I can imagine this happening very easily. Let's say a contractor is helping add a module to some web application...
"It worked on test, but not in production. It's supposed to be live already, what's the holdup? Fine, I'm not supposed to do this but I'll give him access to the live-server, read only, of course, since you have security clearance anyway. Plus, the data is in the DB, not on the application server. Ok, so now you have the whole /deploy folder, find the issue..."
"What do you mean you lost your laptop on the metro this morning? Fuck! Ok, well you only had access to the /deploy folder, but now I'm required to audit your laptop's backup to see if you had anything important, what a pain in the ass. Wait, what's this? There are all these XML files with personnel data in them in /deploy/api/xml/!!!!! Those files are supposed to be processed and removed from the web server, not stored! Shit!"