In late December 2022, a software engineer in Seattle, Washington, was charged with stealing more than $300,000 from his former employer, Zulily. Ermenildo Valdez Castro, 28, allegedly adjusted prices of Zulily’s products and changed company code in order to “divert shipping fees” into his personal account. It turns out that the theft was inspired by the classic 1999 comedy film Office Space. Police reports detail the case more specifically but let’s take a closer look at what happened.
Office Space (Spoilers?)
The 1999 movie Office Space is about a software engineer, Peter Gibbons, who works at a company called Initech. He absolutely despises his soul-sucking job and decides to seek the help of a hypnotist. In trying to explain his feelings about work, he shares with the therapist that since joining the company, “every single day of my life has been worse than the day before it, so that means that every single day that you see me, that’s on the worst day of my life.” During the same session, Peter is then hypnotized by the therapist. But something goes awry; he’s never “snapped out” of the hypnotic trance. Since the hypnotist primed Peter for a state of “complete relaxation,” where all of his “cares and concerns are disappearing,” and his “concern about [his] job melts away,” this state of mind is now Peter’s default; he’s left in a state of perpetual hypnosis.
The Plan
When he returns to work, not only does he have no stress for the first time ever, he also has no concern or regard for work or the workplace. Shortly after, Peter and his coworkers learn that the company is downsizing. They collectively come up with the idea of plotting a revenge plan against Initech. The guys create a virus to funnel, “huge numbers of fractions of pennies,” into their own separate bank account. The whole intent behind the scam was that it would be subtle. They planned to steal cents on the dollar. This way, the theft would be so minuscule that it would be untraceable, but they made a mistake with the code. Rather than stealing a subtle amount, they ended up stealing over $300,000. This is very similar to the approach Valdez Castro decided to reenact against Zulily. He even stole close to the same amount of money.
The Office Space Inspired Theft
Ermenildo Valdez Castro allegedly told the detectives that Office Space was in fact the inspiration for his theft. He diverted customer fees from Zulily.com into his financial account, gaining money just by switching some code. Court documents say that Valdez Castro wrote a code that basically manipulated the end destination of funds. Rather than going to the manufacturer, Zulily, the money would end up in his own bank account. This allowed him to gain around $260,000 in stolen shipping fees. He also slightly changed the prices on some of Zulily’s items to gain about $40,000 in merchandise.
What Exactly Happened?
The police report accused Castro of three steps that allowed him to execute his scheme for a long time. First, starting on February 28, 2022, Castro’s original code diverted some of the customer shipping fees from the company finances to Castro’s personal account. Then, once his employer caught on and investigated the situation, he created a replacement code. This diversion created a “double charge” on shipping for a few of Zulily’s customers. Castro could then divert a “full” shipping cost to both himself and the company so it seemed less suspicious. Zulily still received all the shipping fees, but so did Castro. From this, he allegedly made $151,645.50, according to police reports.
In addition to modifying the shipment costs, Castro also made some changes to the prices of certain pieces of merchandise. He made some purchases of his own on Zulily and reduced the price of expensive items to pennies per unit. From this method, he gained $40,842.31 from his employers. In total, Castro unlawfully obtained $302,278.52 from the three different methods he utilized to hack Zulily’s code. He was officially terminated in June 2022. This scheme went on for several months after the company first detected it, so Castro made a lot of money. Just like the actual Office Space theft.
The “Office Space Project”
The police state that Zulily’s cybersecurity staff found a document on Ermenildo Valdez Castro’s laptop called “OfficeSpace project.” This file outlined the entirety of Castro’s scheme to hide any evidence of his crime by “manipulating audit logs and disabling alarm logging.” A Seattle Police Department (SPD) report states that the theft first began in February 2022. By March, Zulily detected some modifications in shipping fees, leading them to eventually discover Castro’s tactics. Ermenildo gained access to prices and data because he was on the team that investigates discrepancies in shipping fees. It ended up being ironic that he was actually one of the main contributors to the changes in these prices.
Zulily Finds Out About the Office Space Theft Scheme
Investigators on the case caught on to Castro’s scheme after some time. When they went to his house, they discovered many Zulily merchandise boxes piled up outside his front door, according to the report. Apparently Castro sent over 1,000 items to his house, as claimed by Zulily’s team. However, Castro claimed to the police during an interview that all the orders came to his house during a “testing” situation and that he forgot to return them to Zulily. He never told any of his fellow staff members about any of the orders. Clearly, this excuse was fishy and the company fired him.
Use of Computers for Financial Gain
The movie Office Space was a warning sign that computer scientists could easily manipulate code for their own financial gain. Ermenildo’s crime and conviction was clear evidence that this is a real threat. While computers and coding skills are often good to solve problems and protect devices, they can end up as a way to exploit individuals and companies.
Unfortunately, the crime is also proof that internal threats to business functions do exist. This is nothing new: there have always been corrupt employees within companies. However, now business owners face risks of larger magnitude that might be difficult to detect. In the case of this theft, it took a moment for investigators to actually find the threat and convict the criminal. Within that time, Valdez Castro was able to make about $300,000 stealing from customers. Crimes like this not only impacts the company, but might also put the individuals who shop from the business. What if the cyber criminal accessed and saved some of the data from users? Is their financial information still safe?
What Happens Next?
Ermenildo Valdez Castro was officially terminated back in June 2022 after working for the company as a software engineer since 2018. Since then, he’s been charged with two counts of theft and one count of identity theft for his crimes on December 20, 2022. Identity theft in the first degree alone can result in a 10-year prison sentence in the state of Washington and that’s just one of the counts out of three.
All businesses should be cautious of scams like this one. Even internal employees can drastically impact cybersecurity and prove to be a huge danger to the company, its employees and its customer base. Castro’s actions resulted in significant financial ramifications for Zulily and it doesn’t seem like they’re getting their money back either, seeing as how Castro told police that he spent all of the money on bad investments.
Companies should always investigate when numbers simply don’t add up or look askew. With the rise in cyber attacks and digital threats, being mindful of what’s happening within your network is essential. While many hackers come from external groups, they could also be within your own organization, impacting the daily operations of your business. The bigger the company, the more there is to keep track of. Unless you’re doing everything yourself, someone else will always be doing at least some of the work.
We encourage organizations to have policies in place to ensure that employees are trustworthy, whether that means conducting background checks prior to employment or enforcing other practices to manage employees and contractors, and maintain transparency.
Even if your organization takes measures to prevent penetration from external forces, you still have to cultivate the atmosphere of your organization to safeguard yourself from internal attacks, also known as an insider threat.
Written by Mary Grlic
