Some of the biggest gaps are within backup files or test databases containing production data. Log, configuration, control, and script files could also be potential sources of sensitive information. The Verizon Business 2011 Payment Card Industry Compliance Report: Losing track of regulated data is one of the No. 1 reasons for unnecessarily increasing the scope of a PCI audit. The Yahoo Voices and LinkedIn data breaches show what was taken in both incidents was likely old data stolen from somewhere other than these organizations’ main production systems.”]
Source: https://www.darkreading.com/database-security/mastering-your-data-flow-mojo