The Limitations of SOC2 Audits in Preventing Cybersecurity Breaches: A Critical Analysis

John O'Connell

Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.

Service Organization Control 2 (SOC2) audits have become the de facto standard for demonstrating security compliance in the technology industry. While these audits serve an important role in establishing baseline security controls and processes, their effectiveness in preventing actual cybersecurity breaches deserves critical examination.

This analysis explores why SOC2 certification, despite its widespread adoption and respected status, may provide a false sense of security and prove inadequate in protecting organizations against modern cyber threats.

Recent examples of SOC2 failures

We have several recent examples of firms that had valid SOC2 audit letters in place and still failed to protect client data. Examples include:

Okta Inc.: In October 2023, Okta, a leading identity and access management company, suffered a breach where hackers stole HTTP access tokens from its support platform. This incident impacted numerous clients, including Caesars Entertainment, MGM Resorts International, 1Password, and Cloudflare.

AT&T: In January 2023, AT&T experienced a data breach at a cloud vendor, affecting approximately 8.9 million wireless customers. The compromised data included information from 2015 to 2017 that should have been deleted, such as account details and rate plan information. In September 2024, AT&T agreed to pay $13 million to settle an FCC investigation into the breach.

Progress Software (MOVEit): In 2023, a vulnerability in Progress Software's MOVEit file transfer software was exploited, impacting over 2,500 organizations, including the BBC, British Airways, and the New York City Department of Education.