If you've somehow left access to a bucket open the odds are that you also have it configured to let anyone with access to the bucket decrypt the files. AWS calls this server side encryption, where S3 automatically encrypts and decrypts files for you. You can also do client side encryption, of course, but it's much more difficult to manage because you have to deal with keys in your application.
Well,SSE-KMS is not difficult to manage if you have sensitive customers data like Capital One does. I use it all the time. You can pretty much audit the buckets and see what is going on.
And if Capital One has used SSE-KMS on the buckets,we might not be talking about this data breach today.Incompetence? Complacency?