The "Revenge" tariff: how to dismiss IT specialists the right way

How to dismiss IT specialists the right way — in tech companies and beyond. Why parting with a specialist is a business process, not a conversation driven by emotion, and ten rules that keep a company from an expensive mistake.

A 1.4 million ruble story

One IT company in Khabarovsk was left without its data by a former employee — after he had already gone. He had been dismissed for absenteeism, routinely, with no lengthy procedures. His access, though, was left untouched: the account still live, the passwords unchanged, the door open. A few days later the man calmly connected to the servers — by then from another city — and deleted the working information: contracts, counterparty records, the accounts, colleagues' personal data. And along with it, the backups. The very ones a company pins all its hopes on in cases like this.

The damage was assessed at 1.4 million rubles. The court found the former employee guilty; the sentence was two years suspended. The money the company recovered, the data only in part. And the story, as usual, it chose not to publicise.

It is worth pausing here and naming the thing plainly. This article is not about bad people, nor about how treacherous engineers can be. It is about something else: dismissing an IT specialist is a business process, not a gesture made on emotion. A process has stages, owners and checkpoints. When haste, hurt and "we'll sort it out later" stand in for a process, a company switches on a tariff without even noticing. We call it "Revenge". The bill is paid in data, downtime and money.

Why you hear so few of these stories

It might seem this is rare — a couple of cases in the whole country. The impression is misleading, and here is why. Companies are in no rush to talk about such stories. To admit that a former employee wiped your database is to admit the other half too: it was we who left his access open, we who failed to safeguard the backups, we who came to the conversation unprepared. That is uncomfortable, and most prefer to quietly recover and forget.

So what reaches the courts and the press is the tip of the iceberg. Beneath it are those who paid the tariff in silence. If "this has never happened to you", that more often means "not yet" or "it happened, but quietly" than "it does not happen here".

What the "tariff" includes

The "Revenge" bill comes in different sizes — depending on what the person still holds and how angry they are. Here is what makes up that bill, and behind every item stands a real case.

Ransomware and ransom. In Moscow, a former lead engineer at a large company, having resigned, launched a ransomware virus into his former employer's network, locked the client databases and demanded 27 million rubles for decryption. The case is being handled by the Investigative Committee and the FSB; it is now in court — under three charges at once, including extortion.

Bringing the infrastructure down. A Citibank employee, on the day his work was being reviewed, wiped the configuration that evening on nine of ten core routers and took down connectivity across almost the entire bank network in North America. To a colleague he wrote briefly: "They were firing me. I got there first." He received 21 months in prison.

Deleting personal data. In Seversk, a software engineer at a billing centre copied to himself and then wiped from the server the databases holding residents' utility-payment data. The court imposed restriction of liberty.

A logic bomb. This is when the person leaving plants code in the system that goes off later — say, on the first day of the new financial year, when no one expects a failure. According to the lawsuit, that is what a system administrator at one US company did, after fourteen years there.

One thing unites these bills: not a single one of them would have been issued had the parting gone as a process rather than as a flare-up.

Why "Revenge" switches on at all

Look at the figures from those who study such cases professionally. The US-based CERT institute, having examined hundreds of episodes of insider sabotage, notes a pattern: it is more often former employees, not current ones, who harm a company. According to data cited by CISA, the specialist cybersecurity agency, in sabotage episodes 85% of people had a grievance before they did anything, and almost always that grievance was work-related.

The picture that forms is clear and bleak. Revenge is rarely spontaneous: it is thought through while access is still in hand, and carried out once the person has been dismissed. The danger is not the "bad person" as such, but the combination of two things the employer controls: a live grievance and access not closed in time. Remove either one and the tariff will not switch on.

Parting as a process: ten rules

What follows is what turns a dismissal from an emotion into a managed process. Half the rules are technical, half are human, and they only work together.

1. Decide on access before you decide on the conversation. Before you say "we are parting ways", you should already have a map in hand: what the person has access to — servers, clouds, email, code repositories, VPN, service accounts, the physical pass. Until that map exists, you are not managing the situation, you are hoping for luck.

2. Close access at the same time as the conversation, not "tomorrow". The best moment to revoke rights is while the conversation itself is going on. "We'll do it on Monday" is an open door across the whole weekend. In the Khabarovsk case it was precisely a few such days that decided everything.

3. Change the secrets, not just the logins. Blocking an account is not enough. A departing administrator remembers the passwords, keys and tokens — and gets in around the block. So you change passwords, access keys and VPN certificates, deal with service accounts and check that no one has left a "back door". It is like changing the lock rather than just asking for the key back: the spare is still out there. In the Canadian Pacific case, the specialist was allowed to resign voluntarily, but the work laptop and access token were left in his hands and the administrator rights were not revoked — and two days later he deleted accounts and changed passwords himself.

4. Protect the backups separately. A backup is the last line of defence, and it is the first thing revenge goes after. Backups should sit where ordinary administrator access cannot reach them, and in such a way that they cannot be wiped all at once. In the Khabarovsk case the data was destroyed together with the backups — and that turned a recoverable nuisance into an irreparable loss.

5. Do not humiliate. Dignity is not courtesy, it is security. Reviewing someone's work on the day of dismissal, walking them out under guard in front of the team, a demonstrative wiping of everything — that is not "firmness", it is a trigger. CISA explicitly advises parting in a way that lets the person leave with their face intact, and calls it a security measure, not good manners. The Citibank story is exactly this: a conversation about work in the morning, a wiped network in the evening.

6. Do not leave the person in limbo. The most dangerous combination is when an employee has already been sidelined, is still aggrieved, but has kept their access. Either the person calmly works on to the agreed date, or they leave at once — with access closed and face intact. A drawn-out "neither dismissed nor working" feeds the very grievance that later looks for a way out.

7. Remove the "single point of failure" person. If the whole system rests on one specialist and only they know how it is built, their departure is a hostage situation even without ill intent. Documentation, a second person who is in the loop, a handover prepared in advance — these remove two troubles at once: the risk of sabotage and the panic of the empty chair.

8. Watch what happens after the departure. A dismissal does not close the subject. The grievance remains, and the former employee knows the back routes. It is sensible, a few weeks after the departure, to keep an eye out for anomalies — login attempts, odd queries to databases and backups. Security specialists put the period at one to three months.

9. Formalise the parting by the rules — and calmly talk them through. A handover record for equipment and access, a reminder about non-disclosure, a note on what may not be taken. And plainly, without threats: access to company systems after dismissal is no longer a labour dispute but an article of the Criminal Code with real sentences. Not to frighten — so that the person clearly sees the line.

10. Part in a way that brings people back for a reference, not for revenge. An honest settlement, a calm conversation, a "thank you for your work" — these are not sentimentality. The best defence against revenge is leaving the person nothing to take revenge for. There are different ways to dismiss someone: one in which the specialist leaves and, given the chance, recommends you to a colleague, and one in which they leave to go and count your weak spots.

This is not "a falling-out" — it is an article of the Criminal Code

It is worth spelling out separately, because in the heat of the moment both sides forget it. Deleting data, locking systems, launching ransomware by a former employee is not "he got carried away". These are Articles 272 and 273 of the Russian Criminal Code — unlawful access to information and malware; when critical infrastructure is affected, Article 274.1 is added, and when a ransom is demanded, extortion. The sentences in such cases are real: from restriction of liberty to imprisonment, with confiscation of equipment. That will not return lost data to a company, but it is useful to mark the line calmly and in advance when parting.

How The One helps here

Look closely and not one of these stories is really about revenge as such. Each is about a hole in the company's map of processes: a stage that was missing, an owner who was not assigned, a check that no one carried out. Dismissing an engineer simply turned out to be the place where the hole became visible — and cost dearly.

At The One we help find such places in advance. This is our work — to audit a company's management processes, to see the weak spots and blank areas in the map of business processes, and to help close them before they turn into a bill. Parting with an employee is only one such process; usually, pulling on it, you find the neighbouring gaps too.

And one more thing, honestly. A calm, considered parting is impossible when there is no one to replace the person leaving: the fear of the empty chair pushes you to drag things out to the last and decide in haste. So healthy work with people — from hiring to parting — is one map, and it is easier to keep it free of holes when there is someone to entrust both the search for a replacement and an outside view of the processes.

If you want to check your map of processes for blank areas, write to us. And in the meantime, you can see how we work through the neighbouring forks: "An offer turned down: where a Russian IT company loses at the final stage", "How to rebuild a strong specialist's compensation — and not lose them", "Doubts during probation: deciding by facts, not emotions".