One Employee, One Promo Code, $700K Gone

This one still hurts to think about.

At an e-commerce company I worked with, someone created a promo code for internal testing. 100% discount. No usage limit. No role restriction. No expiration date. It was meant for the QA team to test checkout flows.

The code lived in the production environment because "it's easier to test on real data." Someone on the team shared it with a colleague "just for one order." That colleague mentioned it to a friend. That friend happened to work with a CPA affiliate network — partner sites that drive traffic for commission.

Within hours, the code was circulating as the deal of the century.

From 112 Orders to a $700K Problem

No hacking. No security breach. No vulnerability in the code. Just a promo code that worked exactly as designed — with no guardrails.

In the first hour alone, 112 orders were placed at zero cost. Products were already being packed. Some had shipped. But the code didn't stop spreading after that first hour — it kept circulating through affiliate channels and social media for the rest of the day before the team managed to kill it.

Legally, if the code works on the site and the customer uses it in good faith, the order is valid. You can't just cancel them.

By the time it was over, the direct product and fulfillment losses were substantial. Add the shipping costs, customer service cleanup, legal review, and the affiliate commissions that triggered on those "sales" — the total damage reached roughly $700K.

All because a test tool existed in the production environment without access controls.

How It Spreads in Networks

In a single-location business, this kind of mistake is bad. In a multi-location network, it's catastrophic. Here's why:

Every location multiplies the attack surface. If your franchise network uses a shared platform with discount capabilities, every location manager, shift leader, and employee with POS access is a potential source of leaked codes. One person sharing one code can cascade across the entire network in hours.

Franchisees create their own promotions. In many franchise networks, individual locations run their own promotions — local discounts, loyalty rewards, event-based offers. Without centralized guardrails, each of these is a potential runaway discount. I've seen cases where a franchisee set up a "buy one get one free" promotion without an end date, and it was still running six months later, silently eroding margins.

There's no centralized inventory of active promotions. Ask your network operations team: how many active promo codes exist across all locations right now? What are their rules? Who created them? If you can't answer that in under five minutes, you have the same exposure.

What to Check in Your Network

After the $700K incident, we built a checklist that I've used on every multi-location project since:

Separate test from production. Always. No test codes, test accounts, or test configurations should exist in the production environment. If your team pushes back with "it's easier this way" — show them this story.

Every discount needs four constraints: who, how many, when, and where. Who can use it (role or customer segment), maximum number of uses, expiration date, and which locations or channels it applies to. If any of these are missing, the code is a liability.

Log everything. Every promo code usage should be logged with timestamp, location, employee who applied it, and order value. If you can't audit your discount history, you can't detect abuse until it's too late.

Centralize promotion governance. In a franchise network, HQ should have visibility into every active promotion across all locations. Not to micromanage — but to catch anomalies. A location suddenly processing 50% more discounted orders than usual is a signal worth investigating.

Run a quarterly promo audit. Go through every active code, every running promotion, every discount tier across the network. Kill anything that shouldn't be active. I guarantee that on your first audit, you'll find forgotten promotions that have been quietly costing you money for months.

The Bigger Pattern

The promo code story is extreme, but the underlying problem is universal in franchise networks: the gap between what HQ intends and what actually happens at the location level.

Every franchise network has systems where employees at locations have access to tools that can cause real financial damage — POS overrides, manual discounts, refund buttons, inventory adjustments. Most of the time, this access is used responsibly. But without proper role-based permissions and audit trails, you're relying 100% on good intentions across every employee at every location.

That works until it doesn't. And when it doesn't, the losses multiply across the network at a speed that's hard to comprehend if you haven't seen it happen.

The fix isn't surveillance or distrust. It's structure: clear permissions, sensible constraints, and visibility. Your franchisees will actually appreciate it — nobody wants to be the location where a rogue discount cost the network six figures.