Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Fintech data breach affects several large U.S. financial institutions. SitusAMC, a major fintech provider serving over 1,500 clients, disclosed a data breach that compromised corporate records and customer information tied to several U.S. banks. The November attack exposed accounting records, legal documents, and potentially sensitive customer data from SitusAMC’s systems. The company is still assessing the full scope of what was taken and how many banks are affected. The incident highlights how deeply vendor breaches can ripple through the financial sector and reinforces the need for continuous monitoring of third-party partners.
Comcast fined for vendor data breach. Comcast will pay a $1.5 million FCC fine after a February 2024 vendor data breach. The breach exposed personal and financial data of nearly 275,000 Comcast customers. It impacted 4.2 million people overall. A consent decree required Comcast to strengthen vendor oversight, improve data disposal practices, conduct biennial vendor risk assessments, appoint a compliance officer, and file regular reports with the FCC. While Comcast denies wrongdoing, the case underscores the high stakes of third-party risk management and the importance of monitoring vendors even after relationships end. Your organization is still responsible for your vendor’s failures.
Vendor data breach impacts OpenAI. OpenAI paused its use of analytics vendor Mixpanel after a breach in Mixpanel’s systems exposed limited profile data for some API users — though ChatGPT users and core OpenAI systems were not affected. The compromised data included names, emails, locations, browser details, and user or organization IDs. OpenAI removed Mixpanel from production, notified impacted users, and warned about phishing risks. While no passwords, API keys, or sensitive content were exposed, the incident underscores growing concerns about third-party security in AI ecosystems as providers rely on external analytics and integrations.
Bank and credit union data compromised in third-party breach. Dozens of banks and credit unions were impacted by a third-party breach, affecting the sensitive data of at least 400,000. The August 2025 incident exposed names, contact details, dates of birth, Social Security numbers, and account information. The marketing vendor launched a forensic investigation, notified law enforcement, and began informing affected institutions in late October.
Managing fintech partnership risks. Community bank–fintech partnerships offer big opportunities but come with equally big compliance expectations. Regulators are clear that banks can outsource activities, but never the risk. Experts stress that data security is the top concern. Banks must ensure vendors protect customer information as rigorously as they do internally, while also upholding consumer protection, BSA/AML, and fair lending requirements. Real-time information sharing, thorough due diligence, and clear contract language are critical for managing these partnerships.