Unfortunately you probably need to think abou this from the point of view of an anti-fraud/abuse team. How would you differentiate between a business that had an employee go rogue and a business deliberately trying to cause harm and get away with it?

Claiming you fired the party responsible isn’t very convincing, honestly, especially if it’s hard to verify: was it an alias? did the employee only exist on paper? are they still around just not “employeed”, were they a designated patsy? Nor are claims that you revamped your security, which doesn’t address the root problem of whether it was intentional behaviour or not. And what’s worse, the natural urgency and appeals to emotion that you include in your story are unfortunately widely used tactics by scammers to try to get a human to bend rules to their benefit, and reviewers are trained to treat them as such. You need hard evidence.

How can you demonstrate that you didn’t know what the employee was doing? Have you reported the employee to the police? Is there a criminal case you can point to? Simply having a bad process before could very easily have been an intentional way to avoid knowledge of wrong doing, another common tactic used by criminal orgs.

Best of luck.

we sent supporting paperwork to apple, and a simple search from their end will confirm things