Call me Mr Cynical
Having worked for many years in the retail sector, most of the senior managers believe that the majority of theft is actually carried out by staff. Not so much in terms of numbers of thefts but in amount of money / goods taken. It's been that way for a long time and based upon my own experience, it's probably valid.
Is that any different with online retailing? At first glance, the answer would be no; the cases highlighted tend to involve people working for criminal gangs in Eastern Europe, Africa or Asia. But they don't tend to say too much about where some of the information originally came from. Call me cynical, but in several cases it seems likely that at least some of the information came from an inside source that highlighted where vulnerabilites could be found.
The reality is that everyone has their price; many will argue otherwise, but they are fooling no-one but themselves. It starts with a company pen, photocopying minutes of the football club committe meeting, phonecalls to people for non company use. These are often viewed as just "perks", part of the job, no harm done to anyone. But soon they become seen as "rightful" use; and people can get upset if they are questioned over the amount that they take.
What started as a box of matches to light a cigarette, became a weeks groceries for some managers in supermarkets and resulted in a number of my then colleagues getting fired. Often, an argument is made "If they paid us better, we wouldn't have to do it"; sorry, complete BS. Many of the worst offenders were people on the highest wages.
When you consider how much the criminals make from their thefts, it wouldn't cost them a great deal to buy someone on the inside. For example £250k to a programmer for details on a few lines of code could net them tens of millions. And I think it pretty likely that they could find people to offer them the details for a lot less than that.