The data was stored in a publicly accessible MongoDB database that required no password or authentication to be accessed. The database was hosted on an Amazon cloud server, outside of Mexico (in the US).
It’s not about where the data was hosted, but how secure it was. Having a MongoDB without a password is definitely a bad thing and, funnily enough, more common than it should be; hosting data outside your country where your law doesn’t allow it is also bad; and finally, not having that information encrypted is even worse. Implicitly saying that it was AWS’s fault or that they should do something about it is like blaming Tesco for your flavourless banana.