Behind Being Harmed by Hacking, the Developing Risk Management of Pinduoduo

Technology Author: Yingwei Fu Jan 21, 2019 07:58 PM (GMT+8)

On January 20th, Pinduoduo reported that a hole in its system had been exploited by a group, causing great losses to the company. Pinduoduo's risk management is yet to be developed.


On January 20th, Pinduoduo (拼多多) reported that a hole in its system had been exploited by a group, causing great losses to the company. The hole enabled customers to use coupons with a face value of CNY 100 (USD 14.7) without restriction to purchase goods on its website. Pinduoduo is preparing to exercise its right to sue those who gained improper profits from the system hole.

The public is debating who should bear Pinduoduo's losses, since most coupon users were not the ones responsible for hacking into the system. However, knowing about a bug and still choosing to exploit it is considered illegal in China and elsewhere in the world: in 2017, a couple in the U.S. was charged for exploiting a hole in Lowe's website to gain improper profits. Pinduoduo's coupon users took part in the case voluntarily and purposefully, so Pinduoduo is entitled to ask those who took improper gains to stop the harm and take responsibility for the losses.

Although coupon users are the ones directly responsible for the losses, from both the legal and the ethical perspective, Pinduoduo's risk management is so weak that no one foresaw the never-should-happen losses introduced by its vulnerable system. No alert or intervention mechanism was set for such a huge flow of abnormal transaction activity. This jaw-dropping fact astounded the public, because Pinduoduo represents a new force in the e-commerce industry and is believed to have technology in its genes. Pinduoduo had failed to establish such a mechanism when the hacking happened late on a Saturday night, a time even less protected than others: less staffed at the weekend and slower to respond.

For a startup (judging by when it was established), Pinduoduo has been growing more rapidly than most of its peers and is on the road to becoming a giant in its industry. Founded in 2015, Pinduoduo swiftly completed billions in funding within three years and went public at USD 19 per share on the Nasdaq Stock Market, raising a total of USD 1.6 billion in July 2018. Pinduoduo's growth is driven by the segmented market's diverse demand. Unlike other e-commerce players, Pinduoduo targets lower-tier cities and provides cost-efficient goods to its users through group purchases. Pinduoduo plays the role of a platform that connects manufacturers and customers and boosts the supply chain's efficiency.

To put it another way, Pinduoduo is the S (supply chain) link in the C2S2B (customer to supply chain to business) model: it collects data from the customer side and relays it to the business, or so-called production, side. This simplifies the distribution of goods from the business side to the customer side, reduces the financial pressure generated by inventory and information asymmetry, and satisfies consumers' needs. Pinduoduo is more than a supply chain. As an e-commerce platform, it is able to reallocate resources and find the optimal solution for its users' commercial activities.

EqualOcean: The Connector Role of Pinduoduo in C2S2B Model

Pinduoduo is still developing at a pace that troubles its competitors, but the problems exposed during its operation should get enough attention from Pinduoduo's management team. For instance, the coupon incident that caused thousands (or maybe millions) in losses should not have happened if Pinduoduo's risk management had been implemented as expected. The coupon incident is not a black swan event and should have been foreseen by the system developer. However, for some reason, Pinduoduo failed to manage the risk, and when the risk materialized, it had no effective control. After its app users took improper profits, Pinduoduo deactivated the coupon to prevent further losses, but the follow-up work is ongoing.

As an e-commerce company with a weak sense of cybersecurity, Pinduoduo has learned its lesson. Fintech skills might be what Pinduoduo lacks, but it should be aware of the risk, at least a known risk, and Pinduoduo's major investor should have knowledge of the risk, especially an investor that partially dominates China's mobile payment market. Tencent, Pinduoduo's investor and the most important player in Pinduoduo's cooperation strategy, controls WeChat Pay (微信支付), one of the largest third-party mobile payment providers in China.

Screenshot of Pinduoduo's F-1 Filing on sec.gov

WeChat Pay, as one of the most mature third-party mobile payment providers, is rich in fintech experience, not to mention the other financial products derived from WeChat Pay's ecosystem. Tencent has also suffered from the hacking, since it is closely connected with Pinduoduo. In truth, Tencent is qualified to provide fintech consultation and offer security checks for Pinduoduo, whether from an investor's perspective or a strategic partner's angle. Tencent's investment style is to invest financially and cooperate by providing its social network's channel and payment solution, while seldom getting involved in actual operations, which has pros and cons but is a common choice for most investors. As a giant and an experienced technology-driven company, Tencent can offer more to its portfolio companies, such as fintech security consultation for Pinduoduo.