Disgruntled Employees

There are many factors that contribute to disgruntled employees in the workplace. However, the process typically begins with an employee feeling overworked, underpaid, unappreciated, or passed up for a promotion. In fact, a job satisfaction survey conducted by The Conference Board Consumer Confidence Survey® highlights the five components that US workers are least satisfied with. To enumerate, they are:

  1. promotion policies (25.4 percent)
  2. bonus plans (25.5 percent)
  3. educational/job training programs (30.8 percent)
  4. the performance review process (31.2 percent)
  5. recognition/acknowledgement (34.3 percent)

Disgruntled Employees

Research from the 2022 Verizon Data Breach Investigations Report indicates that Insiders are responsible for around 18% of security incidents.

Disgruntled employees possess two components needed to cause damage: access and motivation. Additionally, a survey conducted by Deep Secure reports that nearly half (45%) of office employees are willing to sell corporate information to outsiders. Notably, just £1,000 would be enough to tempt 25% of the surveyed employees. What information would they be willing to sell? It could include confidential and/or proprietary information, as well as financial information, and/or high-level administrative privileges to corporate applications.

When issues arise in the workplace, it’s important to realize that this can create an emotionally charged environment. As a result, a productive employee may now become a disgruntled employee. The subsequent risk to the company may be varied and significant. It could include spreading negative comments on social media platforms such as LinkedIn or Facebook. In addition, it could include theft of physical and or intellectual property as well as deliberately leaking sensitive and or confidential/proprietary information. As a result, companies may experience financial loss, loss of company credibility, and potential lawsuits.

In addition to disgruntled employees, it’s important to consider the other insider threat; the ex-employee who maintains access to corporate applications.

The Ex-Employee

According to a survey conducted by OneLogin an alarming 50 percent of ex-employees retain access to corporate applications after their employment has ended. This continued access can become the Achilles heel for the company. If the ex-employee leaves acrimoniously, the motivation exists to use that access to orchestrate a crippling attack.

What if the employment is terminated to the satisfaction of both parties? Is there still a risk? There certainly is. An ex-employee can be recruited at a later date by malicious actors offering financial incentives for access. This threat is real.  According to OneLogin, 20 percent of the companies surveyed experienced a data breach due to failure to de-provision an employee.

Examples of Disgruntled Employees

There are many real-world examples of the dangers from disgruntled employees as well as ex-employees who maintain credentials.

Apples Huge Reveal—Not so Much!

Just days before Apples’ 2017 huge reveal, a disgruntled employee is believed to be the leak that compromised the anticipated event centered around the iOS 11 GM. According to a September 9, 2017 AppleInsider report, it is suspected that a disgruntled employee revealed proprietary/confidential information regarding new features and hardware of the iOS 11 GM.  Included in the leak was information on the new LTE Apple Watch, new AirPods revision, “Face ID” facial recognition details and setup process, a new “animoji” feature for Messages, and the apparent marketing names of Apple’s forthcoming iPhone lineup; iPhone8, iPhone 8Plus, and iPhone X.

Morrisons Supermarket Payroll Leak

In 2014, Andrew Skelton, a senior IT auditor employed by Morrisons Supermarket PLC, deliberately leaked the payroll information of approximately 100,000 current and former Morrisons’ employees to a file-sharing website and to three English newspapers. The motivation? The IT auditor held a grudge against Morrisons due to an earlier internal disciplinary matter.  Morrisons continues to experience the damaging consequences caused by this disgruntled employee. Over 5,000 current and former Morrisons’ employees filed a class-action suit against the company for damages incurred from the information leak.

Georgia-Pacific Mill Hack

IT specialist and systems administrator, Brian P. Johnson, will be spending 34 months in federal prison and will have to pay $1,134,828 in damages for hacking his former employer, Georgia Pacific. Mr. Johnson was terminated from his employment on February 14, 2014, and escorted off the George-Pacific’s Hudson Mill premises. Despite his termination, his access to corporate applications remained in place. Mr. Johnson was found to have an open virtual private network connection to the Georgia-Pacific Mill’s network. With this connection, Mr. Johnson intentionally transmitted harmful code and commands to the system, in some instances bringing the mill’s production to a stand-still.

FBI agents assigned to the case concluded that Mr. Johnson intentionally sabotaged his former employer as payback. In February 2016, Mr. Johnson plead guilty to his crimes.

What You Can Do

There’s a popular saying that “knowledge is power.” All employees require a certain amount of knowledge to empower them to do their work. However, here are a few questions to think about:

  • How much “power” do your employees have based on the access or “knowledge” of corporate applications they possess?
  • Do they need the access they have to do their job?
  • Are policies and guidelines in place to recognize the signs of a disgruntled employee?  
  • Is a policy in place to ensure access to corporate applications cease when employment ends?

This article by the CERT Division of the Software Engineering Institute (SEI) provides a list of 19 best practices that can help mitigate the risk of IP theft, IT sabotage, and fraud that may exist due to a disgruntled or ex-employee.

disgruntled employees
CERT Insider Threat Best Practices


In addition, check out our blog, Insider Threats—Recognize and Respond to the Threat Within, here.