Compliance company Vanta has confirmed that a bug exposed the personal data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was the result of a product code change and not an intrusion.
Vanta, which helps corporate customers automate their security and compliance processes, identified the issue on May 26 and said remediation will be completed on June 4.
The incident has resulted in “a subset of data from less than 20% of third-party integrations being exposed to other Vanta customers,” according to a statement from Vanta's chief product officer Jeremy Epling.
Epling said that less than 4% of Vanta's customers have been affected and all have been notified. According to its website, Vanta has over 10,000 customers, which suggests that the data exposure is likely to affect hundreds of Vanta customers.
One customer affected by the incident told TechCrunch that Vanta had notified them of the data exposure. The customer said Vanta “employee account data was accidentally drawn into a Vanta instance and accidentally drawn into another customer's instance from a Vanta instance.”
The customer told TechCrunch that Vanta's notifications said this type of data would “generally include” information such as employee names, roles and information on the configuration of several tools, such as the use of multi-factor authentication.
When asked by TechCrunch, Vanta spokesman Erin Cheng would not comment on what kind of customer data was involved in the incident or whether Vanta's employee data was exposed.
Founded in 2018, Vanta has raised more than $350 million so far, including $150 million in its latest Series C funding round in July 2024.