In late December 2022, a software engineer in Seattle, Washington, was charged with stealing more than $300,000 from his former employer, Zulily. Ermenildo Valdez Castro, 28, allegedly adjusted prices of Zulily’s products and changed company code in order to “divert shipping fees” into his personal account. It turns out that the theft was inspired by the classic 1999 comedy film Office Space. Police reports detail the case more specifically but let’s take a closer look at what happened.
Office Space (Spoilers?)
The 1999 movie Office Space is about a software engineer, Peter Gibbons, who works at a company called Initech. He absolutely despises his soul-sucking job and decides to seek the help of a hypnotist. In trying to explain his feelings about work, he shares with the therapist that since joining the company, “every single day of my life has been worse than the day before it, so that means that every single day that you see me, that’s on the worst day of my life.” During the same session, Peter is then hypnotized by the therapist but something goes awry, and he’s never “snapped out” of the hypnotic trance. Since the hypnotist primed Peter for a state of “complete relaxation,” where all of his “cares and concerns are disappearing,” and his “concern about [his] job melts away,” this state of mind is now Peter’s default; he’s left in a state of perpetual hypnosis. When he returns to work, not only does he have no stress for the first time ever, he also has no concern or regard for work, or the workplace, whatsoever. Shortly after, Peter and his coworkers learn that the company is going to get downsized and collectively come up with the idea of plotting a revenge plan against Initech. The guys create a virus, as a way to divert funds, in which, “huge numbers of fractions of pennies,” would be funneled into a separate bank account that they owned. The whole intent behind the scam was that it would be subtle. They planned to steal cents on the dollar, so that the theft would be so minuscule, that it would be untraceable but they made a mistake with the code. Rather than stealing a subtle amount, they ended up stealing over $300,000. This is very similar to the approach Valdez Castro decided to reenact against Zulily, as well as close to the same amount of money that was stolen.
The Movie Inspired Theft
Ermenildo Valdez Castro allegedly told the detectives that Office Space was in fact the inspiration for his crime. He diverted customer fees from Zulily.com into his financial account, gaining money just by switching some code. Court documents say that Valdez Castro wrote a code that basically manipulated the end destination of funds. Rather than going to the manufacturer, Zulily, the money would end up in his own bank account. This allowed him to gain around $260,000 in stolen shipping fees. He also slightly changed the prices on some of Zulily’s items to gain about $40,000 in merchandise.
The police report accused Castro of three steps that allowed him to begin and execute his scheme for an extended period of time. First, starting on February 28, 2022, Castro’s original code diverted some of the customer shipping fees from the company finances to Castro’s personal account. Then, once his employer caught on and investigated the situation, he created a replacement code. This diversion created a “double charge” on shipping for a few of Zulily’s customers. Castro could then divert a “full” shipping cost to both his own account and the company’s account so that he seemed less suspicious. Zuilily still received all the shipping fees, but so did Castro. From this, he allegedly made $151,645.50, according to police reports. In addition to modifying the shipment costs, Castro also made some changes to the prices of certain pieces of merchandise. He made some purchases of his own on Zulily and reduced the price of expensive items to pennies per unit. From this method, he gained $40,842.31 from his employers. In total, Castro unlawfully obtained $302,278.52 from the three different methods he utilized to hack Zulily’s code. He was officially terminated in June 2022. This scheme went on for several months after first being detected, allowing Castro to obtain a lot of money before he was actually fired.
The “Office Space Project”
The police state that Zulily’s cybersecurity staff found a document on Ermenildo Valdez Castro’s laptop called “OfficeSpace project.” This file outlined the entirety of Castro’s scheme to hide any evidence of his crime by “manipulating audit logs and disabling alarm logging.” A Seattle Police Department (SPD) report states that the theft first began in February 2022. By March, Zulily detected some modifications in shipping fees, leading them to eventually discover Castro’s tactics. Ermenildo was able to gain access to such prices and data because he was a part of a team that was supposed to investigate any discrepancies in shipping fees. It ended up being ironic that he was actually one of the main contributors to the changes in these prices.
Zulily Finds Out About the Scheme
Investigators on the case caught on to Castro’s scheme after some time. When they went to his house, they discovered many Zulily merchandise boxes piled up outside his front door, according to the report. Apparently Castro sent over 1,000 items to his house, as claimed by Zulily’s team. However, Castro claimed to the police during an interview that all the orders came to his house during a “testing” situation and that he forgot to return them to Zulily. He never told any of his fellow staff members about any of the orders. Clearly, this excuse seemed fishy and he was fired from the company.
Use of Computers for Financial Gain
The movie Office Space was a warning sign that computer scientists could easily manipulate code for their own financial gain. Ermenildo’s crime and conviction was clear evidence that this is a real threat. While computers and coding skills can often be used for good to solve problems and protect devices, they can also be manipulated to exploit individuals and companies. Unfortunately, the crime is also proof that internal threats to business functions do exist. This is nothing new: there have always been corrupt employees within companies. However, now business owners face risks of larger magnitude that might be difficult to detect. In the case of this theft, it took a moment for investigators to actually find the threat and convict the criminal. Within that time, Valdez Castro was able to make about $300,000 stealing from customers. Crimes like this not only impacts the company, but might also put the individuals who shop from the business. What if some of the data from users was accessed and saved by the cyber criminal? Is their financial information still safe?
What Happens Next?
Ermenildo Valdez Castro was officially terminated back in June 2022 after working for the company as a software engineer since 2018. Since then, he’s been charged with two counts of theft and one count of identity theft for his crimes on December 20, 2022. Identity theft in the first degree alone can result in a 10-year prison sentence in the state of Washington and that’s just one of the counts out of three.
All businesses should be cautious of scams like this one. Even internal employees can drastically impact cybersecurity and prove to be a huge danger to the company, its employees and its customer base. Castro’s actions resulted in significant financial ramifications for Zulily and it doesn’t seem like they’re getting their money back either, seeing as how Castro told police that he spent all of the money on bad investments.
Companies should always investigate when numbers simply don’t add up or look askew. With the rise in cyber attacks and digital threats, being mindful of what’s happening within your network is essential. While many hackers come from external groups, they could also be within your own organization, impacting the daily operations of your business. The bigger the company, the more there is to keep track of and unless you’re doing everything yourself, there is always going to be work that’s delegated to someone else.
We encourage organizations to have policies in place to ensure that employees are trustworthy, whether that means conducting background checks prior to employment or enforcing other practices to manage employees and contractors, and maintain transparency.
Even if your organization takes measures to prevent penetration from external forces, you still have to cultivate the atmosphere of your organization to safeguard yourself from internal attacks, also known as an insider threat.
Written by Mary Grlic