Compliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion.
Vanta, which helps corporate customers automate their security and compliance processes, said it identified an issue on May 26 and that remediation will complete June 4.
The incident resulted in “a subset of data from fewer than 20% of our third-party integrations being exposed to other Vanta customers,” according to the statement attributed to Vanta’s chief product officer Jeremy Epling.
Epling said fewer than 4% of Vanta customers were affected, and have all been notified. Vanta has more than 10,000 customers, according to its website, suggesting the data exposure likely affects hundreds of Vanta customers.
One customer affected by the incident told TechCrunch that Vanta had notified them of the data exposure. The customer said Vanta told them that “employee account data was erroneously pulled into your Vanta instance, as well as out of your Vanta instance into other customers’ instances.”
The customer told TechCrunch that Vanta’s notice said this type of data “generally includes” information like employee names, roles, and information about configurations of some tools, such as the use of multi-factor authentication.
When asked by TechCrunch, Vanta spokesperson Erin Cheng would not say what types of customers’ data were involved during the incident or comment on whether Vanta employee data was exposed.
Founded in 2018, Vanta has raised more than $350 million to date, including $150 million in its most recent Series C funding round in July 2024.
