What are the repercussions if a data breach happens while trying to achieve SOC2?

What are the legal implications if a data breach happens? Are there fines associated with SOC2 and data breaches?

  • SOC 2’s purpose is not to discover data breaches. It is to ensure there are processes around security.
    If there was a data breach, the way this will come into the SOC 2 is that the company would have identified it through their incident response process. Therefore, the auditor will test the way in which the company responded to the breach and resolved it.
    SOC 2 auditors will only test what’s made available to them, so if the company does not disclose the event of a data breach, the auditor will not have a way of finding that out. That’s why in the SOC 2 report, the auditor opinion (section 2 of the report) clearly states that the opinion of the report is based solely on the information provided by management.
    As part of the SOC 2 report, the auditor also obtains a “Management Representation Letter” that is signed by management (the company), to basically say: we have truthfully represented all the information provided to the auditor.
    So, if the customer hides a data breach from the auditor, it’s not the responsibility of the auditor to discover it in their SOC 2. The auditor is responsible for finding flaws in the established process. As far as SOC 2 is concerned, there is no fine there, except that the auditor will issue another report with a “qualified” opinion (i.e. fail) that says that management did not disclose all the facts, and therefore the SOC 2 report cannot be relied upon.
    This is basically a bad SOC 2 report to have, but no fine. In general, data breaches are supposed to be reported to the applicable authorities. If a company fails to do so, then there are fines and penalties to pay. HIPAA and GDPR deal with data breaches instead of SOC 2.
    HIPAA has fines for failure to report data breaches.
    GDPR fines can be 2% of the annual revenue.

