In March 2026, a software tool used by millions of businesses around the world was breached.
The tool had every security certificate a buyer could ask for. SOC 2 Type 1. ISO 27001. The kind of badges that procurement teams look for before signing a contract. The kind of badges that make you feel safe when you see them on a supplier's website.
None of them made a difference.
The breach was not caught by a security control. It was not flagged by a monitoring system. It was not picked up by an audit. The attackers were only discovered because they made a mistake in their own code. A bug in their malware crashed a researcher's computer. Without that error, stolen credentials could have been silently harvested for days or weeks.
If a company with that many certificates on the wall can be breached this easily, what does that tell you about the certificates you are relying on, whether they belong to your suppliers or are hanging on your own wall?
- A widely used software tool with SOC 2 and ISO 27001 certifications was breached in March 2026
- The breach was only discovered by accident, not by any security control or audit
- Certificates on a supplier's website do not guarantee that your data is safe
What Actually Happened?
The story is worth understanding, even if you are not technical. Because the failure was not sophisticated. It was basic.
Think of it this way. Imagine a company that makes locks for office buildings. Before shipping each lock, they run it through a testing machine to make sure it works. That testing machine is made by a different company. One day, an attacker breaks into the testing machine company and tampers with the equipment. Now every lock that passes through the machine gets a hidden flaw built into it. The locks still look perfect. They still pass every inspection. But the attacker has a way in.
That is essentially what happened.
The attackers first compromised a widely used security scanning tool. A tool that was supposed to check for vulnerabilities. They used that access to steal the publishing credentials for the software tool itself. Then they pushed out a poisoned update, using the real company's name, through the real distribution channel. To anyone downloading it, everything looked legitimate. There was no warning sign. No red flag. Just a routine software update that happened to contain malware designed to steal passwords, access keys, and sensitive credentials. This is exactly the kind of supply chain attack that modern businesses need to defend against.
The poisoned update was live for approximately three hours before it was discovered. The tool averages roughly 3.4 million downloads per day.
- Attackers compromised a security scanning tool first, then used it to poison the main software
- The poisoned update was distributed through the real, official channel and looked completely legitimate
- It was live for three hours with roughly 3.4 million downloads per day passing through
If They Had Every Certificate, Why Did None of Them Help?
This is where the story goes from concerning to infuriating.
SOC 2 and ISO 27001 are the two most common security certifications in the business world. If you have ever filled out a supplier questionnaire, or been asked to prove your business takes security seriously, you will have seen these names. In simple terms, they are supposed to confirm that a company has real, tested security controls in place. Not just policies written in a document somewhere, but actual practices that have been independently checked by an auditor. These are the same frameworks we help businesses work through in our compliance and certifications service.
The company behind the breached tool obtained its SOC 2 and ISO 27001 certifications through a compliance platform called Delve. Delve is a venture-backed startup that raised $32 million in 2025 and markets itself as an "AI-native" compliance solution.
Here is what emerged after the breach.
An independent investigation analysed 494 SOC 2 reports linked to Delve. It found that 99.8% contained identical text in the section that is supposed to describe each company's unique security programme. The same words. The same sentences. The same grammatical errors. Across hundreds of different businesses, in hundreds of supposedly independent audit reports.
The section that is meant to describe how your specific business protects its data was, in many cases, a copy and paste job.
The auditor conclusions were allegedly written before the evidence was even reviewed. The reports were not a reflection of what was happening inside these businesses. They were paperwork. Produced at speed, at scale, and at volume.
- The company got certified through a platform that produced near-identical reports for 99.8% of its clients
- The section meant to describe each company's unique security programme was copy-pasted across hundreds of reports
- Auditor conclusions were allegedly written before the evidence was reviewed
Can AI Actually Replace a Proper Security Audit?
Delve's main selling point was that it was "AI-native." That phrase was central to its pitch to investors and to the startups buying its service. The promise was simple and appealing: use artificial intelligence to automate compliance, get certified faster, spend less, and move on to growing your business.
That promise should set off alarm bells for every small business owner reading this. We have written before about how to use AI safely in your business, and this is a case study in what happens when the tool itself is not trustworthy.
Here is what "AI-native compliance" actually means in practice. It means automation that generates reports faster. It means software that matches evidence to control requirements faster. It means a platform that can process more clients, at higher volume, with fewer human beings involved.
Notice what is missing from that list. At no point does anyone walk into your office. At no point does anyone look at how your business actually operates. At no point does a qualified human being ask why three members of staff share the same login, or why your client data sits in a folder that a former employee can still access, or why your supplier's "secure portal" is actually a shared Dropbox link with no password. These are the kinds of gaps a proper penetration test or hands-on security review will find.
AI can check whether a box is ticked. It cannot check whether the box should have been ticked in the first place.
The entire value proposition of AI-native compliance is speed and scale. But speed and scale are precisely the opposite of what a proper security audit requires. A proper audit is slow on purpose. It is thorough on purpose. It asks awkward questions on purpose. The moment you optimise that process for efficiency, you are optimising away the part that actually protects you.
This is not an argument against AI in general. AI has legitimate uses across dozens of business functions. But when it comes to verifying whether your business is genuinely secure, a platform that has never seen your office, never spoken to your team, and never looked at your actual systems is not an auditor. It is a report generator.
And a report is not security.
- AI-native compliance optimises for speed and scale, which is the opposite of what a proper audit requires
- No platform can replace someone walking into your office and asking awkward questions
- AI can check whether a box is ticked but cannot check whether the box should have been ticked in the first place
What Does This Mean for Your Business?
If you are a small or medium-sized business, this story matters to you in two very direct ways.
First, if you rely on supplier certificates as proof of security. Many businesses choose suppliers partly based on the security badges on their website. That is not unreasonable. But this case shows that a badge, on its own, tells you very little. The breached company had better certificates than most of your suppliers will ever have. It did not matter. If you are not asking deeper questions about how a supplier actually handles your data, you are trusting a logo instead of a process.
Second, if you are being asked to get certified yourself. More and more small businesses are receiving security questionnaires from larger clients. Cyber Essentials, SOC 2, ISO 27001. These are becoming table stakes for winning and keeping contracts. The temptation is to find the fastest, cheapest route to the badge. And there is no shortage of platforms promising exactly that.
But the LiteLLM case shows what happens when businesses take the fast route. They end up with a certificate that looks like every other certificate, backed by a report that reads like every other report, describing controls that may or may not exist in their actual environment. And when something goes wrong, that certificate does not protect them. It exposes them. Because now they have a document on file that says they had controls in place, when they did not.
The compliance is not just unhelpful at that point. It is a liability.
- If you rely on supplier badges as proof of security, you are trusting a logo instead of a process
- If you take the fastest route to certification, you may end up with a document that exposes you rather than protects you
- A certificate that says you had controls in place when you did not is a liability, not an asset
Why Small Businesses Need a Human in the Loop, Not Another Platform
The gap between compliance and actual security is not a technology problem. It is a knowledge problem.
A platform can generate a report. It cannot understand that your business has three offices sharing a single admin account because nobody ever set up individual logins. It cannot spot that your IT provider set up multi-factor authentication on your email but not on the system that holds your client data. It cannot notice that you are paying for 40 software licences when only 22 people work at the company.
These are the things that separate a business that is genuinely secure from one that merely has the paperwork to say it is. And they are things that only a human being, someone who understands both the compliance framework and the reality of how a small business actually operates, can catch.
Small and medium-sized businesses do not need another dashboard. They do not need another automated platform promising to handle their compliance in a few clicks. They need someone who will sit down, look at how the business actually works, and close the gap between what the report says and what is really happening. That is what IT consulting should actually look like.
That is not a product. It is a service. And it is the difference between a certificate that protects your business and one that merely decorates your website.
- Platforms cannot spot that three offices share one admin account or that a former employee still has access
- Only a human who understands both the framework and how your business actually operates can close the gap
- What you need is a service, not another dashboard
Is Compliance Worth It at All?
Yes. But only if it is done properly.
Compliance frameworks like Cyber Essentials, SOC 2, and ISO 27001 exist for a good reason. They force businesses to document how they handle security. They require evidence. They create accountability. Done well, the process of getting certified genuinely improves how a business protects itself and its clients.
The problem is not the frameworks. The problem is an industry that has made it too easy to get the badge without doing the work. If you are considering Cyber Essentials, our plain-English guide to Cyber Essentials certification explains what the process should actually involve.
When a compliance platform can produce hundreds of near-identical reports, something has gone fundamentally wrong. Not with the concept of compliance, but with the way it is being delivered.
Here is a thought worth sitting with: a business that is genuinely secure but has no certificate is in a better position than a business that is certified but exposed. The first business might struggle to prove its credentials on a questionnaire. But it will not be the one explaining to its clients why their data was compromised despite the badge on the wall.
The certificate should be the proof of the work. Not a substitute for it.
- Compliance frameworks are valuable, but only if the work behind them is real
- A genuinely secure business without a certificate is better off than a certified business that is exposed
- The certificate should be proof of the work, not a substitute for it
At Blue Icon IT, we help small and medium-sized businesses close the gap between compliance and real security. Not with a platform. With people who understand your business, your risks, and what it actually takes to protect your clients and your reputation. If you are preparing for Cyber Essentials, SOC 2, ISO 27001, or facing your first security questionnaire from a bigger client, get in touch.