Where SOC 2 Fell Short: Two Case Studies in Assurance Gaps and Operational Exposure

By Sanjay Chadha

Even organizations with SOC 2 certifications can suffer costly breaches. Explore two real-world case studies — Drizly and LastPass — to understand where SOC 2 assurance falls short and how boards can close the governance gap.

The False Comfort of a Clean SOC 2 Report

After two decades of reviewing and signing SOC 2 reports, I’ve seen both their value and their limits. A SOC 2 audit can demonstrate control maturity, helping organizations build trust with clients and partners. But it can also foster a false sense of security at the board level.

A clean SOC 2 opinion is often interpreted as full protection — when in reality, it reflects assurance only within the defined audit scope. Many organizations still experience breaches even after achieving SOC 2 compliance because the attestation becomes a box-checking exercise rather than a governance tool.

SOC 2 remains the most requested assurance report among technology vendors across North America. It evaluates controls related to security, availability, confidentiality, processing integrity, and privacy. But too often, boards treat SOC 2 as the finish line in security assurance rather than the baseline for continuous improvement.

At SAV Associates, we remind leadership teams: a clean opinion is not the same as a resilient operation. True assurance depends on the scope, frequency, and governance around those controls — not merely the auditor’s signature.

Case Study 1: Drizly (Uber) — Overlooking the Basics

In 2020, alcohol delivery platform Drizly, later acquired by Uber, suffered a breach that exposed data from 2.5 million customers. Attackers gained access through stolen developer credentials hosted on GitHub, compromising customer data stored in Drizly’s cloud environment.

The security failures were basic but critical:

  • No multi-factor authentication

  • Plaintext credentials stored in repositories

  • Excessive developer access permissions

  • No centralized monitoring for suspicious activity

The U.S. Federal Trade Commission found that Drizly had been aware of these weaknesses since 2018 but failed to act.

Although Uber maintained its own SOC 2 reports, those assurances did not extend to Drizly’s systems or developer environments. The breach exploited precisely what was out of audit scope. SAV Associates often sees this disconnect in boardrooms: the SOC 2 report only covers what auditors test. If subsidiaries, development systems, or backups are excluded, those areas often become the easiest attack paths.

Key Lesson: Boards must connect SOC 2 scope to real business risk. If the audit doesn’t cover the environment where code or data resides, the assurance is incomplete.

Case Study 2: LastPass — Out-of-Scope Weak Points

LastPass, a leading password management provider, held multiple certifications including SOC 2 Type II, SOC 3, and ISO 27001. Despite this, the company suffered a major breach in 2022 that compromised encrypted customer vault backups and unencrypted metadata.

Attackers exploited a compromised developer account, then pivoted to a third-party cloud storage service where customer backups were stored. Eventually, they installed a keylogger on a senior DevOps engineer’s home computer, capturing the master password to the corporate vault.

While multi-factor authentication was in place, it could not prevent credential theft from a personal device. The SOC 2 scope most likely covered production and corporate systems, not personal employee endpoints or every cloud backup environment.

Key Lesson: SOC 2 confirms that tested controls are working — but says nothing about what wasn’t tested. Out-of-scope vendors, devices, and backup systems often remain the most vulnerable.

Common Themes in Both Breaches

The Canadian Centre for Cyber Security has noted that SOC 2 examinations are limited in nature: they provide assurance over specific controls, not an enterprise-wide governance assessment.

Across both Drizly and LastPass, recurring weaknesses emerge:

  1. Scope limitations — Subsidiaries, developer systems, and backup environments are often excluded from the audit.

  2. Point-in-time assurance — A SOC 2 report reflects control performance during the audit period, not afterward.

  3. Third-party and human factors — Vendors and personal devices often escape oversight.

  4. Misinterpretation by leadership — Clean opinions are treated as comprehensive protection.

At SAV Associates, we’ve seen these patterns repeatedly. Over-reliance on SOC reports creates blind spots. A clean report is one input in governance, not a conclusion. Boards must ask the harder question: “Where does our assurance stop?”

Recommendations for Boards and Executives

To prevent SOC 2 blind spots, leadership should take the following actions:

1. Align Scope with Real Risk

Ensure the SOC 2 audit includes critical systems — especially subsidiaries, development environments, and backup repositories. Review third-party SOC reports for vendors that handle sensitive data.

2. Read Beyond the Cover Letter

Executives should review the entire SOC 2 report, including control exceptions and excluded areas. The details matter far more than the summary opinion.

3. Implement Continuous Monitoring

A SOC 2 report reflects only the audit period it covers. Continuous monitoring tools help detect credential leaks, abnormal access, or control drift between audit cycles.

4. Extend Oversight to Third Parties and Individuals

Include vendor systems, contractors, and high-privilege personal devices in governance. If they connect to corporate assets, they must be part of assurance.

5. Treat SOC 2 as the Floor, Not the Ceiling

Complement SOC 2 with penetration testing, internal audits, and framework mapping (e.g., NIST CSF or ISO 27001). True resilience comes from ongoing validation, not annual attestations.

Beyond Compliance: From Certificates to Governance

SOC 2 remains an essential tool for demonstrating security maturity, but it was never designed to guarantee enterprise protection. Both Drizly and LastPass illustrate how risk persists beyond the boundaries of an audit.

SAV Associates helps boards and executives go beyond compliance — by:

  • Aligning SOC 2 with enterprise risk management (ERM) frameworks

  • Building continuous monitoring and vendor governance programs

  • Integrating assurance findings into quarterly board risk reviews

True resilience means understanding where the certificate ends and where governance begins. SAV Associates helps organizations close that gap — before the next breach forces the lesson.

About SAV Associates

SAV Associates is a Canadian cybersecurity and assurance firm helping organizations strengthen governance, build compliance frameworks, and operationalize resilience.

Contact SAV Associates to evaluate your assurance coverage and identify hidden exposure across vendors, subsidiaries, and critical systems.
