
2025 Data Breaches Expose Critical Gaps in NIS2, DORA, and SOC 2 Compliance
2025 data breaches
NIS2 compliance
DORA incident response
SOC 2 cybersecurity
data breach analysis
third-party risk management
IoT security
cybersecurity compliance


AIGovHub Editorial, March 10, 2026

Introduction: The 2025 Cybersecurity Landscape and Regulatory Implications

The year 2025 has witnessed significant cybersecurity incidents that underscore evolving threats and expose critical gaps in regulatory compliance frameworks. From the Ericsson US data breach affecting thousands through a third-party vendor compromise, to the ShinyHunters campaign targeting misconfigured Salesforce instances, and the KadNap malware creating a stealth proxy botnet from infected routers—these incidents collectively highlight vulnerabilities in third-party risk management, secure configuration practices, and IoT security. As regulations like the NIS2 Directive (Directive (EU) 2022/2555) and DORA (Regulation (EU) 2022/2554) come into full effect, and SOC 2 attestations become increasingly demanded by enterprise customers, understanding how these breaches reveal compliance weaknesses is essential for organizations aiming to strengthen their cybersecurity posture and avoid regulatory penalties.

Detailed Breakdown of 2025 Cybersecurity Incidents

Ericsson US Data Breach: Third-Party Vendor Compromise

Ericsson US disclosed a data breach affecting 15,661 employees and customers after a third-party service provider was compromised between April 17 and 22, 2025. The breach, discovered on April 28, 2025, exposed highly sensitive personal information including names, addresses, Social Security numbers, driver's license numbers, government-issued IDs, financial information, medical data, and dates of birth. Ericsson's response included filing breach notifications with multiple state attorneys general (including California, Texas, and Maine) and offering affected individuals free identity protection services through IDX with a $1 million fraud reimbursement policy. The incident underscores the importance of third-party vendor risk management and illustrates the obligations imposed by state breach notification statutes (for example, California Civil Code § 1798.82 and Texas Business and Commerce Code § 521.053), which are separate from the broader consumer privacy laws those states have enacted (the CPRA, operative 1 January 2023, and the TDPSA, effective 1 July 2024).

Salesforce Customer Attacks: Misconfiguration Exploitation

Since mid-2025, the ShinyHunters cybercrime group has targeted hundreds of Salesforce customers by exploiting misconfigurations in customer-configured guest user settings within Experience Cloud. Salesforce has confirmed that these attacks abuse customer misconfigurations, not vulnerabilities in its platform. The threat actors use a modified version of Mandiant's open-source Aura Inspector tool to find objects that guest users can reach through overly permissive endpoints and extract their data, combining that with social engineering, phishing, and abuse of third-party integrations. ShinyHunters has claimed responsibility and has threatened to release stolen information unless extortion demands are met. The campaign highlights the risks of overly permissive guest-user settings, inadequate access controls, and the web of third-party integrations that can undermine an otherwise robust platform.

KadNap Malware Campaign: IoT Device Compromise

First detected in August 2025 by Black Lotus Labs at Lumen, the KadNap malware has infected over 14,000 devices—primarily Asus routers—to create a stealth proxy botnet. With more than 60% of victims located in the United States, the malware compromises edge devices to route malicious traffic anonymously, enabling further cyberattacks, data exfiltration, or evasion of security controls. This incident exemplifies the growing threat to network infrastructure and the critical importance of securing Internet of Things (IoT) and edge devices, which often represent weak links in organizational security chains.

Compliance Gaps Exposed: NIS2, DORA, and SOC 2 Analysis

NIS2 Directive Compliance Shortfalls

The NIS2 Directive (Directive (EU) 2022/2555), with a member state transposition deadline of 17 October 2024, applies to "essential" and "important" entities across 18 sectors including digital infrastructure and ICT service management. The 2025 breaches reveal several NIS2 compliance gaps:

  • Supply Chain Security: The Ericsson breach demonstrates inadequate third-party risk management—a core NIS2 requirement. Organizations must implement measures to manage risks from direct suppliers and service providers.
  • Incident Reporting: NIS2 (Article 23) requires an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. Ericsson discovered the breach on April 28, 2025, and completed its investigation in February 2026; whether or not NIS2 itself binds a US subsidiary, that timeline shows how hard it is to meet early-warning deadlines when the compromise happens at a supplier and the victim depends on the supplier's forensics.
  • Risk Management Measures: The Salesforce misconfigurations and KadNap router compromises indicate failures in basic security hygiene—specifically around secure configuration and network security—that NIS2 requires entities to address through comprehensive risk management.

Penalties for NIS2 non-compliance can reach EUR 10 million or 2% of global annual turnover for essential entities, and EUR 7 million or 1.4% for important entities, whichever is higher.

DORA Incident Response Requirements

DORA (Regulation (EU) 2022/2554) applies from 17 January 2025 to financial entities including banks, insurers, and payment institutions. While the discussed incidents didn't specifically target financial entities, they illustrate vulnerabilities relevant to DORA's requirements:

  • ICT Risk Management Framework: The KadNap malware's ability to compromise routers and create proxy networks underscores the need for robust network security controls within DORA's mandated ICT risk management framework.
  • Third-Party ICT Risk Management: Ericsson's third-party breach exemplifies the exact type of supply chain risk DORA requires financial entities to manage through comprehensive third-party risk assessment and monitoring.
  • Digital Operational Resilience Testing: The sophistication of the ShinyHunters campaign—using modified open-source tools and social engineering—highlights the need for advanced testing, including threat-led penetration testing as required by DORA.

SOC 2 Trust Services Criteria Gaps

SOC 2, based on the AICPA's Trust Services Criteria (2017 revision), is not a certification but an attestation report increasingly required by enterprise customers. The 2025 incidents reveal gaps across multiple criteria:

  • Security (CC Series): All three incidents demonstrate security control failures—from inadequate vendor security (Ericsson) to misconfigured access controls (Salesforce) and vulnerable IoT devices (KadNap).
  • Availability (A1): While not directly causing downtime, the KadNap botnet's potential to route malicious traffic could impact service availability through distributed denial-of-service attacks.
  • Confidentiality (C1): The exposure of sensitive personal data in the Ericsson breach and potential data exfiltration in the Salesforce and KadNap incidents represent clear confidentiality failures.
  • Processing Integrity (PI1): The manipulation of systems through malware and unauthorized access compromises processing integrity.

Organizations pursuing SOC 2 Type II attestations (assessing control design and operating effectiveness over 6-12 months) must address these vulnerabilities to demonstrate effective security controls.

Step-by-Step Guide: Enhancing Incident Response and Preventive Measures

1. Strengthen Third-Party Risk Management

Given the Ericsson breach, organizations must:

  1. Conduct comprehensive due diligence on all third-party vendors, especially those handling sensitive data.
  2. Implement continuous monitoring of vendor security postures using tools like AIGovHub's compliance monitoring platform.
  3. Include specific security requirements in vendor contracts with clear accountability and breach notification timelines.
  4. Regularly audit vendor compliance with relevant standards (ISO/IEC 27001:2022, SOC 2).

2. Implement Robust Configuration Management

To prevent Salesforce-style misconfigurations:

  1. Establish and enforce secure configuration baselines for all cloud services and applications.
  2. Implement automated configuration monitoring and drift detection.
  3. Conduct regular security assessments of cloud environments, focusing on access controls and API permissions.
  4. Provide targeted training for personnel responsible for cloud configuration management.
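The drift detection and baseline enforcement in steps 1 and 2 can be expressed as a small script. The following is an added example, not code from the page, from Salesforce, or from AIGovHub: it models a guest/anonymous profile as a JSON-like document (a hypothetical shape, loosely modelled on object-level permissions in a SaaS CRM), diffs the live state against an approved baseline, and separately applies hard rules that a guest profile must never violate, so that a bad baseline cannot "approve" guest write access. The object names, permission names and allow-list are constructed for the example.

```python
"""Configuration drift and guest-access policy check for a cloud tenant.

Added example, not the page's or any vendor's code. The profile shape,
object names and thresholds are hypothetical.
"""
from typing import Any

PERM_NAMES = ("read", "create", "edit", "delete", "view_all", "modify_all")
# Permissions an anonymous/guest profile must never hold on any object.
FORBIDDEN_GUEST_PERMS = {"create", "edit", "delete", "view_all", "modify_all"}
# Objects a guest may read at all (hypothetical allow-list for this tenant).
GUEST_READABLE_OBJECTS = {"KnowledgeArticle", "PublicFAQ"}


def perms(**granted: bool) -> dict[str, bool]:
    """Build a full permission map, defaulting every permission to False."""
    return {name: bool(granted.get(name, False)) for name in PERM_NAMES}


# Approved baseline for the guest profile (constructed sample).
BASELINE: dict[str, Any] = {
    "profile": "Guest License User",
    "api_enabled": False,
    "object_permissions": {
        "KnowledgeArticle": perms(read=True),
        "PublicFAQ": perms(read=True),
        "Contact": perms(),
    },
}

# Live state pulled from the tenant (constructed sample with drift): an admin
# granted guests Read and View All on Contact, exposed a new Case object, and
# enabled API access on the profile.
CURRENT: dict[str, Any] = {
    "profile": "Guest License User",
    "api_enabled": True,
    "object_permissions": {
        "KnowledgeArticle": perms(read=True),
        "PublicFAQ": perms(read=True),
        "Contact": perms(read=True, view_all=True),
        "Case": perms(read=True),
    },
}


def flatten(doc: dict[str, Any], prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts into dotted-path -> leaf value."""
    out: dict[str, Any] = {}
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def detect_drift(baseline: dict[str, Any], current: dict[str, Any]) -> list[tuple[str, Any, Any]]:
    """Return sorted (path, expected, actual) triples where the live state differs
    from the baseline. A missing side is reported as None, so a newly exposed
    object shows up as drift instead of being silently ignored."""
    b, c = flatten(baseline), flatten(current)
    return [(p, b.get(p), c.get(p)) for p in sorted(b.keys() | c.keys()) if b.get(p) != c.get(p)]


def guest_policy_violations(profile: dict[str, Any]) -> list[str]:
    """Baseline-independent rules for an anonymous profile."""
    violations: list[str] = []
    for obj, granted_map in sorted(profile.get("object_permissions", {}).items()):
        granted = {p for p, on in granted_map.items() if on}
        bad = sorted(granted & FORBIDDEN_GUEST_PERMS)
        if bad:
            violations.append(f"{obj}: guest profile holds {bad}")
        if "read" in granted and obj not in GUEST_READABLE_OBJECTS:
            violations.append(f"{obj}: readable by guests but not on the allow-list")
    if profile.get("api_enabled"):
        violations.append("api_enabled: guest profile must not have API access")
    return violations


def audit(baseline: dict[str, Any], current: dict[str, Any]) -> dict[str, Any]:
    """Combine drift against the baseline with the hard policy rules."""
    drift = detect_drift(baseline, current)
    violations = guest_policy_violations(current)
    return {"drift": drift, "violations": violations, "pass": not drift and not violations}


if __name__ == "__main__":
    result = audit(BASELINE, CURRENT)
    for path, expected, actual in result["drift"]:
        print(f"DRIFT {path}: expected={expected!r} actual={actual!r}")
    for v in result["violations"]:
        print(f"VIOLATION {v}")
    print("PASS" if result["pass"] else "FAIL")
```

Running it against the constructed live state reports nine drifted settings (the Contact grants, the whole new Case object, and the API flag) and four policy violations. The split matters in practice: drift tells you what changed since the last approved state, while the policy rules catch the dangerous conditions (guest write access, guest API access, guest read on objects outside an allow-list) even if nobody has reviewed the baseline recently. In a real deployment the live document would be pulled from the tenant's metadata or admin API on a schedule and the result fed into the alerting described in step 4.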

3. Secure IoT and Network Infrastructure

Addressing KadNap-like threats requires:

  1. Inventory all IoT and network devices with regular vulnerability assessments.
  2. Implement network segmentation to isolate IoT devices from critical systems.
  3. Ensure timely patching and firmware updates for all network infrastructure.
  4. Monitor network traffic for anomalies indicating compromised devices.
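Step 4, monitoring traffic for devices that have been turned into relays, can be started with a simple behavioural heuristic over flow records. The following is an added example, not code from the page or from Black Lotus Labs, and it uses no KadNap-specific indicator: it scores each monitored edge device on constructed NetFlow-style records using behaviour a healthy router does not normally show, namely self-initiated connections to many distinct external hosts on many ports, and inbound sessions from hosts outside the management allow-list. Device addresses, thresholds and the flow records are constructed for the example.

```python
"""Flow-based heuristic for edge devices behaving as traffic relays.

Added example, not the page's or any vendor's code. Addresses use the
TEST-NET documentation ranges; thresholds are hypothetical and would be
tuned against each device's observed baseline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds
    src: str        # initiating address
    dst: str        # responding address
    dport: int      # destination port
    bytes_out: int  # bytes sent by the initiator


# Monitored edge devices, WAN address -> name (constructed).
EDGE_DEVICES = {"203.0.113.10": "branch-router-01", "203.0.113.11": "branch-router-02"}
# Hosts allowed to open inbound sessions to an edge device (e.g. the management jump host).
MANAGEMENT_HOSTS = {"203.0.113.50"}
# Hypothetical thresholds for a device that should only talk to NTP, DNS and a vendor.
FANOUT_THRESHOLD = 20
PORT_SPREAD_THRESHOLD = 5


def _is_external(addr: str) -> bool:
    """Anything that is not a monitored device or a management host is external (constructed rule)."""
    return addr not in EDGE_DEVICES and addr not in MANAGEMENT_HOSTS


def analyze(flows: list[Flow]) -> dict[str, dict]:
    """Per-device relay indicators over the given flow records."""
    out_dsts: dict[str, set] = defaultdict(set)       # device -> external hosts it initiated to
    out_ports: dict[str, set] = defaultdict(set)      # device -> distinct destination ports
    bad_inbound: dict[str, list] = defaultdict(list)  # device -> inbound (src, dport) not from management
    for f in flows:
        if f.src in EDGE_DEVICES and _is_external(f.dst):
            out_dsts[f.src].add(f.dst)
            out_ports[f.src].add(f.dport)
        elif f.dst in EDGE_DEVICES and f.src not in MANAGEMENT_HOSTS:
            bad_inbound[f.dst].append((f.src, f.dport))

    report: dict[str, dict] = {}
    for addr, name in EDGE_DEVICES.items():
        reasons: list[str] = []
        fan_out, spread = len(out_dsts[addr]), len(out_ports[addr])
        if fan_out >= FANOUT_THRESHOLD:
            reasons.append(f"outbound fan-out {fan_out} >= {FANOUT_THRESHOLD}")
        if spread >= PORT_SPREAD_THRESHOLD:
            reasons.append(f"destination port spread {spread} >= {PORT_SPREAD_THRESHOLD}")
        if bad_inbound[addr]:
            reasons.append(f"{len(bad_inbound[addr])} inbound session(s) from non-management hosts")
        report[name] = {
            "fan_out": fan_out,
            "port_spread": spread,
            "unexpected_inbound": sorted(bad_inbound[addr]),
            "flagged": bool(reasons),
            "reasons": reasons,
        }
    return report


def sample_flows() -> list[Flow]:
    """Constructed flow records: one healthy router and one acting as a relay."""
    flows = [
        # branch-router-01: NTP, DNS, a vendor update check, and admin SSH from the jump host.
        Flow(1000, "203.0.113.10", "198.51.100.5", 123, 76),
        Flow(1010, "203.0.113.10", "198.51.100.9", 53, 90),
        Flow(1020, "203.0.113.10", "198.51.100.7", 443, 2100),
        Flow(1030, "203.0.113.50", "203.0.113.10", 22, 4096),
    ]
    # branch-router-02: relays traffic to 25 distinct hosts on 5 ports and accepts
    # a session from an unknown host on a high port.
    ports = (80, 443, 25, 8080, 993)
    for i in range(25):
        flows.append(Flow(2000 + i, "203.0.113.11", f"198.51.100.{100 + i}", ports[i % 5], 1500 + i))
    flows.append(Flow(2100, "198.51.100.200", "203.0.113.11", 4444, 512))
    return flows


if __name__ == "__main__":
    for name, r in analyze(sample_flows()).items():
        status = "FLAGGED" if r["flagged"] else "ok"
        print(f"{name}: {status} fan_out={r['fan_out']} ports={r['port_spread']} {'; '.join(r['reasons'])}")
```

The useful property here is that the heuristic keys on the device's own behaviour rather than on malware signatures: a router that suddenly originates sessions to dozens of unrelated hosts, or that accepts sessions from an address that is not the management host, is worth a ticket whatever the family behind it. The thresholds are the weak point and have to be set from a baseline of each device's normal traffic; for real flow data you would also window by time and exclude the router's known update and telemetry endpoints before counting fan-out.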

4. Enhance Incident Response Capabilities

To meet NIS2 and DORA requirements:

  1. Develop and regularly test incident response plans with specific procedures for different breach scenarios.
  2. Implement monitoring tools that provide real-time alerts for potential incidents.
  3. Establish clear communication protocols for internal stakeholders and regulatory bodies.
  4. Conduct post-incident reviews to identify root causes and implement corrective actions.

5. Align with Multiple Compliance Frameworks

Organizations should:

  1. Map security controls across NIST Cybersecurity Framework 2.0 (published 26 February 2024), ISO/IEC 27001:2022, NIS2, and DORA requirements to identify gaps.
  2. Implement a unified risk management approach that addresses multiple regulatory obligations simultaneously.
  3. Leverage tools like AIGovHub's compliance intelligence platform to track evolving requirements and automate compliance monitoring.
  4. Consider SOC 2 attestation not as a checkbox exercise but as a framework for implementing effective security controls.

Key Takeaways for Cybersecurity and Compliance Leaders

  • Third-party risk is systemic: The Ericsson breach demonstrates that vendor compromises can have cascading effects, requiring enhanced due diligence and continuous monitoring.
  • Misconfigurations are a primary attack vector: The Salesforce incidents show that platform security means little without proper customer configuration—secure defaults and ongoing configuration management are essential.
  • IoT security can no longer be an afterthought: The KadNap malware campaign highlights how vulnerable edge devices can undermine entire security postures.
  • Compliance frameworks are converging: NIS2, DORA, SOC 2, and other standards share common requirements around risk management, incident response, and third-party security—organizations should adopt integrated approaches.
  • Proactive monitoring is non-negotiable: Real-time compliance alerts and risk assessments, like those provided by AIGovHub, are essential for identifying and addressing vulnerabilities before they're exploited.

Strengthen Your Cybersecurity Compliance Posture

The 2025 breaches make clear that traditional security approaches are insufficient against evolving threats and regulatory requirements. Organizations must adopt integrated compliance strategies that address multiple frameworks simultaneously while implementing robust technical and procedural controls. AIGovHub's cybersecurity compliance monitoring tools provide real-time alerts for regulatory changes, vulnerability disclosures, and compliance gaps—helping organizations stay ahead of both threats and requirements.

Take the first step toward enhanced cybersecurity compliance: Request a free cybersecurity compliance audit from AIGovHub to identify gaps in your NIS2, DORA, and SOC 2 preparedness and receive actionable recommendations for improvement.

This content is for informational purposes only and does not constitute legal advice.