To be fair (?!) ...
... there is a bigger issue in play here than routine Uber shysterism,
accessed user data stored on a third-party cloud-based service that we use
... and there it is. Admittedly, the Amazon S3 user interface can be viciously user-hostile in places, but the real issue is that they were offloading unencrypted, personally identifiable data into a "cloud" in the first place. In cases like Equifax the miscreants have to go to the trouble of spearfishing the target, but these passive (or more accurately, actively stupid) leaks almost invariably have a cloud (usually AWS) at the core.
GDPR should have been worded to explicitly outlaw the transmission and storage of unencrypted personal data outside of a company controlled network. S3 makes a perfectly good 21st-century tape cupboard for storing offsite encrypted backups, but for "live" data it is an accident waiting to happen (over and over again).