We’ve just had a leak of 900,000 national identifier numbers here in Denmark. That’s about 16% of the total population, so it’s pretty big. These numbers are unique identifiers for a person (similar to Social Security Numbers) and are a good starting point for identity theft.
Never ascribe to malice that which can adequately be explained by incompetence.
So how did these numbers leak? Through plain incompetence and lack of procedures. It seems that someone at “A global leader in providing technology enabled business solutions and services” was behind schedule, so they published an intermediate file that hadn’t been completely processed (the confidential personal identifiers had not been stripped out). And nobody cared to check the file before it was published.
Your problem might not be malicious insiders, but simply sloppy operators and poor procedures. Do you have manual, unverified workflows where one person can make your company the laughing-stock of a country?
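The check nobody ran on that intermediate file can be automated as a gate in the publishing step. The sketch below is an added example, not part of the original post or anything the company involved used; it assumes the Danish identifier layout DDMMYY-SSSS, and the function names and sample rows are constructed for illustration.

```python
import re
from datetime import date

# Ten digits with an optional hyphen after the six-digit date part,
# not embedded in a longer run of digits (order numbers, timestamps).
CANDIDATE = re.compile(r"(?<!\d)(\d{2})(\d{2})\d{2}-?\d{4}(?!\d)")


def _plausible_day_month(dd: str, mm: str) -> bool:
    # Year 2000 is a leap year, so 29 February is accepted on purpose:
    # a release gate should over-match rather than under-match.
    # No checksum test is applied, because identifiers without a valid
    # modulus-11 check digit are in circulation.
    try:
        date(2000, int(mm), int(dd))
        return True
    except ValueError:
        return False


def find_identifiers(text: str) -> list[tuple[int, int]]:
    """Return (line number, offset) of every identifier-shaped token.

    Only positions are reported so the scan report does not itself
    become a copy of the confidential values.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            if _plausible_day_month(m.group(1), m.group(2)):
                hits.append((line_no, m.start()))
    return hits


def safe_to_publish(text: str) -> bool:
    """Gate for the publishing step: refuse any file with a hit."""
    return not find_identifiers(text)


# Constructed sample: rows 1 and 3 still carry identifiers, row 2 holds a
# 14-digit order number, row 4 a ten-digit value with an impossible date.
SAMPLE = (
    "id,name,ref\n"
    "1,Test Person A,010190-1234\n"
    "2,Test Person B,order 12345678901234\n"
    "3,Test Person C,3112851111\n"
    "4,Test Person D,991399-0000\n"
)

if __name__ == "__main__":
    print(find_identifiers(SAMPLE), safe_to_publish(SAMPLE))
```

Wired into the publishing job so that a non-empty result blocks the release, the decision no longer depends on one person under deadline pressure remembering to look.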