"Parts of Mandrill's infrastructure are hosted with Amazon Web Services (AWS), and we use EC2 Security Groups to control access."
then "As a result, a cluster of servers hosting Mandrill's internal application logs was made publicly accessible instead of allowing internal-only access."
Does this mean that security groups (i.e. firewalls) are the only line of defense between _the internet_ and customer data?
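An added example, not part of this thread or of Mandrill's post: an offline audit of EC2 security-group ingress rules that flags the misconfiguration the quoted post describes, a group that lets 0.0.0.0/0 or ::/0 reach anything other than ports meant to be public. The group names, port numbers and the allow-list of public ports are constructed for illustration; the input shape is that of the `SecurityGroups` list returned by EC2 `DescribeSecurityGroups`, so the same function can be pointed at a real `boto3` response.

```python
"""Audit EC2 security-group ingress for rules that expose internal services to
the whole internet. Runs offline against a constructed DescribeSecurityGroups
response shaped like boto3's ec2.describe_security_groups()["SecurityGroups"].
"""
from ipaddress import ip_network

# Hypothetical policy: only these ports may be open to the world.
PUBLIC_OK_PORTS = {80, 443}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix of length 0."""
    return ip_network(cidr, strict=False).prefixlen == 0


def port_span(perm: dict) -> tuple:
    """Ports covered by one IpPermission entry. Protocol "-1" means all
    protocols and all ports, and such entries carry no FromPort/ToPort."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_ingress(groups: list) -> list:
    """Return one finding per (group, rule, CIDR) that lets the whole internet
    reach a port outside PUBLIC_OK_PORTS."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = port_span(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue  # scoped to some network; not an internet exposure
                # all() short-circuits on the first non-public port, so a
                # 0-65535 span is rejected on port 0 without scanning the range
                if all(p in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
                    continue
                findings.append({
                    "group": sg["GroupId"],
                    "name": sg.get("GroupName", ""),
                    "protocol": perm.get("IpProtocol"),
                    "ports": (lo, hi),
                    "cidr": cidr,
                })
    return findings


# Constructed sample: a web tier that is legitimately public on 443, and a
# log cluster (hypothetical names/ports) with one internal-only rule, one rule
# accidentally opened to IPv4 everyone, and an all-traffic rule open to IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0001", "GroupName": "web-frontend",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-0002", "GroupName": "app-logs",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "-1",
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
]

if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['protocol']} "
              f"{f['ports'][0]}-{f['ports'][1]} open to {f['cidr']}")
```

On the constructed input the web group passes and the log group produces two findings, the 9200/tcp rule open to 0.0.0.0/0 and the all-traffic rule open to ::/0. This is only a detective check on the firewall layer; it does not answer the question above about what sits behind it.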
Leaving aside the time from incident to post, this is an excellent example of incident disclosure. Technical detail, complete list of mitigation actions, specific info on what may have been compromised, and what they're doing to ensure it doesn't happen again. They don't need to use the old "we take your privacy seriously" cliché; their disclosure and actions prove it.