Sophos News

Mooncake thieves fired from Alibaba’s infosec department

Last week ushered in the 15th day of the 8th month of the lunar calendar with a full moon at night, also known as the Chinese Mid-Autumn Festival.

In other words, mooncake time!

These dense, palm-sized pastries have a rich, thick filling, typically made from red bean or lotus seed paste surrounded by a thin crust that’s sometimes glazed with salted duck egg yolks.

They’re given as gifts during the holiday: similar to how fruitcake works for Christmas, with the difference being that the recipients actually eat them.

The packaging for the cakes can get pretty elaborate. Wrapped in plastic, tucked into tins that are sometimes tucked into even bigger tins that are also wrapped in plastic. The deluxe versions can cost as much as $100, the Wall Street Journal reported in 2013.

Well, the mooncakes cost a lot more than that for four information security employees of Chinese retailing giant Alibaba who got fired last Tuesday for rigging the system to get free pastry.

As Asia One tells it, Alibaba confirmed on Tuesday that it had canned the four after they hacked into the internal sales system and ordered 124 boxes of mooncakes that had been made exclusively for Alibaba employees.

Alibaba gives every employee one free box of mooncakes that feature its corporate mascot, which looks like a human pumpkin. The company made extras, though, which it offered to sell at cost to employees who might want to buy more for their families and friends.

Of course, it’s all done through an online ordering system.

An anonymous user claiming to be one of the four dismissed employees went onto question and answer site Zhihu – China’s equivalent of Quora – to say that it was a “goofball” move.

He said he’d tried to buy a box off the sales page but failed. When he learned that others had inserted some software into the sales system to get free cakes, he cooked up his own plug-in.

Then, he turned his attention to other work tasks.

While he was busy, his plug-in went on a carbohydrate-snarfing binge, ordering 16 boxes for the alleged cheater.

He said he was “caught off-guard” when he was shown the door only 2 hours after he launched his cake thievery plug-in.

Asia One quotes him:

This is the fastest dismissal I have ever experienced. It may also rank high on the list for goofballs.

The employees’ terminations are controversial. In a heated online debate, some have said that yes, the workers should have been disciplined, but losing their jobs is too harsh a step.

Some are saying it’s Alibaba’s fault for having a vulnerable ordering system in the first place.

One IT veteran reportedly said that it’s part and parcel of the coder mentality to find holes in programs. Asia One quoted him:

For those creative coders, it is fun to find loopholes in their own company’s programs and make a joke about it.

Cake might not seem to constitute high stakes, but an insider threat is an insider threat no matter what the payoff, to my mind.

Readers, what’s your take? Did these cake eaters deserve to lose their jobs over what amounts to hacking their own employer?

Let us know what you think!

