November 25, 2025 — Lee Pender

When one vendor falls: The SitusAMC breach and the growing threat of supply chain attacks


Following the Jaguar Land Rover disaster, another cyberattack has shaken a major industry. The danger of attacks on the supply chain has never been clearer. The question now is what organizations can do to protect themselves and their supply chain partners.

Wall Street spent a tense weekend in late November 2025 when news broke that SitusAMC, a major technology vendor serving hundreds of real estate lenders across the United States, had suffered a significant cyberattack. The breach, which occurred on November 12, exposed potentially sensitive mortgage and customer data from some of America's largest financial institutions, including JPMorgan Chase, Citigroup and Morgan Stanley.

What happened at SitusAMC

The attack on SitusAMC demonstrates how a single point of failure in the technology supply chain can create widespread risk across an entire industry. SitusAMC provides critical services such as mortgage origination, servicing and payment collection for hundreds of banks and lenders. When attackers compromised the vendor's systems, they potentially gained access to residential mortgage loan data connected to multiple major financial institutions.

The compromised information is connected to residential mortgage loans, which could include internal contracts, accounting documents, legal files and potentially mortgage application details containing borrowers' personal financial information. While SitusAMC acted quickly after discovering the attack and engaged forensic experts and federal authorities, the incident spent nearly two weeks under investigation before affected banks received notification of the potential exposure.

The FBI took charge of the investigation, with officials noting that while they found no operational disruption to the banking system itself, the breach highlighted significant vulnerabilities in how financial institutions rely on third-party supply chain partners.

Supply chain attacks: An escalating threat

The SitusAMC incident is far from an isolated case. It represents a growing trend of cybercriminals targeting the weakest links in complex business ecosystems rather than attacking well-defended primary targets directly. Nearly all of the top 100 US banks suffered at least one third-party data breach in the past year.

Supply chain attacks are increasingly dangerous for several reasons. First, they offer attackers a force multiplier effect. By compromising a single vendor that serves dozens or hundreds of clients, cybercriminals can access data from multiple organizations simultaneously with a fraction of the effort required to breach each one individually.

Second, these attacks exploit trust relationships. Organizations often grant vendors extensive access to internal systems and sensitive data because those vendors provide essential services. Once inside a vendor's environment, attackers can leverage that privileged access to move laterally into customer networks.

Third, the interconnected nature of modern business creates cascading effects. When a critical vendor is compromised, the impact ripples through entire industries. The attack on Jaguar Land Rover's systems caused production lines to stand still for nearly four weeks, with costs exceeding £50 million per week. The automotive manufacturer's shutdown threatened over 104,000 supply chain jobs in the UK alone, with one smaller supplier forced to lay off nearly half its workforce.

The retail sector has faced similar devastation. The Co-op cyberattack cost the UK retail giant $275 million in lost revenue and resulted in the theft of personal information belonging to 6.5 million current and past members. Customers faced empty shelves for weeks as stock shortages plagued stores across the country.

These examples illustrate a fundamental truth: In today's interconnected business environment, an organization's security is only as strong as its weakest supply chain partner.

Why cyber resilience matters for every organization

The SitusAMC breach and similar incidents demonstrate that traditional cybersecurity approaches focused solely on perimeter defense are insufficient. Organizations need cyber resilience: the ability to prepare for, withstand, respond to and recover from cyberattacks while maintaining critical operations.

Cyber resilience differs from cybersecurity in its scope and philosophy. While cybersecurity aims to prevent attacks, cyber resilience assumes that some attacks will succeed and focuses on minimizing damage and ensuring rapid recovery. This distinction is critical in an era where even well-defended organizations face persistent, sophisticated threats.

For organizations of all sizes and sectors, cyber resilience encompasses several key capabilities:

Rapid detection and response: The faster an organization can identify a breach, the more quickly it can contain the damage. According to a recent report by the SANS Institute, manufacturers detect nearly half of incidents within 24 hours and contain 60% within 48 hours, but detection alone isn't enough.

Effective recovery processes: The ability to restore systems and resume operations quickly is paramount. Nearly 20% of industrial organizations that experienced cybersecurity incidents took over a month to remediate, with 3.2% requiring over a year to fully recover. With downtime costs reaching hundreds of thousands of dollars per hour, prolonged recovery threatens organizational survival.

Business continuity planning: Organizations must maintain tested backup systems, failover capabilities and documented recovery procedures. Unfortunately, while 66% of organizations maintain OT-specific backups and failover systems, only one-third test or simulate OT-specific recovery. Untested plans often fail when they're needed most.

Supply chain visibility: Understanding which vendors have access to critical systems and data is essential. Organizations should conduct thorough due diligence on vendor security practices and maintain ongoing oversight of third-party risk.

The financial consequences of inadequate resilience are severe. With median downtime costs of $125,000 per hour according to ABB, even a few days of disruption can result in catastrophic losses. Beyond immediate financial impact, organizations face reputational damage, customer trust erosion, competitive disadvantage and potential regulatory penalties.

The critical role of secure software development

One aspect of supply chain security that organizations often overlook is whether their vendors follow secure software development practices. When evaluating technology providers, most organizations focus on financial stability, service-level agreements and infrastructure security. Yet vulnerabilities are frequently introduced during the software development process itself, long before products reach customers.

The secure software development lifecycle (SSDLC) ensures that security considerations are embedded from the first line of code through final deployment. This includes conducting threat modeling before development begins, implementing secure coding practices with mandatory code reviews, managing third-party dependencies through software bill of materials tracking, establishing secure release pipelines with integrity checking, and maintaining coordinated vulnerability disclosure and response processes.
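As an added illustration of the "integrity checking" and "software bill of materials tracking" steps above (example code written for this edit, not software from Acronis or SitusAMC): a small Python check that compares the SHA-256 of each built artifact against the hashes recorded in a CycloneDX-style SBOM and reports components that were altered, that appear in the build without an SBOM entry, or that the SBOM lists but the build lacks. The component names, versions and artifact bytes are constructed sample data; the SBOM layout follows CycloneDX's `components`/`hashes` shape but is assumed, not taken from any real release.

```python
"""Verify release artifacts against a software bill of materials (SBOM).

Added example: a release pipeline step that refuses to ship a build whose
artifacts do not match the hashes recorded in the SBOM. All names, versions
and artifact contents below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class VerificationResult:
    verified: list = field(default_factory=list)    # hash matched the SBOM entry
    mismatched: list = field(default_factory=list)  # SBOM entry exists, hash differs or absent
    unlisted: list = field(default_factory=list)    # built artifact with no SBOM entry
    missing: list = field(default_factory=list)     # SBOM entry with no artifact in the build

    @property
    def ok(self) -> bool:
        """A release is acceptable only when every category of deviation is empty."""
        return not (self.mismatched or self.unlisted or self.missing)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_release(sbom: dict, artifacts: dict) -> VerificationResult:
    """Compare built artifacts ('name@version' -> bytes) with a CycloneDX-style SBOM."""
    result = VerificationResult()
    expected = {}
    for comp in sbom.get("components", []):
        key = f"{comp['name']}@{comp['version']}"
        # Only SHA-256 is trusted here; an entry without one cannot be verified.
        digest = next((h["content"] for h in comp.get("hashes", [])
                       if h.get("alg") == "SHA-256"), None)
        expected[key] = digest
    for key, blob in artifacts.items():
        if key not in expected:
            result.unlisted.append(key)
        elif expected[key] is None or sha256_hex(blob) != expected[key].lower():
            result.mismatched.append(key)
        else:
            result.verified.append(key)
    for key in expected:
        if key not in artifacts:
            result.missing.append(key)
    return result


# Constructed sample release (not real software).
GOOD_ARTIFACTS = {
    "libparse@1.4.2": b"libparse 1.4.2 release bytes",
    "authlib@2.0.1": b"authlib 2.0.1 release bytes",
    "reportgen@0.9.0": b"reportgen 0.9.0 release bytes",
}


def build_sbom(artifacts: dict) -> dict:
    """Record a SHA-256 per component in a minimal CycloneDX-style document."""
    components = []
    for key, blob in artifacts.items():
        name, version = key.split("@")
        components.append({"name": name, "version": version,
                           "hashes": [{"alg": "SHA-256", "content": sha256_hex(blob)}]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}


SBOM = build_sbom(GOOD_ARTIFACTS)


def demo():
    """Return results for the clean build and for a build that deviates from the SBOM."""
    tampered = dict(GOOD_ARTIFACTS)
    # One component's bytes changed after the SBOM was produced ...
    tampered["authlib@2.0.1"] = b"authlib 2.0.1 release bytes plus unexpected content"
    # ... one component was added without being recorded ...
    tampered["helper@0.0.1"] = b"not in the SBOM"
    # ... and one recorded component never made it into the build.
    del tampered["reportgen@0.9.0"]
    return verify_release(SBOM, GOOD_ARTIFACTS), verify_release(SBOM, tampered)


if __name__ == "__main__":
    clean, bad = demo()
    print("clean build ok:", clean.ok)
    print("tampered build ok:", bad.ok)
    print("  mismatched:", bad.mismatched)
    print("  unlisted:  ", bad.unlisted)
    print("  missing:   ", bad.missing)
```

In a pipeline, `verify_release` would run against the artifacts about to be published and fail the job whenever `ok` is false; the point is that the SBOM is only useful for supply chain assurance if something actually checks the shipped bits against it.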

While the specifics of the SitusAMC attack remain under investigation and it's unclear whether weak development practices played a role in this particular incident, the broader principle remains critically important. The attack could have been related to SSDLC failures, such as unpatched vulnerabilities in custom software, compromised third-party components or inadequate security testing during development. Without visibility into how vendors build and maintain their software, organizations inherit risks that no network segmentation or perimeter defense can fully mitigate.

Regulations like the EU's NIS 2 Directive, DORA and the Cyber Resilience Act now explicitly require secure development practices from suppliers, reflecting growing recognition that software supply chain security is a systemic concern. Standards such as IEC 62443-4-1 provide frameworks for evaluating whether vendors implement rigorous secure development practices specifically designed for industrial and critical systems.

Organizations should demand evidence that their application vendors follow SSDLC best practices. This might include requesting certifications like IEC 62443-4-1 for operational technology environments or ISO/IEC 27001 for information security management. Procurement processes should include security questionnaires that specifically address development practices, code review procedures, vulnerability management processes and third-party component tracking.

Failure to ensure that supply chain partners practice secure software development can lead to exactly the type of breach that affected SitusAMC's customers. When software is developed without security as a foundational principle, vulnerabilities inevitably emerge. Those vulnerabilities create entry points for attackers seeking to exploit trusted vendor relationships and access the sensitive data of multiple organizations simultaneously.

Moving forward: Building true resilience

The SitusAMC breach serves as a stark reminder that in our interconnected digital economy, organizational security extends far beyond internal defenses. Every vendor, partner and service provider in the supply chain represents both a valuable business relationship and a potential security risk.

Building cyber resilience requires a comprehensive approach that addresses people, processes and technology. Organizations must invest in robust backup and recovery capabilities, conduct regular testing of incident response plans, maintain visibility into vendor security practices and ensure that recovery can happen quickly even when IT expertise isn't immediately available.


About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.