Sumsub, European KYC third party company, suffers a data leak.

To cybersecurity experts: Is there any way the set up of databases can be set up such that a leak cannot happen? Doesn’t it all depend on the cloud architecture, E2EE, mandatory 2FAs, etc.? Is this really that hard to ensure?