LOS/underwriting & doc processing vendors are a particular cybersecurity risk. They have access & store a lot of sensitive personally identifiable information & also integrate into lenders' systems. Because they move fast, they might cut corners on security or have legacy interfaces. Loan servicing/payment & portfolio management vendors are in the same boat.

This is the type of incident that keeps mortgage executives awake at night. I’d bet that most lenders—if they haven’t already—will soon be scrutinizing their vendors’ cybersecurity protocols…

If you’ve been reading The Scoop, you already know what you’re getting: real reporting, deep sourcing, & stories nobody else in mortgage media is touching. We’ve exposed shady lender tactics, examined ICE’s hate-love relationship w/ mortgage, broken dozens of tech stories, dug into UWM’s correspondent play, Rocket’s retail strategy & much more.. Founding Members get the full Monday/Wednesday/Friday edition—scoops, analysis, sourcing, & context you will not find anywhere else—plus early access to new features.

If you rely on The Scoop to stay sharp, informed, & ahead, this is your chance to support independent, scoop-driven mortgage journalism. Founding Members pay $20/month. Sign up for a 2-week free trial today.

While I was reporting the SitusAMC story, a source texted me a link to a purported cybersecurity news website that claimed Black Knight/ICE had been hacked over the weekend. The report, authored by Web Pro News’ Andrew Cain, claims that Black Knight’s MSP platform experienced outages & issues over the weekend b/c of a hack.

Cain wrote that Black disclosed a data breach on its status page, stating that “certain services are experiencing an outage due to a cybersecurity incident.” The outlet also said that ICE issued a statement saying that the company is “actively investigating & working to restore services as quickly as possible.” Rocket & UWM supposedly also changed workflows & “federal regulators are circling.”

Except none of that happened.

ICE called me Monday afternoon to say the article is 100% made-up. Sources at federal regulators & the 2 identified mortgage lenders also said what was described in the article did not happen…

“None of those things happened, and none of those things are true,” an ICE spokesperson said. “This is very perplexing…There's been no MSP cyber attack, everything in that one article that was published is false & seems completely made up. So we're trying to get to the bottom of where this came from.”

My guess is that either a short seller is involved or the SitusAMC hackers are sending some kind of message to ICE (like it’s the plot to a Batman 🦇 movie). It’s bizarre.

Some lenders are getting really aggressive on VA & FHA loans, offering rates in the 4s & low 5s through a combination of points & the borrower paying high origination charges, one branch manager in the Northeast told The Scoop.

“Saw a CD from PennyMac today for a VA IRRL refi at 4.875%. Borrower paying a $5100 origination charge plus almost 1 point,” he noted. “I’m seeing other advertisements of very low government rates, but the APR is the tell that there are tons of points and fees baked in.”

Even on purchase loans, the branch manager said he’s seeing really low rates being offered. But there’s a catch. “When you see the LE or the fine print there are tons of points & fees included,” he said. “I guess it is just another way to drum up business.”

A federal judge on Monday dismissed the mortgage fraud case against NY AG Tish James, finding that prosecutor Lindsey Halligan did not have lawful authority to present the indictment.

Chances are the Trump administration will retry this one, but as we’ve reported previously, it isn’t the strongest case to begin with…

(🙏 If you like what you’re reading, tell a fellow mortgage junkie to sign up here.)