I propose this scenario :
An internal IT jockey has a project and needs to test some functionaity. He goes to his boss and gets approval for a bucket. He loads demo data on it, nothing important or critical, no customer data. Security is not important, testing functionality is, so he keeps his life simple and doesn't lock anything down.
He does his tests, bugs out and leaves the bucket for another round of testing later on.
Meanwhile, pentesters happen upon the bucket, alert the meadia, articles screaming bloody murder are written, and the IT guy quietly activates security on the bucket thinking "bloody hell, what a lot of hot air for nothing".