Vanta Incident 2025: Cross-Customer Data Exposure Due to Code Change

Vanta, a leading provider of compliance automation services, disclosed a security incident involving unintended data exposure among its customer base. The incident was traced to a product code change and was not attributed to malicious activity or external compromise. The issue was identified on May 26, 2025, and full remediation was completed by June 4, 2025.

Severity Level: High

Incident Overview

1. Root Cause:

  • Triggered by an internal product code change, not a cyberattack or intrusion.
  • The flaw caused unintended cross-account visibility within the Vanta platform.
  • No exploitation or unauthorized access by external threat actors was detected.

2. Scope of Exposure:

  • Vanta supports over 10,000 customers, mainly in regulated industries requiring stringent compliance protocols.
  • The incident affected roughly 4% of Vanta’s customer base, i.e., several hundred organizations.

3. Nature of Data Exposed:

  • Employee names
  • Employee roles
  • Tool configuration data, including indicators of multi-factor authentication (MFA) setup
  • No confirmation on whether sensitive identifiers (e.g., passwords, tokens, or credentials) were included.
  • Vanta has not disclosed if Vanta employee data was part of the exposure.

4. Exposure Vector:

  • Affected approximately 20% of third-party integrations used by Vanta customers.
  • Data from those integrations became visible to other customers’ instances under certain conditions.
  • Example provided: Employee account data from one customer instance was pulled into another customer’s environment.

5. Detection & Response:

  • The issue was first identified on May 26, 2025, through internal monitoring or customer feedback (exact method not disclosed).
  • Vanta initiated a remediation process immediately and completed it by June 4, 2025.
  • All affected customers were individually notified, according to Vanta.

6. Company Statement:

  • Public response was issued by Jeremy Epling, Vanta’s Chief Product Officer.
  • Statement acknowledged the exposure, emphasized remediation, and reassured no external compromise.
  • A Vanta spokesperson declined to specify the types of customers or data categories involved.
  • No public disclosure of customer identities or a breach notification on regulatory portals (as of now).

Lessons Learned

  • Even seemingly internal or minor code changes can lead to systemic security exposures if not subjected to rigorous testing.
  • Logical separation between customer environments failed, leading to data cross-contamination.
  • The issue was identified internally or reported by customers, indicating a gap in proactive anomaly detection.

Recommendations:

  1. Enforce strict data segregation checks in all code changes before production deployment.
  2. Implement continuous monitoring for cross-tenant data access anomalies.
  3. Conduct regular security audits of third-party integrations and connectors.
  4. Apply role-based access controls and validate permissions across customer environments.
  5. Notify affected users promptly and provide impact analysis with actionable next steps.
  6. Incorporate tenant isolation tests into your CI/CD pipelines and QA processes.
  7. Maintain least privilege access for third-party connectors, implement per-integration security reviews, and isolate third-party data handling from core user data paths.
  8. Develop a well-rehearsed incident response plan with clear customer notification processes, data classification impact analysis, and regulatory compliance workflows.
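Recommendations 1, 2 and 6 above describe the same control from three angles: a data-access path that cannot serve another tenant's rows, a pipeline test that proves it, and monitoring that catches a regression in production. The block below is an added example written for this advisory; it is not Vanta's code and says nothing about how the Vanta platform is built. The tenants, employee records, function names and access-log lines are all constructed for illustration. It contrasts an unscoped lookup (the shape of failure the advisory describes, where a caller's tenant is no longer used as a filter) with a tenant-scoped one, runs an isolation check of the kind that belongs in CI/CD, and scans constructed access records for reads served across tenant boundaries.

```python
"""Tenant-isolation guardrails for a shared multi-tenant table.

Added example for this advisory. It is not Vanta's code and does not describe
how the Vanta platform is built; the tenants, employees, function names and
access-log lines are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    tenant_id: str     # owning customer instance
    name: str
    role: str
    mfa_enabled: bool  # the kind of tool-configuration flag the advisory mentions


# Constructed sample store: one table shared by two tenants, keyed by a
# globally unique employee id (the shape that makes a tenant filter easy to drop).
EMPLOYEES = {
    "emp-1": Employee("tenant-a", "Alice", "Engineer", True),
    "emp-2": Employee("tenant-a", "Bob", "Admin", False),
    "emp-3": Employee("tenant-b", "Carol", "Engineer", True),
}


def get_employee_unscoped(tenant_id, employee_id):
    """Failure mode: tenant_id is accepted but never applied as a filter,
    so any caller can read any row by id."""
    return EMPLOYEES[employee_id]


def get_employee(tenant_id, employee_id):
    """Hardened lookup: the caller's tenant is a mandatory predicate. A row
    owned by another tenant is reported as not found, just like a missing id."""
    row = EMPLOYEES.get(employee_id)
    if row is None or row.tenant_id != tenant_id:
        raise KeyError(employee_id)
    return row


def isolation_violations(fetch):
    """CI/CD check: call fetch(tenant, id) for every tenant/id pair and
    collect every result whose owner is not the requesting tenant.
    An empty list means the data path is tenant-safe for this store."""
    tenants = sorted({e.tenant_id for e in EMPLOYEES.values()})
    violations = []
    for tenant in tenants:
        for emp_id in sorted(EMPLOYEES):
            try:
                row = fetch(tenant, emp_id)
            except KeyError:
                continue  # not visible to this tenant: correct behaviour
            if row.tenant_id != tenant:
                violations.append((tenant, emp_id, row.tenant_id))
    return violations


# Constructed access-log lines, one per read served to a tenant's integration.
ACCESS_LOG = [
    "2025-01-01T09:00:00Z tenant=tenant-a integration=hr-sync employee=emp-1",
    "2025-01-01T09:00:05Z tenant=tenant-a integration=hr-sync employee=emp-3",
    "2025-01-01T09:01:00Z tenant=tenant-b integration=idp-sync employee=emp-3",
]


def parse_access_line(line):
    """Parse 'TS key=value ...' into a dict; malformed lines raise ValueError."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    for required in ("tenant", "integration", "employee"):
        if required not in fields:
            raise ValueError(f"missing {required}: {line!r}")
    fields["ts"] = ts
    return fields


def detect_cross_tenant_reads(lines, store=EMPLOYEES):
    """Monitoring check: flag every read where the requesting tenant is not
    the owner of the record served. Unknown ids are flagged too, since a
    read that cannot be attributed to any tenant is itself anomalous."""
    alerts = []
    for line in lines:
        rec = parse_access_line(line)
        row = store.get(rec["employee"])
        owner = row.tenant_id if row else None
        if owner != rec["tenant"]:
            alerts.append({"ts": rec["ts"], "tenant": rec["tenant"],
                           "integration": rec["integration"],
                           "employee": rec["employee"], "owner": owner})
    return alerts


if __name__ == "__main__":
    print("unscoped lookup violations:", isolation_violations(get_employee_unscoped))
    print("scoped lookup violations:  ", isolation_violations(get_employee))
    for alert in detect_cross_tenant_reads(ACCESS_LOG):
        print("cross-tenant read:", alert)
```

Run stand-alone, the unscoped lookup yields three violations and the scoped one none, and the log scan flags the single read in which tenant-a's hr-sync integration was served a tenant-b record. Two design points carry over to real systems: the scoped lookup returns the same not-found result for a foreign row as for a missing id, so an attacker probing ids learns nothing about other tenants, and the monitoring check keys alerts by integration, which is what lets a team measure the blast radius (here, which connectors were involved) rather than only confirming that a leak occurred.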

Source:

  • https://techcrunch.com/2025/06/02/vanta-bug-exposed-customers-data-to-other-customers/
