Code Bug at Compliance Firm Vanta Leaks Customer Data to Other Clients

Source: hackread.com – Author: Deeba Ahmed.

Compliance automation provider Vanta has confirmed that a software bug exposed private customer data to other Vanta customers, affecting hundreds of clients.

Vanta, a company known for helping businesses manage their security and compliance programs, has disclosed a data exposure incident. A software error caused private customer information to be shared with other Vanta customers.

The incident, traced to a recent change in the company's product code, affected hundreds of organizations and raises questions about tenant isolation in centralized compliance platforms.

What Happened and Who Was Affected?

The issue was first found by Vanta's own team on May 26. The bug allowed details such as sensitive employee data, how accounts were set up, whether multi-factor authentication (MFA) was in use, and tool configuration information to be "erroneously pulled into" other Vanta customer accounts. While Vanta stated that "fewer than 4% of customers" were impacted, this still means hundreds of businesses had their data exposed to other customers.

Screenshot via Vanta: Compliance Platform Vanta Exposes Customer Info via Software Bug

According to the company, the exposure affected "fewer than 20%" of its connections with third-party services. Vanta has stated that this was a "code bug" introduced by a "product change," not an attack from outside.

Jeremy Epling, Vanta's Chief Product Officer, confirmed the incident, saying that the change resulted in "a subset of data from fewer than 20% of our third-party integrations being exposed to other Vanta customers. Fewer than 4% of Vanta customers were affected, and have all been notified."

Vanta has begun informing affected customers that their employee account data was erroneously copied out of their Vanta instance into other customers' instances.

“On May 26, we identified a product code change that resulted in a subset of data from fewer than 20% of our third-party integrations being exposed to other Vanta customers. The incident was not security-related and did not involve API keys, credentials, or an intrusion. In total, fewer than 4% of Vanta customers were impacted. Upon identification of this issue, the change was rolled back and remediation started immediately. We will complete remediation by June 4. All impacted customers were notified and Vanta’s customer support teams are addressing customer questions and requests. We are standing by to provide further support for customers. To prevent an incident like this in the future, we are updating our third-party integrations API and improving our access control testing.”

Jeremy Epling, Chief Product Officer

Addressing the Vulnerability

Vanta is actively working to fix the problem and expects to complete remediation by June 4. Even so, this data leak shows the risk of concentrating sensitive company information in a shared, multi-tenant platform: a single internal code change was enough to mix data across customer boundaries, with no attacker involved. For a company whose core business is helping others with security and compliance, the incident is a reminder that access control regressions can slip through even in expert-built systems, which is why Vanta's stated fix includes improving its access control testing alongside the integrations API change.
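The following is an added, constructed example of the class of defect and the kind of access control test the article refers to. It is not Vanta's code and does not reproduce Vanta's actual bug; the data model (integration connections identified by a connection id, employee records with an MFA flag, per-customer instances) and all sample records are assumptions made for illustration. It shows an integration sync that looks records up by connection id alone, so a connection id shared by two tenants pulls one tenant's employees into the other's instance, beside the tenant-scoped version, and a cross-tenant isolation test that catches the unscoped variant.

```python
"""Constructed multi-tenant isolation check (illustrative, not Vanta's code).

Models the general defect class described in the article: an integration-sync
step that copies records into customer instances without scoping the lookup to
the tenant that owns the integration connection. All data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IntegrationRecord:
    connection_id: str   # id of the third-party integration connection (assumed model)
    customer_id: str     # tenant that owns the connection
    employee: str
    mfa_enabled: bool


# Constructed sample data: two tenants, each with an integration connection.
# Connection ids are NOT globally unique here: "okta-1" exists for both tenants,
# which is exactly the situation an unscoped lookup gets wrong.
RECORDS = [
    IntegrationRecord("okta-1", "acme", "alice@acme.example", True),
    IntegrationRecord("okta-1", "globex", "bob@globex.example", False),
    IntegrationRecord("gsuite-1", "acme", "carol@acme.example", True),
]


@dataclass
class CustomerInstance:
    customer_id: str
    connections: list                              # connection ids this tenant configured
    employees: dict = field(default_factory=dict)  # employee -> mfa_enabled


def sync_unscoped(instance, records):
    """Weak variant: pulls every record whose connection id matches, regardless of owner."""
    for r in records:
        if r.connection_id in instance.connections:
            instance.employees[r.employee] = r.mfa_enabled
    return instance


def sync_scoped(instance, records):
    """Fixed variant: the lookup key is (customer_id, connection_id), never connection_id alone."""
    for r in records:
        if r.customer_id == instance.customer_id and r.connection_id in instance.connections:
            instance.employees[r.employee] = r.mfa_enabled
    return instance


def cross_tenant_leaks(sync_fn, records):
    """Isolation test: run the sync for every tenant and return sorted
    (tenant, employee) pairs that landed in an instance the record's owner
    does not control. An empty list means no cross-tenant leakage."""
    owners = {r.employee: r.customer_id for r in records}
    tenants = {}
    for r in records:
        tenants.setdefault(r.customer_id, set()).add(r.connection_id)
    leaks = []
    for cid, conns in tenants.items():
        inst = sync_fn(CustomerInstance(cid, sorted(conns)), records)
        for emp in inst.employees:
            if owners[emp] != cid:
                leaks.append((cid, emp))
    return sorted(leaks)


if __name__ == "__main__":
    print("unscoped:", cross_tenant_leaks(sync_unscoped, RECORDS))
    print("scoped:  ", cross_tenant_leaks(sync_scoped, RECORDS))
```

Run as a regression test in CI, `cross_tenant_leaks` fails loudly for the unscoped sync (each tenant receives the other's employee record) and returns an empty list for the scoped one. The test deliberately derives tenant ownership from the source records rather than from the sync output, so a change that drops the tenant filter cannot also hide the leak.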

Original Post url: https://hackread.com/code-bug-compliance-vanta-data-leak-customer-clients/

Category & Tags: Security, Leaks, Privacy, Compliance, Cybersecurity, data breach, Vanta
