It’s going to happen. Someone, somewhere, is going to deliberately compromise security and abuse their position as an administrator. Hopefully it doesn’t happen at your company, but the longer you are in IT, the better chance you have of being around when a “security DR event” occurs.
This article talks about IT people going bad, and it happens more often than we hear about. Many companies don’t want to disclose these types of events, and it’s possible one happened in your organization already.
This is nothing new. In every industry in which I’ve worked there have been people that take advantage of loopholes in systems and processes to engage in criminal activity. I have had liquor stolen from bars and lumber from a warehouse. We can’t prevent all of these activities, and companies know this. Usually there is a line in your accounting system that marks these losses as some cost of doing business.
As with many external hacking issues, companies are likely to try and prevent anyone from finding out about these activities outside of the company. That’s not a great solution for anyone, since often these employees are let go and hired by the next company who has no idea what the person they just hired has done.
You shouldn’t participate in these activities, and you ought to turn in those that do. However I know many people find that harder to do when confronted by this situation. At the very least, if you turn a blind eye, don’t help prolong a bad IT person’s career in this business. Don’t give them any sort of recommendation, and don’t include them in your personal network in any way.