Incident

Vanta leaks customer data due to product code change

Take action: When building a multi-tenant system, you are always at risk that a bug will expose one tenant's data to another. Plan explicit isolation testing around that: negative tests that assert tenant A can neither read nor receive tenant B's records, run on every code change to the shared data paths.


Learn More

Compliance automation company Vanta confirmed a data exposure incident that resulted in private customer information being shared across different customer accounts. Vanta helps corporate customers automate their security and compliance processes for standards like SOC 2, ISO 27001, HIPAA, and GDPR.

The incident was caused by a product code change that resulted in a breakdown of data isolation mechanisms within Vanta's multi-tenant platform architecture. According to Vanta's Chief Product Officer Jeremy Epling, the incident resulted in "a subset of data from fewer than 20% of our third-party integrations being exposed to other Vanta customers". The exposure was bidirectional, meaning customer data was both leaked out of their instances and foreign data was erroneously imported into their systems.

The exposed data includes:

  • Employee names and organizational roles
  • Account configuration details
  • Multi-factor authentication usage information
  • Security tool configuration details
  • Information about third-party service integrations

The number of affected individuals is not disclosed. Vanta states that fewer than 4% of its customers were affected by the incident and that all of them have been notified. With Vanta claiming more than 10,000 customers on its website, fewer than 4% still points to several hundred affected organizations.

Vanta discovered the issue on May 26, 2025, and remediation efforts are scheduled to complete by June 4, 2025.
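The failure class described above, a code change in a shared-store query path that drops the tenant predicate so integration records flow across tenants in both directions, is exactly what the "Take action" note asks you to test for. The following is an added example, not Vanta's code and not based on any knowledge of Vanta's platform: a hypothetical tenant-scoped integration store with a correct query beside the regressed one, and an isolation check that reports, per tenant, which foreign tenants' data appeared in its view. All names (IntegrationStore, sync_integration, check_isolation), the provider labels, and the sample records are constructed for illustration.

```python
"""Tenant-isolation regression check for a multi-tenant integration sync.

Added example, not code from the incident. Models a shared backing store
holding every tenant's third-party integration records, a correct read
path, and a "product code change" that silently drops the tenant filter.
All identifiers and sample data are hypothetical/constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class IntegrationRecord:
    tenant_id: str   # owning tenant (constructed ids below)
    provider: str    # third-party integration name (constructed)
    payload: dict    # e.g. MFA usage, tool configuration


class IntegrationStore:
    """One physical store shared by all tenants, as in a multi-tenant SaaS."""

    def __init__(self) -> None:
        self._rows: List[IntegrationRecord] = []

    def insert(self, rec: IntegrationRecord) -> None:
        self._rows.append(rec)

    def query_safe(self, tenant_id: str, provider: str) -> List[IntegrationRecord]:
        # Correct read path: every row is filtered by the caller's tenant.
        return [r for r in self._rows
                if r.tenant_id == tenant_id and r.provider == provider]

    def query_buggy(self, tenant_id: str, provider: str) -> List[IntegrationRecord]:
        # Regressed read path: same signature, but the refactor kept only the
        # provider predicate. Nothing fails loudly; rows just come back for
        # whoever asks, which is the bidirectional leak described in the text.
        return [r for r in self._rows if r.provider == provider]


QueryFn = Callable[[str, str], List[IntegrationRecord]]


def sync_integration(tenant_id: str, provider: str, query: QueryFn) -> List[IntegrationRecord]:
    """Pull a tenant's records for one provider into that tenant's own view."""
    return query(tenant_id, provider)


def check_isolation(tenants: List[str], provider: str, query: QueryFn) -> Dict[str, List[str]]:
    """Return tenant -> sorted list of foreign tenant_ids present in its view.

    All-empty lists means isolation held. A non-empty list for tenant X means
    foreign data was imported into X; X's own id appearing under another
    tenant means X's data leaked out. One pass covers both directions.
    """
    leaks: Dict[str, List[str]] = {}
    for t in tenants:
        view = sync_integration(t, provider, query)
        leaks[t] = sorted({r.tenant_id for r in view if r.tenant_id != t})
    return leaks


def seed_store() -> IntegrationStore:
    # Constructed sample data: two tenants on the same provider, one on another.
    store = IntegrationStore()
    store.insert(IntegrationRecord("tenant-a", "idp", {"mfa_enabled": True, "users": ["alice"]}))
    store.insert(IntegrationRecord("tenant-b", "idp", {"mfa_enabled": False, "users": ["bob"]}))
    store.insert(IntegrationRecord("tenant-c", "scm", {"branch_protection": True}))
    return store


def run_demo():
    """Run the isolation check against both read paths and return the results."""
    store = seed_store()
    tenants = ["tenant-a", "tenant-b", "tenant-c"]
    safe = check_isolation(tenants, "idp", store.query_safe)
    buggy = check_isolation(tenants, "idp", store.query_buggy)
    return safe, buggy


if __name__ == "__main__":
    safe_result, buggy_result = run_demo()
    print("safe :", safe_result)
    print("buggy:", buggy_result)
```

In a real CI pipeline `check_isolation` would run against the real data layer with a fixture of at least two tenants per integration, and the build fails on any non-empty list. Note that tenant-c, which has no records for the queried provider at all, still receives both other tenants' rows under the regressed path; a test with a single tenant in the fixture would never catch this.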
