- Programmer told bosses he was testing its security system and the money he had taken was just resting in his account
- Flaw in system meant that withdrawals made around midnight were not recorded in the system
A senior programmer with a Chinese bank who developed a way to withdraw more than US$1 million in “free” cash from ATMs has been jailed for 10 and a half years.
Qin Qisheng, 43, a former manager in Huaxia Bank’s technology development centre in Beijing, spotted a loophole in the bank’s core operating system that meant cash withdrawals made around midnight were not recorded.
The bank accepted his explanation that he had simply been trying to test its internal security and the cash was just resting in his own account before he returned it to his employers.
But the authorities did not accept this explanation and jailed Qin for theft in December, a ruling the appeal court upheld last month.
Qin discovered the flaw in the system in 2016 and in November that year he inserted a few scripts in the banking system which he said would allow him to test the loophole without triggering an alert.
For more than a year he made cash withdrawals of between 5,000 yuan and 20,000 yuan (US$740-US$2,965) from a dummy account the bank used to test its systems.
By January 2018 he had amassed over seven million yuan – the equivalent of just over a million US dollars – without telling his superiors what he was doing.
The money was put in his own bank account, and some of it had been invested in the stock market.
Huaxia bank said that Qin should have reported these activities, and what he did was a violation of its formal procedures, according to the court documents.
But the bank also said that it accepted Qin had been trying to investigate the loophole and they filed a request for police to drop the case after he returned the money.
The bank admitted that a formal investigation of the loopholes would have been difficult and labour-intensive to conduct and would have involved outside parties so Qin’s test might have been a way of saving the bank time and money.
“Qin Qisheng said that the matter was complicated and involved lots of work … he believed the bank would not pay attention even if he reported it,” a bank representative told the trial.
“We think this reason for not reporting is legitimate,” he added.
“The core business system of Hua Xia Bank was bought from overseas supplier, it was designed without considering the problem of night trading,” Qin said during his trial in December.
“The customer generally would not report to the bank, [so] we were not informed about this situation. The problem was definitely there, the bank just couldn’t find the reason.” Qin added.
Huaxia bank, a publicly listed concern founded in 1992, told the court it had now fixed the problem.
The irregular activity in the dummy account was detected and verified during a manual check at a subsidiary branch in Cangzhou, Hebei in January last year and the bank reported the incident to relevant authorities.
Qin was detained by police in March and the Chaoyang district court found him guilty of theft in December and sentenced him 10 and half years in jail with a fine of 11,000 yuan.
The district court said that though Qi had returned all the money to the bank before his arrest, it was not enough to spare him.
The court also said the request by Huaxia bank to pardon Qin was not legitimate.
“On the one hand, [the bank] said that the accused’s behaviour was in violation of the rules. On the other hand he said that he could conduct relevant tests. This is self-contradictory,” said the judge.
Huaxia bank did not immediately respond to requests for comment
Qin filed an appeal after the trial, arguing he did not deserve such a severe punishment.
The second and final ruling by the Beijing Intermediate People’s Court upheld the verdict.
“After reviewing the papers, speaking to the appellant and listening to the opinions of the defenders, we believed that the facts of the case were clear and decided not to have another trial,” the court said.
To read the original article: