Here's a non-paywall version (for those wanting to see the full WaPo article)
The more basic explanation is that everyone's stuff is already in "the cloud". The article's use of the phrasing "on a digital cloud" sounds like a person who perhaps is trying to toss around techy lingo, but perhaps doesn't understand the concept. Something being "on the cloud" doesn't mean that's it's just sitting in a publicly accessible file that anyone can go and easily download.
(and if you do business with any fortune 500 company, chances are your data is at the mercy of some IT employees who are between 19-22...some of which may not even be US citizens)
The more detailed explanation:
The "Cloud" merely refers to redundant geo-diversified servers (hosted by providers like Microsoft Azure or AWS) rather than hosting things in an "on-prem" environment. If I were to spin up a new vanilla server instance on Azure... short of creating it with an extremely easy username and password to guess and intentionally trying to leak access to it, it's very well protected even with just picking mostly default settings. (It's already behind a firewall, encryption is standard, and network isolation and MFA is already baked in)
"Cloud" ≠ "wide open to the internet, just go to this URL and download a spreadsheet"
They note that there's no evidence of a breach (which isn't surprising, because if someone figured out a way to hack Azure or AWS at the platform level and access everyone else's instances, the whole world would be in a lot of trouble)
Per NPR:
The copy of the data appears to have been set up inside the SSA's existing cloud infrastructure, which operates on Amazon Web Services. In an email statement to NPR, the Social Security Administration said that its data remains secure. "The data referenced in the complaint is stored in a long-standing environment used by SSA and walled off from the internet," the statement reads in part. "We are not aware of any compromise to this environment"
It seems like the main concern here is that procedural steps weren't followed.
For instance, at my company, we have to do some additional "hardening" and monitoring/auditing in order to remain PCI and HIPAA compliant. But those measures aren't out of concern that someone is going to breach Azure, they're actually safeguarding against insiders who may know a shared service account password. For example, if IT Employee "Joe Shmoe" leaves the company and decides to go work somewhere else, we need to make sure his access gets disabled, and rotate out the keys for any shared service accounts he would've had access to.
So, in this case, the primary issue is that they spun up a new VM instance without going through the proper procedures, which means that it wouldn't have been on radar for things like data retention policy enforcement, and access management changes when attrition occurs.
