I’m sorry, I assumed he was a sysadmin or equivalent. I got confused about this at some point.
A contractor is like an ordinary user. It’s possible to secure a network against malicious users, although very difficult. However, it requires that all the insiders be united in a thoroughly enforced preference of security over convenience. In practice, convenience often wins, bringing in insecurity.
What do you think are the odds that his job required accessing these lists and copying them?
Well, his own words that you quote (“that is why I accepted that position”) imply that this access was required to do the job, since he knew he would have access before accepting the job. The question then becomes, could he have been stopped from copying files outside the system? Was copying (some) files outside the system part of his job? Etc. (He could certainly have just memorized all the relevant data and written it down at home, but then he would not have had documentary proof, flimsy and trivially fakeable though it is.)
It’s possible to defend against this, but hard—sometimes extremely hard. It’s hard to say more without knowing what his actual day-to-day job as a contractor was. However, the biggest enemy of security of this kind is generally convenience (the eternal trade-off to security), followed by competence, and then followed distantly by money.