- Vanta admits it introduced a bug in its code
- The bug resulted in a small subset of customers having data exposed
- The error is being fixed, and affected customers notified
Security and compliance automation company Vanta has confirmed sharing sensitive customer data with other customers by mistake.
In a statement (via TechCrunch), the company said a change it had made in the code resulted in a security breach. In it, some sensitive data from a small subset of customers was shared with other customers.
The incident was spotted on May 26, and remediation efforts are currently underway, with the process set to finish by June 4.
Hundreds of victims
As a result of the incident, “a subset of data from fewer than 20% of our third-party integrations” was exposed to other Vanta customers, the company’s chief product officer Jeremy Epling said.
He added that fewer than 4% of Vanta customers have been affected, and they have already been notified.
Since the company has more than 10,000 customers, that would put the breach at up to 400. At the same time, the data breach notification letter Vanta sent out says that the data typically includes employee names, roles, and information about different tools, such as 2FA. The company did not confirm exactly what type of data was grabbed.
Vanta is a security and compliance automation platform that helps businesses achieve and maintain certifications like SOC 2, ISO 27001, HIPAA, and GDPR more efficiently through continuous monitoring and integrations.
Among its customers are Atlassian, Omni Hotels, Quora, and ZoomInfo.