
Mooncake thieves fired from Alibaba’s infosec department

Mooncakes: they're like Christmas fruitcakes, except that the recipients actually eat them.

Last week brought the 15th day of the 8th month of the lunar calendar, marked by a full moon at night: the Chinese Mid-Autumn Festival.

In other words, mooncake time!

These dense, palm-sized pastries have a rich, thick filling, typically made from red bean or lotus seed paste surrounded by a thin crust that’s sometimes glazed with salted duck egg yolks.

They’re given as gifts during the holiday: similar to how fruitcake works for Christmas, with the difference being that the recipients actually eat them.

The packaging for the cakes can get pretty elaborate. Wrapped in plastic, tucked into tins that are sometimes tucked into even bigger tins that are also wrapped in plastic. The deluxe versions can cost as much as $100, the Wall Street Journal reported in 2013.

Well, the mooncakes cost a lot more than that for four information security employees of Chinese retailing giant Alibaba who got fired last Tuesday for rigging the system to get free pastry.

As Asia One tells it, Alibaba confirmed on Tuesday that it had canned the four after they hacked into the internal sales system and ordered 124 boxes of mooncakes that had been made exclusively for Alibaba employees.

Alibaba gives every employee one free box of mooncakes that feature its corporate mascot, which looks like a human pumpkin. The company made extras, though, which it offered to sell at cost to employees who might want to buy more for their families and friends.

Of course, it’s all done through an online ordering system.

An anonymous user claiming to be one of the four dismissed employees went onto question and answer site Zhihu – China’s equivalent of Quora – to say that it was a “goofball” move.

He said he’d tried to buy a box off the sales page but failed. When he learned that others had inserted some software into the sales system to get free cakes, he cooked up his own plug-in.

Then, he turned his attention to other work tasks.

While he was busy, his plug-in went on a carbohydrate-snarfing binge, ordering 16 boxes for the alleged cheater.

He said he was “caught off-guard” when he was shown the door only two hours after he launched his cake thievery plug-in.

Asia One quotes him:

This is the fastest dismissal I have ever experienced. It may also rank high on the list for goofballs.

The employees’ terminations are controversial. In a heated online debate, some have said that yes, the workers should have been disciplined, but losing their jobs is too harsh a step.

Some are saying it’s Alibaba’s fault for having a vulnerable ordering system in the first place.
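The article does not describe how the ordering system was built or how the plug-ins worked, so the following is an added illustration, not code from the article or from Alibaba's system. It shows the two controls a defender would want in an employee-only ordering system of this kind: a server-side purchase cap that a client-side plug-in cannot bypass, and a log check that flags accounts whose accepted orders exceed the cap or arrive in rapid, scripted-looking bursts. The policy values, the log format, and the sample log lines are all constructed assumptions.

```python
"""Added example: server-side order cap and a log check for automated
bulk ordering of an employee-only item. Not the article's or Alibaba's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy values, not Alibaba's real limits.
MAX_BOXES_PER_EMPLOYEE = 2      # at-cost boxes any one employee may buy
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3             # orders inside the window that look scripted


class OrderLedger:
    """Server-side state. The cap lives here, so a browser plug-in that
    replays the order request still cannot exceed it."""

    def __init__(self, cap=MAX_BOXES_PER_EMPLOYEE):
        self.cap = cap
        self.boxes = defaultdict(int)

    def place_order(self, employee_id, qty):
        """Return True if the order is accepted, False if it would exceed the cap."""
        if qty < 1:
            return False
        if self.boxes[employee_id] + qty > self.cap:
            return False
        self.boxes[employee_id] += qty
        return True


def parse_line(line):
    """Parse a constructed log line: 'ISO-timestamp emp=<id> qty=<n> status=<ok|denied>'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["qty"] = int(rec["qty"])
    return rec


def flag_suspicious(log_lines, cap=MAX_BOXES_PER_EMPLOYEE,
                    window=BURST_WINDOW, burst=BURST_THRESHOLD):
    """Return {employee_id: [reasons]} for employees whose accepted orders
    exceed the cap in total or arrive in scripted-looking bursts."""
    by_emp = defaultdict(list)
    for line in log_lines:
        rec = parse_line(line)
        if rec["status"] == "ok":
            by_emp[rec["emp"]].append(rec)

    findings = {}
    for emp, recs in by_emp.items():
        reasons = []
        total = sum(r["qty"] for r in recs)
        if total > cap:
            reasons.append(f"total {total} boxes exceeds cap {cap}")
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: count orders starting at each order within `window`.
        for i in range(len(recs)):
            j = i
            while j < len(recs) and recs[j]["ts"] - recs[i]["ts"] <= window:
                j += 1
            if j - i >= burst:
                reasons.append(f"{j - i} orders within {window}")
                break
        if reasons:
            findings[emp] = reasons
    return findings


# Constructed sample log: E1001 buys normally, E2002 orders every few seconds.
SAMPLE_LOG = [
    "2016-09-13T09:58:00 emp=E1001 qty=1 status=ok",
    "2016-09-13T10:00:01 emp=E2002 qty=1 status=ok",
    "2016-09-13T10:00:04 emp=E2002 qty=1 status=ok",
    "2016-09-13T10:00:07 emp=E2002 qty=1 status=ok",
    "2016-09-13T10:00:10 emp=E2002 qty=1 status=ok",
    "2016-09-13T11:30:00 emp=E1001 qty=1 status=ok",
]

if __name__ == "__main__":
    for emp, why in flag_suspicious(SAMPLE_LOG).items():
        print(emp, "->", "; ".join(why))
```

The ledger check is the one that actually prevents the abuse; the log check exists because an enforcement gap (or a cap that was never set) is only discovered after the fact, and the pattern of many small orders seconds apart is what distinguishes a script from an employee clicking "buy" for a relative.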

One IT veteran reportedly said that it’s part and parcel of the coder mentality to find holes in programs. Asia One quoted him:

For those creative coders, it is fun to find loopholes in their own company’s programs and make a joke about it.

Cake might not seem to constitute high stakes, but an insider threat is an insider threat no matter what the payoff, to my mind.

Readers, what’s your take? Did these cake eaters deserve to lose their jobs over what amounts to hacking their own employer?

Let us know what you think!


6 Comments

Both parties are at fault here. The employer for using such a broken vulnerable system and the employees for exploiting it for personal gain rather than going through proper channels to make the employer aware of the vulnerability. Losing their jobs is harsh as they likely did the employer a favor in the end, but the execution was completely wrong.

Maybe they should have just made them listen to Drake for a few minutes… that would have been enough torture, I think.

No, it’s not the employer’s fault. I agree that firing was too harsh. The ease of theft is not a factor. It’s not OK to steal from someone’s car because they left their window open.

Trusting your IT staff is critical, so there must be harsh penalties for violations of that trust. Having security staff willfully spending time to build something to steal from their employer (the fact that it was merely cakes is irrelevant in my opinion) is absolutely unacceptable. Because if you steal this, you might be more open to stealing that. I’m pretty sure if you worked at a retail establishment and were caught shoplifting from said store you would be subject to immediate termination. This is no different; and it being perpetrated by SECURITY staff is even less acceptable. That’s like having your store safe robbed by your store security personnel. I think Alibaba did the right thing here marking this behavior as absolutely unacceptable. If you find a flaw in the system it’s your job to responsibly report it, not exploit it for personal gain.

Stealing from your employer is grounds for dismissal no matter what was stolen or how easy it is to steal.

Strange logic to suggest that stealing is okay because it was easy to do. I don’t see it that way. Some things are simply wrong. There are three simple rules that cover many moral questions: If it isn’t yours, don’t take it; if it isn’t true don’t say it; if it isn’t right, don’t do it.
