But logging into the DB-server via ssh as root and copying /var/lib/mysql/? That sounds like an unnecessary amount of work for an attacker (but is easy to do for an insider).

Not really, you only need a priviledge escalation exploit. Most companies aren't very dilligent in updating their servers and it's not that hard to enter via a known exploit.