AI Strategy, Cybersecurity, Compliance Automation & Microsoft 365 Managed IT for Security-First Financial Institutions | ABT Blog

The Exploit: Anatomy of a Modern Cyber Heist Part 3 - The Clone Trap

Written by Justin Kirsch | Sat, May 23, 2026

On November 12, 2025, SitusAMC quietly disclosed a cyberattack. The vendor had not been ransomed. Nothing had been encrypted. There had been no dramatic shutdown. Attackers had simply walked in, copied residential mortgage loan data belonging to JPMorgan Chase, Citigroup, Morgan Stanley, and hundreds of smaller banks and credit unions, and walked out.

This is Part 3 of a four-part series tracking the modern cyber kill chain against credit unions, banks, and mortgage companies. In Part 1: The Leak in the Shadows, stolen credentials and social-media reconnaissance built the target profile. In Part 2: The Perfect Phish, adversary-in-the-middle phishing kits defeated standard MFA and harvested live session tokens. Now the attack chain reaches past your firewall, past your conditional access policies, past your Secure Score, into the vendors, platforms, and service providers that touch your data every day.

30% of all breaches in 2024 involved a third party, a doubling from 15% the year before. Software supply chain compromises and weak security at service providers drove the spike.
Source: Verizon 2025 Data Breach Investigations Report

The 30% figure looks like a statistic until you sit with what it means for a 50,000-member credit union or a $2B community bank. It means that roughly one in three breach-notification letters your institution will ever send is going to be triggered by something that happened outside your perimeter. Your patching, your phishing-resistant authentication, your 24/7 SOC, your audited compliance program. None of it stopped the breach, because the breach was at your vendor.

SitusAMC: When JPMorgan's Mortgage Data Sat on Someone Else's Server

SitusAMC provides mortgage servicing technology and outsourced loan operations to some of the largest financial institutions in the United States. Their client list reads like a roll call of American banking: JPMorgan Chase, Citigroup, Morgan Stanley, and hundreds of smaller community banks and mortgage companies that rely on SitusAMC for valuation, due diligence, and loan servicing.

In November 2025, all of those institutions sent breach notifications. None of them had been hacked directly.

Incident: November 2025

SitusAMC: The Quiet Exfiltration

A cyberattack on SitusAMC exposed residential mortgage loan data, including borrower files, closing documents, and valuation reports, for JPMorgan Chase, Citigroup, Morgan Stanley, and hundreds of additional banks, credit unions, and mortgage companies. The attackers did not deploy ransomware. They did not encrypt systems. They exfiltrated mortgage records and left. The "smash and grab" pattern meant detection took weeks. By the time SitusAMC notified its clients, the data was already monetized on criminal markets.

Sources: Reuters, CSO Online, SecureWorld

JPMorgan Chase spends roughly $15 billion a year on technology. Its security organization is among the most sophisticated in the financial sector. None of that mattered when the breach was at its vendor. The mortgage records that ended up on a criminal market were copied off SitusAMC's servers, not JPMorgan's. That distinction does not change the borrower's experience when they receive the notification letter, the regulatory exposure for JPMorgan, or the dollar cost of credit monitoring and litigation that follows.

For community banks and credit unions that share SitusAMC as a vendor, the math is even more sobering. JPMorgan can absorb a vendor breach. A $400M community bank with thin compliance staffing cannot easily absorb $5M in notification costs, regulatory examination follow-ups, and reputational damage from a vendor breach it had no operational ability to prevent.

Marquis Software: One Unpatched Firewall, 74 Financial Institutions

Three months before SitusAMC, a different kind of supply chain attack hit the financial sector. Marquis Software Solutions, a fintech vendor that provides core technology services to more than 700 banks and credit unions across the United States, was breached in August 2025. The vector was prosaic: an unpatched firewall.

Incident: August 2025

Marquis Software: The One-to-Many Compromise

A ransomware group exploited CVE-2024-40766, a critical vulnerability in SonicWall's SonicOS SSLVPN access control. The vulnerability had been public since August 2024 with patches available. Marquis had not applied them. The attackers used the bypass to access client data pipelines and exfiltrate sensitive personal information (Social Security numbers, bank account numbers, dates of birth, taxpayer identification numbers) for 780,000+ individuals across 74 financial institutions. Breach notification letters filed with state attorneys general listed dozens of banks and credit unions that shared the same vendor and the same unpatched firewall.

Sources: BleepingComputer, TechRadar, Infosecurity Magazine, state attorney general filings

Security researchers call this pattern one-to-many compromise. The attacker does not need to breach 74 separate institutions, defeat 74 separate MFA implementations, or bypass 74 separate security operations centers. They breach one shared vendor and inherit the access that 74 institutions trusted that vendor with. The economics are inverted: one moderately competent ransomware crew can produce the same data theft outcome as 74 nation-state operations.

For each of those 74 financial institutions, the post-breach experience was identical to a direct attack. State attorney general notifications. Letters to every affected member, customer, or borrower. Multi-year credit monitoring. Examination scrutiny. Class action exposure. None of those 74 institutions could have prevented the breach. Their security controls were operating perfectly. The vulnerability was in their vendor's infrastructure.

The cascade pattern above is not a hypothetical. It is the actual breach notification fanout from a single August 2025 incident. Read the lesson honestly: a single vendor's patch hygiene determined whether 74 institutions sent customer letters that month.

Key Takeaway

Two breaches, two months apart, exposed an inconvenient truth about modern vendor architectures: a financial institution's effective attack surface is the union of its own controls and every vendor's controls. Marquis and SitusAMC did not fail at unusual things. They failed at routine things, namely patching a known vulnerability and monitoring an outbound data flow, and dozens of their financial-institution clients absorbed the consequences.

ConnectWise: The MSP Platform Breached Twice in 15 Months

The Marquis and SitusAMC stories describe vendors that handle your data. The ConnectWise story describes something more dangerous: a vendor that handles your management. ConnectWise ScreenConnect is the remote-access and management platform that thousands of managed service providers (MSPs) use to monitor, patch, and administer their clients' endpoints. If your MSP runs on ConnectWise, your endpoints answer to ConnectWise's authentication and authorization layer, whether you know it or not.

ConnectWise was breached twice in 15 months.

ConnectWise Breach #1 (February 2024) compared with ConnectWise Breach #2 (May 2025)

  • Attack Vector. Breach #1: authentication bypass vulnerability CVE-2024-1709 (CVSS 10.0, maximum severity). Breach #2: nation-state actor compromised ConnectWise's own corporate environment.
  • Time to Exploitation. Breach #1: active exploitation within 48 hours of public disclosure. Breach #2: unknown dwell time prior to detection.
  • Threat Actors. Breach #1: Play and LockBit ransomware groups. Breach #2: unnamed nation-state actor (Mandiant engaged).
  • Downstream Impact. Breach #1: MSP-managed institutions worldwide; one finance company's SAN encrypted by Play ransomware. Breach #2: "very small number" of ScreenConnect customers directly breached.
  • ABT Client Exposure. Breach #1: zero; ABT does not use ConnectWise. Breach #2: zero; ABT does not use ConnectWise.

The February 2024 breach turned ScreenConnect's authentication layer into a free pass. Within two days of CVE-2024-1709 going public, Play and LockBit ransomware operators had weaponized it. Any MSP running ScreenConnect on a perimeter-exposed instance was potentially compromised, and every financial institution that MSP managed was a downstream target. Patching was a race, and not everyone won it.

Fifteen months later, in May 2025, the platform itself was breached, this time by a nation-state actor that compromised ConnectWise's own corporate network and used that foothold to target ScreenConnect customers directly. ConnectWise engaged Mandiant for incident response and disclosed that a "very small number" of customers were affected. The phrasing was deliberately vague; the implication was not. A platform that thousands of MSPs treat as trusted infrastructure was an active battleground for nation-state operations.

ConnectWise was breached twice in 15 months. Once by ransomware groups exploiting a CVSS 10.0 authentication bypass, and once by a nation-state actor compromising the platform directly. The MSP platform your institution depends on is the platform attackers target.

The pattern repeats across the MSP-platform category. Kaseya VSA was exploited in July 2021 in a supply chain attack that affected more than 1,500 downstream businesses. SolarWinds Orion was used as a delivery mechanism for the Sunburst nation-state campaign in 2020. N-able and similar platforms have each had their own disclosed incidents. The platforms are not failing because their engineers are negligent. They are failing because any platform that aggregates remote management access for thousands of organizations is a high-value target by definition. The math favors the attacker every time.

ABT Partner Insight (Tier 1 Microsoft Cloud Solution Provider)

Native Microsoft 365 management eliminates the MSP-platform layer entirely. Microsoft Intune handles device enrollment and patch deployment. Microsoft Defender for Endpoint handles endpoint detection and response. Microsoft Entra ID handles identity and access. Microsoft Sentinel handles SIEM and SOC analytics. Microsoft Defender for Identity handles lateral-movement detection inside the tenant. Every management function that ConnectWise, Kaseya, or N-able provide for an MSP is available natively inside Microsoft 365 itself, with security controls audited under Microsoft's SOC 2 Type II program rather than a third-party MSP platform vendor's. ABT manages 750+ credit unions, banks, and mortgage companies on this architecture with zero ConnectWise, zero Kaseya, zero SolarWinds, zero N-able. When ConnectWise was breached in February 2024 and again in May 2025, ABT client exposure was zero on both events. Not reduced. Zero.

Sources: Microsoft 365 admin center; Microsoft Service Trust Portal SOC 2 reports.

FTC Safeguards Rule 314.4(f): Your Vendor's Patch Failure Is Your Compliance Failure

The 2021 amendments to the FTC Safeguards Rule, fully effective for covered financial institutions, codified what supervisors had been suggesting for years. Vendor security is no longer a polite request. It is a regulatory expectation with enforcement teeth.

FTC Safeguards Rule § 314.4(f): Service Provider Oversight

Covered financial institutions must (1) take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue, (2) require service providers by contract to implement and maintain those safeguards, and (3) periodically assess the service providers based on the risk they present and the continued adequacy of their safeguards. State financial regulators, such as NCUA for federally chartered credit unions, OCC for nationally chartered banks, and FDIC for state nonmember banks, have layered on examination expectations that mirror or exceed the FTC standard.

The Marquis breach is the prototypical Safeguards Rule failure scenario regulators had in mind. An unpatched SonicWall firewall at a third party exposed 780,000+ individuals across 74 institutions. The downstream institutions did not breach. The vendor did. But under 314.4(f), each of those 74 institutions is now accountable for explaining to its primary regulator how it selected Marquis, what diligence it performed on Marquis's security program, what contract terms it had in place, and how it periodically assessed Marquis against the standard. "We trusted them" is not an answer.

Regulatory expectations now extend beyond questionnaires. Examination teams increasingly want to see:

What examiners are asking for

  • Inventory. A documented list of every service provider with access to nonpublic personal information, mapped to the specific data elements each provider can touch.
  • Tiered diligence. Diligence depth scaled to risk, not a single questionnaire applied uniformly to a payroll processor and a core platform vendor.
  • Contract evidence. Executed contract language requiring SOC 2 Type II attestations, breach notification timelines, right-to-audit clauses, and termination rights for security failures.
  • Continuous monitoring. Evidence that vendor security is reviewed between annual cycles, not just at onboarding and renewal.
  • Incident playbook integration. Vendor breach scenarios incorporated into the institution's incident response plan, with documented coordination procedures.
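The five items above translate directly into a check that can run against a vendor register. The following is an added example, not ABT's tooling or anything from the page: it tiers each vendor by the data elements it can touch (management platforms are forced to the top tier, because compromising one inherits every downstream client's access, as the ConnectWise and Marquis cases show), then flags missing or stale 314.4(f) evidence: SOC 2 Type II reports older than a year, absent contract clauses, assessments overdue for the tier's review cadence, and internet-facing appliances at a top-tier vendor. The vendor records, weights, cadences and required clause names are all assumptions constructed for the example.

```python
"""Third-party oversight check (added example, not ABT's tooling).

Tiers vendors by the nonpublic personal information they can touch and flags
gaps in the 314.4(f) evidence an examiner would ask for. Weights, review
cadences, clause names and the sample vendors are assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Crude sensitivity weights per data element (assumed values).
NPI_WEIGHTS = {"ssn": 5, "account_number": 4, "tin": 4, "mortgage_file": 4,
               "dob": 3, "email": 1, "name": 1}

# Contract terms the institution requires of every vendor (assumed names).
REQUIRED_CLAUSES = {"breach_notification_timeline", "right_to_audit",
                    "termination_for_security"}

# Review cadence per tier: tier 1 quarterly, tier 2 semi-annual, tier 3 annual.
REVIEW_INTERVAL = {1: timedelta(days=90), 2: timedelta(days=180), 3: timedelta(days=365)}


@dataclass
class Vendor:
    name: str
    data_elements: Set[str]
    access: str                          # "data" or "management" (remote admin of endpoints/tenant)
    soc2_type2_date: Optional[date]      # date of the most recent SOC 2 Type II report
    contract_clauses: Set[str]
    last_assessment: Optional[date]
    internet_exposed_appliances: bool = False   # e.g. SSLVPN/firewall facing the internet


def tier(v: Vendor) -> int:
    """Tier 1 is highest risk. A management platform is tier 1 regardless of data."""
    if v.access == "management":
        return 1
    score = sum(NPI_WEIGHTS.get(e, 0) for e in v.data_elements)
    if score >= 8:
        return 1
    if score >= 3:
        return 2
    return 3


def findings(v: Vendor, today: date) -> List[str]:
    """Evidence gaps for one vendor; an empty list means nothing is missing."""
    t = tier(v)
    out = []
    if v.soc2_type2_date is None:
        out.append("no SOC 2 Type II report on file")
    elif today - v.soc2_type2_date > timedelta(days=365):
        out.append("SOC 2 Type II report older than 12 months")
    missing = REQUIRED_CLAUSES - v.contract_clauses
    if missing:
        out.append("contract missing: " + ", ".join(sorted(missing)))
    interval = REVIEW_INTERVAL[t]
    if v.last_assessment is None or today - v.last_assessment > interval:
        out.append(f"assessment overdue for tier {t} (cadence {interval.days} days)")
    if t == 1 and v.internet_exposed_appliances:
        out.append("tier 1 vendor with internet-facing appliances: request patch-status evidence")
    return out


def report(vendors: List[Vendor], today: date) -> Dict[str, dict]:
    """Tier and findings for every vendor, keyed by vendor name."""
    return {v.name: {"tier": tier(v), "findings": findings(v, today)} for v in vendors}


# Constructed sample register (not real vendors).
TODAY = date(2025, 11, 15)
VENDORS = [
    Vendor("Core platform vendor", {"ssn", "account_number", "dob", "tin"}, "data",
           soc2_type2_date=date(2024, 6, 1), contract_clauses={"breach_notification_timeline"},
           last_assessment=date(2025, 1, 15), internet_exposed_appliances=True),
    Vendor("Marketing email platform", {"email", "name"}, "data",
           soc2_type2_date=date(2025, 3, 1), contract_clauses=set(REQUIRED_CLAUSES),
           last_assessment=date(2025, 2, 1)),
    Vendor("Remote management platform", set(), "management",
           soc2_type2_date=date(2025, 9, 1), contract_clauses=set(REQUIRED_CLAUSES),
           last_assessment=date(2025, 10, 1)),
]

if __name__ == "__main__":
    for name, r in report(VENDORS, TODAY).items():
        print(f"{name} (tier {r['tier']}): {r['findings'] or 'no findings'}")
```

The core platform vendor in the sample comes back as tier 1 with four findings, while the remote management platform is also tier 1 but clean, which is the distinction examiners want to see: tiering is about what a vendor could expose, the findings are about whether oversight of it is evidenced.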

None of this is hypothetical. The Marquis breach generated multi-state attorney general inquiries and direct examination follow-ups for the 74 affected institutions. Several state regulators have signaled that future examinations will probe third-party risk management programs as a standard examination module, not a corner case.

Breaking the Third Link: Eliminating the MSP Supply Chain

Most third-party risk management advice focuses on the periphery: vendor questionnaires, contract clauses, periodic audits. Those controls are necessary. They are also, demonstrably, insufficient. No vendor questionnaire would have caught the unpatched SonicWall at Marquis before the ransomware group did. No SOC 2 report would have surfaced the ConnectWise platform compromise before Mandiant did.

The most effective way to reduce supply chain risk is to reduce the supply chain itself.

Pure Microsoft stack, no third-party MSP platforms. ABT manages Microsoft 365 tenants for 750+ credit unions, banks, and mortgage companies without ConnectWise, Kaseya, SolarWinds, N-able, Datto RMM, or NinjaOne. Every management function those platforms provide, including remote monitoring, patch management, endpoint detection, and identity governance, runs natively through the Microsoft ecosystem. When ConnectWise was breached in February 2024 and again in May 2025, ABT client exposure was zero on both events.

Microsoft Defender for Identity. Detects lateral movement inside the Microsoft 365 environment. When an attacker who has compromised a vendor's account begins moving laterally, by accessing SharePoint sites it has never touched, downloading from other users' OneDrives, or querying Entra ID for privileged role membership, Defender for Identity surfaces the behavior pattern as a high-priority alert.

Continuous Access Evaluation. With Continuous Access Evaluation, a Microsoft Entra ID session token no longer stays valid simply until its scheduled expiry. When risk signals change, such as impossible travel, a sign-in from a new country, or a sudden burst of high-volume data access, the token is revoked in near real time. Even if an attacker has captured a session token through a supply chain compromise, that token becomes invalid the moment the behavior looks anomalous.

Conditional Access boundaries on vendor identities. Vendor accounts do not get blanket access to your tenant. ABT configures Conditional Access policies that restrict vendor sessions to specific applications, specific source IP ranges, and specific time windows. A vendor that needs access to your email migration project does not also get access to the SharePoint container holding borrower files.
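The application and source-IP boundaries described above can be verified rather than assumed. The following is an added example, not ABT's configuration or a Microsoft tool: it audits a list of Conditional Access policies, in the JSON shape the Microsoft Graph conditionalAccessPolicy resource uses when exported, for three fences on a vendor group: block every application except an allow-list, block every location except the vendor's named location, and require MFA with a sign-in frequency. It also catches the two kinds of drift that silently open a boundary: a policy flipped to report-only, and an extra application slipped into the exclusion list. The group, application and named-location IDs are placeholders, the sample policies are constructed, and time-window restrictions are not modelled.

```python
"""Conditional Access vendor-boundary audit (added example, not ABT's tooling).

Input is a list of policies in the Microsoft Graph conditionalAccessPolicy JSON
shape. All IDs below are placeholders and the policies are constructed.
"""
import copy
from typing import List

VENDOR_GROUP = "00000000-0000-0000-0000-00000000aaaa"   # placeholder: vendor identities group
ALLOWED_APPS = {"app-migration-tool-placeholder"}         # placeholder: app IDs the vendor may use
VENDOR_LOCATION = "namedlocation-vendor-placeholder"      # placeholder: vendor source-IP named location


def _users(p): return p.get("conditions", {}).get("users", {})
def _apps(p): return p.get("conditions", {}).get("applications", {})
def _locs(p): return p.get("conditions", {}).get("locations") or {}
def _grants(p): return set((p.get("grantControls") or {}).get("builtInControls", []))


def targets_vendor(p) -> bool:
    return VENDOR_GROUP in _users(p).get("includeGroups", [])


def audit(policies) -> List[str]:
    """Return findings; an empty list means all three vendor fences are enforced."""
    findings = []
    app_fence = loc_fence = mfa = False
    for p in policies:
        if not targets_vendor(p):
            continue
        if p.get("state") != "enabled":
            # Report-only or disabled policies enforce nothing.
            findings.append(f"{p['displayName']}: scoped to vendor group but state is {p.get('state')}")
            continue
        apps, locs, grants = _apps(p), _locs(p), _grants(p)
        if "block" in grants and apps.get("includeApplications") == ["All"]:
            excluded_apps = set(apps.get("excludeApplications", []))
            excluded_locs = set(locs.get("excludeLocations", []))
            if excluded_locs:
                # Location fence: block everywhere except the vendor's named location.
                if locs.get("includeLocations") == ["All"] and excluded_locs == {VENDOR_LOCATION}:
                    loc_fence = True
                else:
                    findings.append(f"{p['displayName']}: location exclusions {sorted(excluded_locs)} "
                                    "do not match the vendor named location")
            if excluded_apps:
                # Application fence: block everything except the allow-list.
                app_fence = True
                extra = excluded_apps - ALLOWED_APPS
                if extra:
                    findings.append(f"{p['displayName']}: vendor can reach apps outside the allow-list: {sorted(extra)}")
        elif "mfa" in grants:
            sif = (p.get("sessionControls") or {}).get("signInFrequency") or {}
            if sif.get("isEnabled"):
                mfa = True
            else:
                findings.append(f"{p['displayName']}: MFA required but no sign-in frequency set")
    if not app_fence:
        findings.append("no enabled policy blocks the vendor group from applications outside the allow-list")
    if not loc_fence:
        findings.append("no enabled policy blocks the vendor group outside its named location")
    if not mfa:
        findings.append("no enabled policy requires MFA with a sign-in frequency for the vendor group")
    return findings


# Constructed baseline: the three vendor fences plus a tenant-wide MFA policy.
BASELINE = [
    {"displayName": "Vendor: block apps outside allow-list", "state": "enabled",
     "conditions": {"users": {"includeGroups": [VENDOR_GROUP]},
                    "applications": {"includeApplications": ["All"],
                                     "excludeApplications": sorted(ALLOWED_APPS)}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Vendor: block outside named location", "state": "enabled",
     "conditions": {"users": {"includeGroups": [VENDOR_GROUP]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": [VENDOR_LOCATION]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Vendor: require MFA, daily sign-in frequency", "state": "enabled",
     "conditions": {"users": {"includeGroups": [VENDOR_GROUP]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": {"signInFrequency": {"value": 1, "type": "days", "isEnabled": True}}},
    {"displayName": "All users: require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def drifted():
    """Constructed drift: location fence set to report-only, borrower SharePoint added to the app exclusions."""
    d = copy.deepcopy(BASELINE)
    d[1]["state"] = "enabledForReportingButNotEnforced"
    d[0]["conditions"]["applications"]["excludeApplications"].append("sharepoint-borrower-files-placeholder")
    return d


if __name__ == "__main__":
    print("baseline:", audit(BASELINE) or "no findings")
    print("drifted:", audit(drifted()))
```

Running the audit on the drifted set produces three findings: the borrower-files application now reachable by the vendor, the location fence sitting in report-only mode, and, as a consequence, no enforced location boundary at all. In practice the policy list would come from a Graph export of the tenant's Conditional Access policies, run on a schedule so that configuration drift is caught between annual reviews.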

M365 Guardian. ABT's continuous Microsoft 365 security posture program monitors the telltale signs of a supply chain compromise inside your tenant, including sign-in anomalies, external sharing exposure, MFA coverage gaps, and configuration drift. Cross-client visibility across 750+ financial institutions means an attack pattern detected at one institution becomes a detection signal for every other institution in the portfolio.
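The sign-in anomalies named above and in the Continuous Access Evaluation paragraph, a sign-in from a new country and impossible travel, are straightforward to detect once sign-in events are available. The following is an added example, not ABT's M365 Guardian or a Microsoft product: it runs two rules over sign-in events in the shape of Entra ID sign-in log records (user principal name, timestamp, IP, and a location with country and geo-coordinates): a per-vendor country allow-list, and an impossible-travel rule that computes great-circle distance between consecutive sign-ins of the same account and alerts when the implied speed exceeds a threshold. The events, accounts, IPs and threshold are constructed for the example.

```python
"""Vendor sign-in anomaly detection (added example, not ABT's M365 Guardian).

Events are constructed in the shape of Entra ID sign-in log records; accounts,
IPs, coordinates and the speed threshold are assumptions for the example.
"""
import math
from datetime import datetime
from typing import Dict, List, Set

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect(events: List[dict], vendor_allowed: Dict[str, Set[str]],
           max_speed_kmh: float = 900.0) -> List[dict]:
    """Return alerts. vendor_allowed maps a vendor UPN to the countries it may sign in from;
    the country rule applies to vendor accounts only, impossible travel to every account."""
    alerts = []
    last = {}   # upn -> (time, lat, lon)
    for e in sorted(events, key=lambda x: x["createdDateTime"]):
        upn = e["userPrincipalName"]
        t = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        loc = e["location"]
        country = loc["countryOrRegion"]
        lat, lon = loc["geoCoordinates"]["latitude"], loc["geoCoordinates"]["longitude"]
        if upn in vendor_allowed and country not in vendor_allowed[upn]:
            alerts.append({"user": upn, "rule": "country_not_allowed", "time": e["createdDateTime"],
                           "detail": f"sign-in from {country} via {e['ipAddress']}"})
        if upn in last:
            t0, lat0, lon0 = last[upn]
            hours = (t - t0).total_seconds() / 3600.0
            km = haversine_km(lat0, lon0, lat, lon)
            # Guard against division by zero for same-second sign-ins far apart.
            if km > 50 and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append({"user": upn, "rule": "impossible_travel", "time": e["createdDateTime"],
                               "detail": f"{km:.0f} km in {hours:.2f} h since previous sign-in"})
        last[upn] = (t, lat, lon)
    return alerts


def _ev(upn, ts, ip, city, country, lat, lon):
    return {"userPrincipalName": upn, "createdDateTime": ts, "ipAddress": ip,
            "appDisplayName": "Office 365 SharePoint Online",
            "location": {"city": city, "countryOrRegion": country,
                         "geoCoordinates": {"latitude": lat, "longitude": lon}}}


# Constructed sample: a vendor account and an internal user (not real accounts or IPs).
VENDOR = "migration.svc@vendor.example"
SIGNINS = [
    _ev(VENDOR, "2025-11-15T13:00:00Z", "203.0.113.10", "Dallas", "US", 32.78, -96.80),
    _ev("a.analyst@bank.example", "2025-11-15T13:20:00Z", "198.51.100.7", "Chicago", "US", 41.88, -87.63),
    _ev(VENDOR, "2025-11-15T13:40:00Z", "203.0.113.10", "Dallas", "US", 32.78, -96.80),
    _ev(VENDOR, "2025-11-15T14:10:00Z", "192.0.2.44", "Warsaw", "PL", 52.23, 21.01),
]
VENDOR_ALLOWED = {VENDOR: {"US"}}

if __name__ == "__main__":
    for a in detect(SIGNINS, VENDOR_ALLOWED):
        print(a["time"], a["user"], a["rule"], a["detail"])
```

The Warsaw sign-in raises both rules at once: it is outside the vendor's allowed countries, and it follows a Dallas sign-in thirty minutes earlier by several thousand kilometres. The internal analyst's sign-in produces nothing, which is the point of tracking the last location per account rather than per tenant. A token-revocation action on alert is where Continuous Access Evaluation takes over; this example stops at detection.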

Kill Chain Status: Part 3 of 4

Recon > Phish [ >>> BREACH >>> ] Heist

The stolen credentials from Part 1 were weaponized into AiTM phishing in Part 2. Vendor and platform compromises in Part 3 extended the breach beyond your perimeter. In Part 4: The Quiet Intruder, the attacker turns access into money: wire fraud, persistence, and the regulatory aftermath that follows.

Is your vendor stack a Safeguards Rule liability?

ABT's third-party risk assessment for financial institutions shows you exactly where the regulatory and operational risk lives:

  • Complete inventory of vendors with access to nonpublic personal information, mapped to data elements
  • Risk analysis of every MSP-platform exposure in your stack (ConnectWise, Kaseya, SolarWinds, N-able)
  • Gap analysis against FTC Safeguards Rule 314.4(f) and your primary regulator's examination expectations
  • Migration roadmap to pure Microsoft management that eliminates the MSP-platform supply chain

Frequently Asked Questions

In November 2025, mortgage services and technology vendor SitusAMC disclosed a cyberattack that exposed residential mortgage loan data, including borrower files, closing documents, and valuation records, for JPMorgan Chase, Citigroup, Morgan Stanley, and hundreds of additional banks, credit unions, and mortgage companies that relied on SitusAMC for outsourced loan operations. The attackers did not deploy ransomware; they exfiltrated data and left, in a "smash and grab" pattern that delayed detection by weeks. Each affected institution had to issue its own breach notifications despite none of them having been breached directly.

In August 2025, a ransomware group exploited CVE-2024-40766, a critical SonicWall SonicOS SSLVPN authentication bypass that had been public since August 2024 with patches available. Marquis Software Solutions, a fintech serving 700+ banks and credit unions, had not applied the patch. Attackers used the bypass to reach client data pipelines and exfiltrated Social Security numbers, bank account numbers, and taxpayer IDs for more than 780,000 individuals across 74 financial institutions. The pattern is what security researchers call "one-to-many" compromise: one vendor breach replicates into dozens of downstream institutions. Each affected institution had to file state attorney general notifications and notify every affected customer despite operating their own security controls correctly.

The 2021 amendments to the FTC Safeguards Rule require covered financial institutions to take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards, to require those safeguards by contract, and to periodically assess service providers based on the risk they present and the continued adequacy of their controls. Examination teams at NCUA, OCC, FDIC, and state regulators have layered on expectations that include documented vendor inventories with data-element mapping, tiered diligence scaled to vendor risk, executed contract language with SOC 2 attestation and breach notification provisions, continuous monitoring between annual cycles, and vendor breach scenarios integrated into incident response plans. A vendor's failure to patch a known vulnerability, like the SonicWall at Marquis, becomes the downstream institution's compliance failure when the institution cannot evidence adequate oversight.

MSP platforms aggregate remote management access for thousands of downstream client environments. Compromise one platform and you inherit the access that every MSP using it was trusted with by every institution it serves. ConnectWise ScreenConnect was breached through a CVSS 10.0 authentication bypass (CVE-2024-1709) in February 2024 and compromised again by a nation-state actor in May 2025. Kaseya VSA was used in a July 2021 supply chain attack that affected more than 1,500 businesses. SolarWinds Orion delivered the Sunburst nation-state campaign in 2020. For credit unions, banks, and mortgage companies, the risk is that their MSP's platform vulnerability becomes their data breach, regardless of their own security posture. The economics favor the attacker: one platform compromise produces many institution breaches.

Every third-party MSP platform in a security stack, including ConnectWise, Kaseya, SolarWinds, N-able, and Datto RMM, adds attack surface that the financial institution does not directly control. Removing those platforms by handling remote management, patch deployment, endpoint detection, identity governance, and SIEM natively through Microsoft Intune, Microsoft Defender for Endpoint, Microsoft Entra ID, and Microsoft Sentinel eliminates the MSP-platform supply chain. ABT manages Microsoft 365 tenants for 750+ credit unions, banks, and mortgage companies on this architecture. When ConnectWise was breached twice in 15 months, once by ransomware groups in February 2024 and once by a nation-state actor in May 2025, ABT client exposure was zero on both events. The security control set is audited under Microsoft's SOC 2 Type II program rather than a third-party MSP platform vendor's.

Start with a documented inventory of every vendor that has access to member, customer, or borrower data, mapped to the specific data elements each vendor can touch. Apply tiered diligence: a payroll processor and a core platform vendor do not get the same questionnaire. Reduce the count of platforms in the management stack. Every MSP platform eliminated removes one supply chain attack surface. Evaluate whether the MSP platform itself can be replaced with native Microsoft 365 management. Tighten Conditional Access policies so vendor identities are restricted to specific applications, source IP ranges, and time windows. Require executed contract terms aligned with FTC Safeguards Rule 314.4(f). Treat continuous monitoring of vendor security as routine, not annual. Integrate vendor breach scenarios into the incident response plan with documented coordination procedures.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has spent more than 25 years building Microsoft 365 environments for credit unions, banks, and mortgage companies, without the third-party MSP platforms that produce supply chain risk. As CEO of Access Business Technologies, the largest Tier 1 Microsoft Cloud Solution Provider dedicated to financial services, he leads pure Microsoft management for 750+ financial institutions. ABT clients had zero exposure during both ConnectWise breaches in 2024 and 2025 because ABT does not use ConnectWise, Kaseya, SolarWinds, or any other MSP platform whose vendor compromises cascade into the financial sector.