
I came here to say this. Totally uncalled for not to contact the site first that had these holes and instead go to homeland security.


Yes, and what about the possibility that an attacker already accessed this database and added themself as an employee?

Would you rather be prepared and do a full (well, for a govt agency, full enough) check on all people allowed to access flying death machines, or have a dev silently fix the issue with possible issues later?


ya because the person who developed this is totally trustworthy to fully fix it and assess any other possible vulnerabilities. he definitely isn't gonna just add a front end validation to throw a message on the front end when you submit a single quote...



