
I worked there. I was an engineer and definitely needed access to these data. Fraud and abuse is constantly evolving and touches every part of the business. Everything was audited and I never saw or heard of a single abuse of access. Privacy was talked about seriously at onboarding and other trainings. I have no doubt if somebody was caught abusing this they’d be fired.


Why do you need access as an engineer? Databases for testing should have all sensitive information removed (you can still debug errors). I cannot think of many cases where an engineer will need to have read access to the production database.


The article is indicating that what you are saying is at least not universally true in Lyft.


It's really difficult to audit all this stuff. I was at a health insurance company where someone used su to go to a different user on a box they had root on and it did get picked up by the security team, but only a few weeks after it happened.

I was offered a security job at one shop and turned it down, keeping my development role. They had 3 security people for the company (total IT size was 500) and it involved a ton of log parsing, DDoS work, and they were starting to develop an internal whitelisting application tool. They wanted to bring me on because they desperately needed a developer to add some automation parsing the important from the chaff. (A younger me would have probably done this back when I wanted to be a Pen-tester. I only got interviewed/offered the position because I made the mistake of talking about going to Defcon on a company Slack channel and the security guy insisted I interview).



