A customer noticed that when they accessed information on a vendor website that there was other customers listed and they could read their information because of a error by the vendor when an enhancement was made. The vendor verified and traced what accounts were opened & viewed and we will notify them of the risk. My question is if the customer was listed and no one opened the account information should we notify them that they could of been at risk?