Every serious breach (bar the buggery) I've ever ever suffered has been clearly internal (OK, technically that applies to the buggery too).
But siriusly, I do suspect the larger part of all data breach is internal. And why not? Pay the poor sods fuck all, give them the potential to gather enough data to sell, and who can blame them for doing so?