Why dismissed employees take revenge and what prevention measures to implement

17.12.2021

Back to blog list

By Alexey Drozd, head of the information security department, SearchInform.

The amount of news telling about employees taking revenge on their former employers seems to increase: "Sysadmin took revenge by destroying data and changing passwords", "Employee hacked the flight control system and allowed broken airplanes into the sky to take revenge on her former employer”. 

But how can an employee take revenge? 

Employees usually take revenge for ordinary things that they consider unfair: fines, payment disagreement, refusal to promotion, or dismissal. More than that, they can do it not just for themselves! "Vendetta" is also declared for unfair (in their opinion) treatment of their friends or relatives. 

For example, Florida case: a woman resigned from Melbourne Flight Training school after the CEO fired her father. Along with her dismissal, she deleted certain data in the Flight Circle app featuring technical characteristics of airplanes and malfunctions list which was used to control and track the aircraft. 

In our practice, there are also a bunch of gripping stories of employee revenge. Most often they try to harm companies by targeting:

  • tangible assets (theft of equipment, damage to property);
  • confidential information (data drain, deleting, blackmail);
  • the reputation of the company (posting information discrediting business reputation, court claims). 

Theft or damage of tangible assets

This problem is as old as time. I'm sure every business has a story about how a fired employee took something from work. It is good if it was a mug from the table. Often it turns out to be a working laptop or other equipment. 

Draining, deleting, or encrypting confidential information

Sabotage in the "material" world requires some courage (everyone understands that it’s a crime), at the same time it becomes easier to take revenge with the help of information technology. Therefore, I want to dwell on this point in more detail.

Having access to confidential data, a fired employee can intentionally transfer it to competitors, thereby killing two birds with one stone: take revenge and receive a fee. Experience has shown, competitors are usually interested in a wide range of sensitive corporate information, starting with lists of current customers, ending with business plans, technological developments, and sometimes even passwords from corporate network resources. 

More than that, ex-employees are not just potential causes of data breaches they can also delete critical information.

In the USA, a former IT administrator who worked at a medical center, 4 days after his dismissal, connected to the organization's network and deleted all accounts of medical center employees and documents from the center's file server. At the end of this “revenge mission”, the employees of the medical center were unable to log in to their accounts and lost access to patient files necessary for operations. 

A very similar incident happened to one of our clients: 
Upon dismissal, the employee deleted about 10 thousand documents from the file server. Since the girl quit by mutual consent, the situation became an unpleasant surprise for the company. Luckily, the security department has been alarmed timely, and the deleted files were recovered from the backup.   
By using saved access, system administrators can not only delete, but also encrypt important data so to blackmail a former employer. 
In one company, the documents on the server fell prey to the encrypting virus. But so it seemed at first glance. Later it turned out that the dismissed sysadmin deliberately encrypted the documents – afterward he sent a letter demanding remuneration for decrypting the files. 

Unfortunately, illegal actions with information often go unpunished, which makes it easier for employees to commit such crimes in comparison with theft or damage to property. Last year we surveyed companies of various economic profiles, according to the survey only 12% bring the case to the court, most often the incident is solved by dismissal (in 50% of cases). Nevertheless, if an employee has already been fired, it will not frighten him in any way. 

Harming the reputation of the company or slandering the boss 

Employees may try to harm the image of the manager. Such attempts can be terribly ridiculous, but they should not be underestimated.

A former employee "registered" a former boss on several dating sites. He exposed his boss's personal data, including first name, last name, phone number, place of work, and did not forget to attach a photo. More than that, a former employee posted information about his boss’s non-traditional sexual orientation, attaching photos and videos allegedly confirming this.

How to carry out prevention measures

No company is immune from employee revenge. But it is possible- to reduce negative consequences of the incidents committed by the "avengers".
Here is a list of measures that enhance the security of the organization:

  1. Delineate access. Each employee should have access only to the information they work with. 
     
  2. Establish work regulations and responsibility for disrupting work processes. Arrange a trade secret regime in the company, so employees treat corporate information carefully. Make them sign a confidentiality agreement, which describes the responsibility for violating the trade secret regime. 
     
  3. Ensure workflow control. Video surveillance, alarm systems, and metal detectors protect against theft of material resources. To protect information put the same "detectors" on the corporate communication channels. The easiest way to do so is to implement DLP or DCAP system, which enables controlling the information movements and file storage. Ideally, all work correspondence should be conducted from corporate devices. 
     
  4. Work on company’s corporate culture. It should reflect both the rules of handling the information and the rules of team relationships. 
     
  5. Last, but not least: when you dismiss an employee, check his "personal" files. Employees often believe that the information they have been working with for a long time is their property. Employees created the customer base, drew up contracts and texts, so they are sure they have the right to use the data to their advantage. But the law is on the employer's side. Therefore, security specialist checks whether the employee is planning to take this "personal" information outside the company. If the organization has a DLP system, the check is performed automatically. 

The success of an employee’s "vengeful operation" depends on company’s protecting its infrastructure.

 


Risk assessment Former employees Human factor