Bug at compliance firm Vanta exposed customer data to other users


  • Vanta admits it introduced a bug in its code
  • The bug resulted in a small subset of customers having data exposed
  • The error is being fixed, and affected customers notified

Security and compliance automation company Vanta has confirmed sharing sensitive customer data with other customers by mistake.

In a statement (via TechCrunch), the company said a change it had made in the code resulted in a breach which saw some sensitive data from a small subset of customers shared with other customers.

The incident was spotted on May 26, and remediation efforts are currently underway, with the process set to finish by June 4.

Hundreds of victims

"On May 26, we identified a product code change that resulted in a subset of data from fewer than 20% of our third-party integrations being exposed to other Vanta customers," Jeremy Epling, Chief Product Officer at the company, told TechRadar Pro in a statement.

"The incident was not security related and did not involve API keys, credentials, or an intrusion. In total, fewer than 4% of Vanta customers were impacted. Upon identification of this issue, the change was rolled back and remediation started immediately. We will complete remediation by June 4."

"All impacted customers were notified and Vanta's customer support teams are addressing customer questions and requests. We are standing by to provide further support for customers."

"To prevent an incident like this in the future, we are updating our third-party integrations API and improving our access control testing."

Since the company has more than 10,000 customers, "fewer than 4%" would put the number of affected customers at up to 400.

At the same time, the data breach notification letter Vanta sent out says that the data typically includes employee names, roles, and information about the tools in use, such as 2FA. The company did not confirm exactly what type of data was exposed.

Vanta is a security and compliance automation platform that helps businesses achieve and maintain certifications like SOC 2, ISO 27001, HIPAA, and GDPR more efficiently through continuous monitoring and integrations.

Among its customers are Atlassian, Omni Hotels, Quora, and ZoomInfo.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
