If the services can't be modified to load their config directly from env vars, write the config to an off-root scratch volume (e.g. mounted to /tmp/) and have them load from that. The root volume should be mounted read-only either way to prevent modification of your services should something get RCE.
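One way to apply the advice in the comment above, as an added example rather than the commenter's own code: an entrypoint that refuses to start unless the root volume is read-only and the scratch directory is a separate mount, then renders the config file from env vars before handing over to the service. The names `APP_DB_URL`, `APP_API_KEY`, `APP_CONFIG`, `SCRATCH_DIR`, `MOUNTS_TABLE` and the `app.conf` layout are assumptions.

```sh
# Added example. APP_DB_URL, APP_API_KEY, APP_CONFIG, SCRATCH_DIR and
# MOUNTS_TABLE are hypothetical names, not taken from the comment above.

# Constructed sample of a /proc/mounts table: read-only root, tmpfs scratch.
sample_mounts() {
    printf '%s\n' 'overlay / overlay ro,relatime 0 0' \
                  'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'
}

# mount_has_opt MOUNTPOINT OPTION [TABLE]: succeeds when the last entry for
# MOUNTPOINT (later mounts shadow earlier ones) carries OPTION.
mount_has_opt() {
    awk -v mp="$1" -v want="$2" '
        $2 == mp { opts = $4 }
        END { n = split(opts, o, ",")
              for (i = 1; i <= n; i++) if (o[i] == want) exit 0
              exit 1 }' "${3:-/proc/mounts}"
}

# is_own_mount MOUNTPOINT [TABLE]: succeeds when MOUNTPOINT is a separate
# mount, i.e. the scratch directory is not just a directory on the root volume.
is_own_mount() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# render_config DIR: write the file the service reads. Runs in a subshell so
# the umask change and a failed ${VAR:?} check stay contained.
render_config() (
    : "${APP_DB_URL:?not set}" "${APP_API_KEY:?not set}"
    umask 077                                  # owner-only file
    tmp=$(mktemp "$1/app.conf.XXXXXX") || exit 1
    printf 'db_url=%s\napi_key=%s\n' "$APP_DB_URL" "$APP_API_KEY" > "$tmp"
    mv "$tmp" "$1/app.conf"                    # atomic: no partial config
)

# entrypoint CMD...: refuse to start unless / is read-only and the scratch
# directory is its own mount, then hand over to the service.
entrypoint() {
    scratch=${SCRATCH_DIR:-/tmp} table=${MOUNTS_TABLE:-/proc/mounts}
    mount_has_opt / ro "$table" || { echo "root volume is writable" >&2; return 1; }
    is_own_mount "$scratch" "$table" || { echo "$scratch is on the root volume" >&2; return 1; }
    render_config "$scratch" || return 1
    unset APP_DB_URL APP_API_KEY               # secrets now live only in the file
    export APP_CONFIG="$scratch/app.conf"
    exec "$@"
}

if [ "${1:-}" = "--run" ]; then shift; entrypoint "$@"; fi  # entrypoint.sh --run CMD...
```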
"Breached data still breached" - The only new thing in this article is that someone was stupid enough to believe Experian when they said the data had been "recovered".