Data theft in wireless sensor networks could prove disastrous and most of the time gets undetected due to no apparent abnormal behavior of malicious nodes. To counter such attacks, we propose an anomaly based distributed data-theft detection protocol. Our approach works at the MAC layer by effectively measuring the MAC control packets. In this paper, we present a novel detection metric, a centralized and a gossip-based distributed protocol whereby a network can self-heal itself of such malicious nodes. Our performance evaluation defines how we measure the rate of detection and false positives rate and shows that our approach to detect malicious nodes is reliable, inexpensive and accurate.