Comment by Aperocky

I think your understanding is true, unless the claimant elaborate what those data is and how his team got it, I do not understand how it would have worked.

Access records for public services have a very detailed iam audit trail that logs people who accessed what at what time, and service teams don't get to just jump around that. Maybe they can see some metadata but certainly not actual data in an S3 bucket somewhere.