Let’s say I own a company like Shopify. I have an agreement with my customers: I won’t use consumers’ personal details for anything other than processing orders. Sure, I have the technical authority to poke around in the database if I so desire. I could technically take all that data and sell it to the highest bidder. That doesn’t mean I’m legally or procedurally authorized to do so.
Employees have procedures they are expected to follow. Many employees have significant permissions to access data. It’s unreasonable to bar all employees from accessing sensitive data at a technical level; people need to be able to fix problems when things go wrong. If a group of developers conspire to push malicious or faulty changes to production, including the developers who are supposed to be reviewing code and preventing such things from happening, that doesn’t change the fact that they are not authorized to exfiltrate data.
You can go online and buy a set of keys used by first responders. For $25, you can get into just about any commercial building. Are you authorized to actually use those keys on someone else’s property? Not without a contract, but that doesn’t mean there’s a technical barrier in place.
Let’s talk about Shopify’s datacenters! They probably colocate or use a cloud service or whatever. Ultimately, data is stored in datacenters. Someone like Deviant Ollam will have no trouble waltzing right in the front door. He might already have the keys. Or maybe he colocates at the same datacenter, getting him a good chunk of the way there. Is he legally authorized to access customer data, despite having the tools at his disposal to access it with minimal difficulty and likely no digital hackery? No, he is not.
> It’s unreasonable to bar all employees from accessing sensitive data at a technical level
This is the heart of the confusion. Sensitive data must be locked down (e.g., encrypted) and access tightly controlled so only employees with a legitimate purpose have read access. Since this is a "technical" solution to the problem, I would label the original data breach a "technical" vulnerability.
On the other hand, the "developers conspire to push malicious or faulty changes to production" scenario is not a technical vulnerability; it falls into the category of deceit/fraud à la social engineering. Of course there are technical means you could try to foil exfiltration, but generally this sort of attack is prevented by non-technical means, e.g., code review.