I'm in a bit a quandary at the moment. A truly bizarre set of circumstances has arisen at work and I'm not sure what to do.
I work in hospitality, for a franchisee of a national chain of about one hundred outlets. Without giving too much away, they use a custom point of sale system that has been written in a scripting language and that resides on each store's local server. I have explored this system because that's what I do, even when I'm not supposed to do it. And I have found a lot of vulnerabilities, back doors, passwords, everything. Why would anyone write a POS system in a scripting language and then leave the code on the server for anyone to see. I don't know. The company that created it are real amateurs, they don't even bother encrypting the passwords.
Which is great for me, because it turns out that this IT company uses the same password to access each of the 100 stores. And because they never thought of coding in any sort of access logs, nobody ever knows when I access another outlet's computer system.
Yes I know it's dodgy as and ethically questionable. That is a problem I have to face every day as I can't resist the temptation to stick my nose in where it doesn't belong.
So anyway I was accessing another stores server yesterday for kicks and I made an astonishing discovery. I found clusters of paid up orders that had been cancelled late at night, every night, around the same time, by the same person. In other words, an employee of this franchisee has been stealing money from the shop, for the past two months.
So you see the dilemma? I want to report this, but I can't do it without admitting to my own wrongdoing.
It's just like the episode of the Simpsons where Bart wagged school and wound up being a witness to the trial of the mayor's nephew.