SitusAMC is gearing up for a legal battle over the fallout of its data breach last fall, as eight class action complaints have been consolidated in federal court. 

The cases quickly piled up after the industry vendor revealed in November that it suffered a cybersecurity incident. The company has emphasized no encryption nor malware was involved, but it has revealed few details of the hack which reportedly affected major bank partners. 

The Manhattan-based firm provides commercial and residential real estate partners, among other financial players, with loan-level data used in securitization, collateral and diligence workflows.

JPMorganChase customer Armen Kelechian sued SitusAMC in November for negligence, accusing the vendor of failing to protect his personally identifiable information. His complaint suggests that at least hundreds of thousands of individuals nationwide were impacted by the incident. 

The plaintiff, who indicated he's seeking at least $5 million in damages, did not name JPMorganChase as a defendant. SitusAMC has not disclosed how many people, or counterparties, were affected by the breach, as other companies sometimes detail in notices to state attorneys general offices. 

In a continually updated statement on its website, SitusAMC briefly described the data the unknown culprit compromised, including some customer records. 

"Corporate data associated with certain of our clients' relationship with SitusAMC such as accounting records and legal agreements has been impacted," the statement read. 

The company as of Dec. 29 said its forensic investigation was completed, the incident had already been contained, and it was working to assess the extent of compromised PII. 

A spokesperson for SitusAMC said Thursday that the company is unable to comment on pending litigation.

"SitusAMC remains focused on working closely with clients as we continue to review the data," the statement read. "We will be communicating directly with clients as we determine the exact nature of the data belonging to them that was affected."

Both an attorney for plaintiffs and a spokesperson for JPMorganChase also declined to comment on the lawsuit and breach.

Data breach lawsuits plague lender, vendor victims

Kelechian's suit blames SitusAMC for the diminished value of his PII, and argues the company could have prevented the breach by properly protecting its servers. His complaint also seeks to certify a subclass of California victims harmed under a state consumer protection law. Those are familiar requests by plaintiffs in the plethora of data breach lawsuits which typically slam lenders following incidents.

Companies are hesitant to disclose many details of a hack, notably the number of consumers affected, although they sometimes make revealing admissions in defense of consumer lawsuits. 

Union Home Mortgage, fighting a spate of class action complaints over a June incident, recently admitted to paying a ransom to cybercriminals to delete sensitive information they held ransom. Flagstar, in approaching finalizing a $31.5 million settlement with customers, also previously admitted to paying a $1 million bitcoin ransom to wipe customer data in a 2021 incident.