EU Commission Cloud Breach Shows Why Access Controls Matter for Financial Data

The European Commission just had 350 gigabytes of data stolen from its Amazon Web Services account — and AWS says its own systems worked fine. The breach, confirmed by BleepingComputer on 27 March, saw threat actors access databases, internal documents, and reportedly even an email server. The kicker: AWS pointed the finger squarely at the Commission’s own account configuration.

For Australian wealth managers and financial advisers storing client data in the cloud, this is a useful reality check. The breach wasn’t caused by some exotic zero-day exploit. It came down to how the cloud account was set up — likely weak credentials, insufficient access controls, or misconfigured permissions. That’s exactly the kind of thing that trips up smaller firms who moved to cloud platforms without locking down the basics. Under APRA’s CPS 234 and the evolving Privacy Act requirements, financial services firms are expected to maintain robust information security controls regardless of whether data sits on-premises or in a third-party cloud.

The lesson is practical: review your cloud access controls. Enforce multi-factor authentication on every admin and user account. Audit who has access to what, and revoke permissions that aren’t needed. If you’re using AWS, Azure, or Microsoft 365, check that your security configurations actually match your firm’s risk profile rather than sitting on vendor defaults.
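One way to start that audit on AWS is the IAM credential report, which you can produce with `aws iam generate-credential-report` and `aws iam get-credential-report`. The script below is an added example, not code from any vendor or from the breach reporting. It reads a report and flags accounts without MFA, active root access keys, and access keys that are old or never used. The sample rows, user names, and the 90-day threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column format of the IAM credential report
# (subset of columns; user names and dates are invented for this example).
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,false,true,2023-01-10T00:00:00+00:00,2025-02-01T00:00:00+00:00,false,N/A,N/A
adviser.alice,true,true,false,N/A,N/A,false,N/A,N/A
adviser.bob,true,false,true,2025-02-20T00:00:00+00:00,N/A,false,N/A,N/A
svc-backup,false,false,true,2024-03-01T00:00:00+00:00,2025-03-01T00:00:00+00:00,false,N/A,N/A
"""

def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, finding) tuples for weak access controls in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_mfa = row["mfa_active"] == "true"
        if is_root and not has_mfa:
            findings.append((user, "root account has no MFA"))
        elif row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root access key {n} is active"))
            rotated = row[f"access_key_{n}_last_rotated"]
            if rotated != "N/A":
                age = (now - datetime.fromisoformat(rotated)).days
                if age > max_key_age_days:  # assumed threshold, set per policy
                    findings.append((user, f"access key {n} is {age} days old"))
            if row[f"access_key_{n}_last_used_date"] == "N/A":
                # An active key nobody uses is a candidate for revocation.
                findings.append((user, f"access key {n} has never been used"))
    return findings

if __name__ == "__main__":
    now = datetime(2025, 3, 27, tzinfo=timezone.utc)
    for user, issue in audit_credential_report(SAMPLE_REPORT, now):
        print(f"{user}: {issue}")
```
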

All IT Services supports financial services firms with cloud security reviews and access management aligned to APRA CPS 234 and Essential Eight frameworks.
