Compliance and cybersecurity firm Vanta has confirmed that a recent software bug inadvertently exposed sensitive customer information to other customers. The breach did not result from an external intrusion; it was caused by changes to the company’s product code.
Vanta, known for providing automated security and compliance systems primarily targeting corporate clients, discovered the exposure on May 26 and expects to fully resolve the issue by June 4. According to Chief Product Officer Jeremy Epling, the incident involved data from fewer than 20% of Vanta’s third-party integrations. Overall, fewer than 4% of the company’s users were affected. Given Vanta’s customer base of over 10,000 businesses, this indicates that several hundred customers potentially saw their data compromised.
Affected customers soon received notifications from Vanta about the incident, detailing the exposure of specific employee information erroneously shared across customer accounts. One customer confirmed receiving a notice from Vanta revealing that data, such as employee names, roles, and security settings including multi-factor authentication, had mistakenly been shared with unintended recipients.
When asked, a Vanta representative declined to give further details about the categories of data exposed or to comment on the potential compromise of Vanta’s own internal employee data.
Founded in 2018, Vanta has secured more than $350 million in funding to date, including a notable $150 million Series C investment round in July 2024.