Bizarre Simpson-eque Ethical Dilemma

[Captain_Nick]

I'm in a bit a quandary at the moment. A truly bizarre set of circumstances has arisen at work and I'm not sure what to do.

I work in hospitality, for a franchisee of a national chain of about one hundred outlets. Without giving too much away, they use a custom point of sale system that has been written in a scripting language and that resides on each store's local server. I have explored this system because that's what I do, even when I'm not supposed to do it. And I have found a lot of vulnerabilities, back doors, passwords, everything. Why would anyone write a POS system in a scripting language and then leave the code on the server for anyone to see. I don't know. The company that created it are real amateurs, they don't even bother encrypting the passwords.

Which is great for me, because it turns out that this IT company uses the same password to access each of the 100 stores. And because they never thought of coding in any sort of access logs, nobody ever knows when I access another outlet's computer system.

Yes I know it's dodgy as and ethically questionable. That is a problem I have to face every day as I can't resist the temptation to stick my nose in where it doesn't belong.

So anyway I was accessing another stores server yesterday for kicks and I made an astonishing discovery. I found clusters of paid up orders that had been cancelled late at night, every night, around the same time, by the same person. In other words, an employee of this franchisee has been stealing money from the shop, for the past two months.

So you see the dilemma? I want to report this, but I can't do it without admitting to my own wrongdoing.

It's just like the episode of the Simpsons where Bart wagged school and wound up being a witness to the trial of the mayor's nephew.

 

[auntiehill]

Isn't there some way you can report it anonymously?

 

[Tosk]

^That's what I would do. Send an anon-email to the store in question that basically says, "I don't expect you to take my word for it, but it would be in your best interest to check up on what X does with customer orders."

 

[Kommander]

Point out these suspicious order cancellations, all the security flaws you found, and then ask for a raise.

 

[Christopher]

By coming clean, you have an opportunity to a) stop a thief from stealing the company's money and b) alert them to some serious security problems in their computer system, both of which could benefit them. Under the circumstances, they might be inclined to forgive the lesser transgression.

Besides, if you know this person's stealing and you don't report it, that could be interpreted (validly or not, I don't know, but it could be) as being an accessory, which would be an even worse position to be in if you were found out. Trying to hide one's mistakes often leads to worse consequences.

As a rule, Bart Simpson isn't a good role model. I think even he fessed up at the end.

 

[Robert Maxwell]

I'd check your country's computer fraud/abuse laws. In the US, you'd be doing time in federal prison for admitting to any of that, whether you found someone else's illegal behavior or not.

I'd send an anonymous tip and do whatever it takes not to have it traced back to you.

 

[Allyn Gibson]

I have some background in retail loss prevention. Here's my advice.

1) Document five or six of the cancellation incidents. Depending on what you can pull, you definitely need dates and times. You need amounts. (I'm assuming these orders are being canceled for cash.) Transaction numbers will be a definite plus.

2) If your company has an anonymous tip line, use that. Every retail company I worked had one. If your company doesn't have an anonymous tip line, write up the details you have and mail it anonymously to your corporate office, ATTN: Loss Prevention.

3) Stop digging around in other stores' computers.

I disagree vehemently with Christopher that coming clean completely will benefit you. LP will take a dim view of you taking advantage of security holes to look at the software and in other people's computers, because they'll want to know everything that you did and they've unlikely to believe that all you did is look.

Your best play there is to wait about three months and then send the corporate office another anonymous letter, this one explaining the security holes and how they can be taken advantage of. You may even want to go so far as to have it mailed from another city (and that's easily accomplished on the 'net -- you write the letter, and have someone in another city mail it for you) so it can't be connected back to your location or the earlier anon letter that outed the thief in the other store.

That's my advice. Out the person anonymously.

 

[Christopher]

I disagree vehemently with Christopher that coming clean completely will benefit you.

Your vehemence is wasted, then. I did not say "will"; I said "might."

And even if it doesn't benefit him personally, that doesn't mean it isn't still the right thing to do. Letting someone else get away with wrongdoing just to protect yourself is never right.


And has it occurred to anyone that a person's anonymity on a public bulletin board is not absolute? There are ways to identify posters through their ISPs, or by subpoenaing a board's registration records. So just by confessing the act on this board, Collingwood Nick, you may have already potentially exposed yourself. Perhaps you should consider talking to a lawyer instead of taking advice from a bunch of strangers online. At least then your conversations would be privileged.

 

[-Brett-]

Is he stealing enough to make blackmail worthwhile?

 

[Captain_Nick]

I appreciate the advice everyone. Of course I don't have to do anything at all, I can just forget what I have learned and worry about my own store. But that doesn't sit right with me. Might be time to draft an anonymous letter.

And has it occurred to anyone that a person's anonymity on a public bulletin board is not absolute? There are ways to identify posters through their ISPs, or by subpoenaing a board's registration records.

I weighed up the risks before posting this and decided they were acceptable.

 

[Captain_Nick]

Is he stealing enough to make blackmail worthwhile?

Yes, actually, more than enough. But I don't have the ability or the balls to even try that.

 

[sojourner]

If you can access things truly anonymously, start "uncancelling" some of those transactions. Eventually the person in the wrong will be found out when they can't explain the books not balancing and the security holes revealed at the same time.

 

[Captain_Nick]

If you can access things truly anonymously, start "uncancelling" some of those transactions. Eventually the person in the wrong will be found out when they can't explain the books not balancing and the security holes revealed at the same time.

I had thought of that. It is true that the POS software itself doesn't record logins or actions, but the computer still has server logs and even if the franchisee doesn't know to look at them, the police will if they become involved.

And unusual entries in the server logs linked with unusual transaction activity might lead them to the conclusion that a hacker is responsible, not an in store thief.

I had thought of a whole heap of schemes based around 'logging in and changing something' but that can only lead to more trouble for me.

I'm looking at an anonymous phone call to the store owner. He is the person who is losing money in all this.

 

[Saga]

my advice to you is to start drinking heavily.

 

[Captain_Nick]

Great success. The thief is going to lose his job tomorrow, the franchisee is grateful for the information I provided (and mildly embarrassed that he had been stooged for so long), and Nick escapes with a thank you instead of a visit to the police station.

Sometimes it pays to put self interest aside and do the right thing. Who knew?

 

[Allyn Gibson]

I disagree vehemently with Christopher that coming clean completely will benefit you.

Your vehemence is wasted, then. I did not say "will"; I said "might."

The important thing is, you were giving bad advice, no matter how you couched it, because you were speaking from a position of no experience. In such a case, vehemence is never wasted.

On another note, I'm glad the situation worked out.

 

[Christopher]

Great success. The thief is going to lose his job tomorrow, the franchisee is grateful for the information I provided (and mildly embarrassed that he had been stooged for so long), and Nick escapes with a thank you instead of a visit to the police station.

Sometimes it pays to put self interest aside and do the right thing. Who knew?

Umm... (raises hand)

 

[Captain_Nick]

By the by, that bit about not poking around in other stores computer systems again - yeah, that's good advice. I'd hate to put myself in this position again.

 

[StolenThunder]

Good story!

Did you put on a voice for the phone call? Hear any unusual clicking?

 

[Roger Wilco]

I'm unclear how that employee's scam works exactly. Could you explain it to me like I'm an idiot (which I may be, because I really don't get it)?

Anyway, nice that it had a good ending apparently.

eta: if it's just people paying for things and the employee pocketing the money himself and then cancelling the orders, I don't understand how he/she could ever think to get away with it.