They could just hack their devices remotely, or physically break into his residence. I suspect a serial leaker will lack neither the discipline to not copy data onto personal devices, nor the opsec to withstand a motivated nation-state, since a lot of the work seems rushed, and is off playbook.
Perhaps giving an inexperienced script kiddie full access was part of a broader plan to allow someone else to covertly “steal” the data without directly implicating those in charge.
