Yes, it actually takes some effort to leave an S3 bucket unsecured too.
If the bit about "their Hong Kong IT provider" is true, then it's time to find a new provider. It should be trivial to provide basic security for a cloud-based backup system, including encrypting the data at rest. This is inexcusable.