> We believe that a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure. When this was discovered, we immediately addressed the configuration vulnerability and verified there are no other instances in our environment.

In other words, someone didn't put a password on their S3 database exposed to the internet...

> No bank account numbers or Social Security numbers were compromised, other than: About 140,000 Social Security numbers of our credit card customers About 80,000 linked bank account numbers of our secured credit card customers

This kind of double speak should double their fine.