The engineer that stole the data should have needed to collaborate with at least one peer to exfiltrate it. There should be no way for any individual to take this data and clear himself from the audit logs. Segregation of duties in this instance should have made it possible to detect the event quicker and attribute it to this particular employee.