In more than two decades of reviewing and signing SOC 2 reports, I have seen both the value they bring and the blind spots they can create. A SOC 2 report can demonstrate control maturity that reassures customers and partners. It can also mislead executives and boards into thinking a clean audit opinion means their organization is fully protected. Even with SOC 2 attestations in place, organizations can still suffer breaches that expose data, damage trust, and undermine compliance programs. SAV Associates has seen this misunderstanding often, where the report becomes a box-checking exercise instead of a governance tool.
SOC 2 remains the most requested assurance report for technology vendors in North America. It assesses whether controls related to security, availability, confidentiality, processing integrity, or privacy are in place and operating. Too often, boards treat SOC 2 as the finish line in security assurance rather than a baseline. SAV Associates advises that boards should never equate a clean opinion with complete protection, because real resilience depends on scope, monitoring, and governance oversight.
Drizly (Uber): Overlooking the Basics
Drizly, acquired by Uber in 2021, suffered a breach in 2020 that compromised 2.5 million customer records. Attackers exploited stolen developer credentials from GitHub, gaining direct access to customer data stored in Drizly’s cloud.
The lapses were fundamental: no multi-factor authentication, plaintext credentials in repositories, and excessive developer access. The company lacked a dedicated security leader and had no monitoring for suspicious activity. The U.S. Federal Trade Commission found Drizly had been aware of similar weaknesses since 2018 but failed to fix them.
Uber maintained its own SOC 2 reports, but those assurances did not extend to Drizly’s practices. The audit scope excluded the subsidiary’s systems and development environment. SAV Associates regularly encounters this mistake in boardrooms. The SOC 2 report only covers what is inside the audit scope. If a subsidiary or development environment is excluded, that is often where attackers strike. Boards must connect the assurance scope to real business risk.
LastPass: Out-of-Scope Weak Points
LastPass, a leading password manager, listed multiple certifications, including SOC 2 Type II, SOC 3, and ISO 27001. In 2022, the company disclosed a breach that compromised customer vault backups and unencrypted metadata.
Attackers first gained access through a compromised developer account, then pivoted to a third-party cloud storage service where customer backups were kept. Finally, they installed a keylogger on a senior DevOps engineer’s home computer, capturing the master password for the corporate vault that held decryption keys. Multi-factor authentication was in place, but could not stop direct credential theft.
The likely SOC 2 scope covered production systems and corporate IT controls, but not personal employee devices or all cloud backup environments. These out-of-scope areas are often where attackers succeed. SOC 2 can confirm that controls are operating, but it cannot promise that everything important is covered. Out-of-scope systems, vendors, and individuals often remain the biggest exposures.
Common Themes in Both Breaches
Drizly and LastPass show that SOC 2 is a minimum level of assurance, not a guarantee of security. The Canadian Centre for Cyber Security notes that SOC examinations are limited auditor opinions and do not provide a complete assessment of governance.
The recurring weaknesses are clear:
- Scope limitations where subsidiaries, development systems, or backups are excluded from review.
- Reports that only provide assurance at a point in time, not after the audit ends.
- Third-party and human factor risks, such as vendor systems or employee personal devices.
- Misinterpretation by leadership where a clean SOC 2 opinion is viewed as full protection.
SAV Associates has seen these issues across industries, where over-reliance on SOC reports leads to blind spots. A clean SOC 2 opinion is only one input. Boards should be asking where the assurance stops and what residual risks remain once the report ends.
Recommendations for Boards and Executives
- Align SOC 2 scope with real business risk. Ensure that audits cover critical systems, including subsidiaries, development environments, and backups. If using service providers, review their SOC reports.
- Read the full SOC 2 report. Do not rely on the cover letter alone. Review findings, exceptions, and what was excluded.
- Implement continuous monitoring. Use automated tools to detect credential leaks, monitor unusual access, and validate controls between audit periods.
- Extend oversight to third parties and individuals. Vendor systems and high-privilege personal devices must be part of assurance if they connect to sensitive data.
- Treat SOC 2 as the floor, not the ceiling. Complement it with penetration testing and ongoing internal reviews.
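The Drizly lapse described above (plaintext credentials in repositories) and the recommendation to detect credential leaks between audit periods come down to one concrete, repeatable control. The following is an added example, not SAV Associates' tooling and not code from any company named on this page: a small Python scanner that flags credential-shaped strings in files and reports them redacted, run here over a constructed sample config. The rule names, regular expressions, the 3.0 bits-per-character entropy cutoff and the sample values are assumptions; AKIAIOSFODNN7EXAMPLE is the placeholder access key id used in AWS documentation.

```python
"""Secrets scanner for files and repositories (added example, not SAV
Associates' tooling). Flags credential-shaped strings so leaked developer
credentials are caught before they reach a repository, or found in one.
The rule set and the entropy threshold are illustrative assumptions."""
import math
import re
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    rule: str
    source: str
    line: int
    redacted: str  # never store or print the full secret


# (rule name, regex whose group 1 is the candidate secret, needs entropy check)
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), False),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), False),
    ("private-key-block",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"), False),
    # Generic assignments such as password = "..." are noisy, so the value
    # must also look random (entropy check) before it is reported.
    ("hardcoded-secret-assignment",
     re.compile(r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["']([^"']{8,})["']"""),
     True),
]

# Bits per character; assumed cutoff that skips placeholders such as "changeme".
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value to recognise it, never the whole thing."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_text(text: str, source: str) -> list[Finding]:
    """Run every rule over each line; return findings in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, needs_entropy in RULES:
            for match in pattern.finditer(line):
                value = match.group(1)
                if needs_entropy and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append(Finding(name, source, lineno, redact(value)))
    return findings


def scan_files(paths: list[Path]) -> list[Finding]:
    """Scan files on disk, e.g. a checked-out repository or a CI workspace."""
    findings: list[Finding] = []
    for path in paths:
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample of a developer config that should never be committed.
# AKIAIOSFODNN7EXAMPLE is the placeholder key id from AWS documentation.
SAMPLE_CONFIG = """\
# constructed sample config
db_host = "db.internal.example"
db_password = "changeme"
api_key = "x7Qp9sL2vB4nK8mZ"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "config.ini"):
        print(f"{f.source}:{f.line} [{f.rule}] {f.redacted}")
```

Run it as a pre-commit hook or a CI job over the checked-out tree (scan_files), and point it at the repositories and development environments that sit outside the SOC 2 scope, since those are where the breaches above began. The entropy gate is what stops generic password = "..." matches from burying real findings under placeholders; the threshold and rule list should be tuned to the repositories you actually have.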
SOC 2 is a valuable tool, but only if you interpret it as the beginning of governance, not the end. Boards that complement SOC 2 with ongoing monitoring and vendor oversight create true resilience.
Conclusion
SOC 2 remains useful, but it is only one piece of the security picture. Breaches at Drizly and LastPass show how risk persists when subsidiaries, backups, or individuals fall outside the scope. SAV Associates helps organizations go beyond audit reports by aligning SOC 2 with enterprise risk, building monitoring frameworks, and closing gaps in vendor and subsidiary environments.
In modern governance, that context is the difference between a certificate on the wall and actual resilience. SAV Associates provides the tools to help boards make that shift before the next breach forces the lesson.