The saga surrounding compliance startup Delve continues to unfold with significant developments. Recently, TechCrunch revealed that Delve was the compliance firm responsible for the security assessments of Context AI, an AI training company that suffered a data breach affecting Vercel, a leading app and website hosting service. The incident followed Context AI’s app being connected to Vercel’s corporate account, which gave hackers access they were able to exploit.
Moreover, Lovable, a company that experienced its own security incident, has ceased its relationship with Delve. The startup has faced intense scrutiny since an anonymous whistleblower suggested it was manipulating customer data and collaborating with rubber-stamping auditors during its compliance processes. Delve has consistently denied these allegations.
Complicating matters, Delve came under fire when hackers inserted malware into the open-source code of one of its customers, LiteLLM, leading LiteLLM to terminate its partnership with Delve and pursue re-certification. Additional accusations suggest that Delve misrepresented an open-source tool as its own work without appropriate licenses, which further tarnished its reputation and resulted in Y Combinator, from which Delve graduated, severing ties with the firm.
As the situation escalated over the weekend, Vercel disclosed that hackers breached its systems, accessing sensitive customer data. Following this breach, Gergely Orosz, an engineering newsletter author, confirmed via social media that Delve had handled Context AI’s security certification. Subsequently, Context AI acknowledged this relationship, stating it had transitioned away from Delve and engaged Vanta along with an independent audit firm to ensure their compliance program was reassessed.
The email correspondence from Context AI affirmed their previous partnership with Delve, but they have now switched to other audit providers, citing the need for new examinations to restore their credibility.
The recent events highlight that security certifications alone are insufficient to prevent breaches; they are designed to ensure companies have robust policies in place to mitigate risks. For example, Lovable parted ways with Delve after the whistleblower’s claims became public and has since successfully completed one new security certification while initiating a review of others.
However, Lovable also acknowledged that it unintentionally exposed customer chat data, later expressing regret for previously denying any breach had occurred, attributing the issue to a configuration error rather than a cyberattack.
Adding to Delve’s troubles, the whistleblower, known as DeepDelver, recently alleged that the company had been refusing refund requests while simultaneously sending its team on a trip to Hawaii. Although DeepDelver provided evidence substantiating the Hawaii trip, TechCrunch has yet to independently verify all claims. Delve has not responded to media inquiries regarding these ongoing issues, and attempts to reach its media relations have failed.


