The 99%-off MacBook caper: What a reported Best Buy exploit reveals about retail tech and insider risk
Police say a Best Buy employee used a manager’s override code to ring up MacBooks for pennies on the dollar over several months. Beyond the headline, the case spotlights how old-school retail workflows collide with modern attack surfaces—and why insider threats remain retail’s most persistent blind spot.
Background
Every retailer depends on exceptions. Price overrides for damaged goods, accommodation for price matches, discounts to resolve customer issues—these are the grease that keeps the in-store experience from seizing up. But every exception pathway is also a potential exploit. When those pathways are controlled by simple codes, shared logins, or easily guessed PINs, the point of sale (POS) becomes an attack surface.
That’s why a reported case out of Best Buy has drawn outsized attention: police say a store employee used a manager-level code to apply near-total discounts—up to 99% off—on coveted Apple laptops and other devices, allegedly over a period of months. The facts will be tested in court, but the allegations highlight a broader trend. Retailers have digitized nearly everything: inventory, promotions, loyalty, and returns. Yet the governance around high-risk actions at the register often looks like something from a pre-cloud era: static override codes, minimal audit of who did what, and little real-time detection when something goes wildly out of policy.
There’s a term for the cost of such gaps: shrink. The National Retail Federation has estimated U.S. retail shrink at over $112 billion for 2022, with a rising share attributed to internal actors alongside organized retail crime. Generative AI didn’t create these problems, but it has made policy supervision, exception analysis, and anomaly detection both more necessary and more feasible—if leadership decides to use it.
What happened
According to reporting based on a police affidavit, a Best Buy employee allegedly obtained and then repeatedly used a manager’s authorization method at the POS to apply extreme markdowns to high-dollar Apple products, including MacBooks. The reported pattern involved:
- Applying discounts far beyond typical policy limits, reportedly up to 99% off sticker price.
- Doing so over an extended period, suggesting the controls in place didn’t immediately flag outlier behavior.
- Targeting premium items with strong resale value, which can be liquidated quickly through online marketplaces or local resale channels.
While the affidavit’s specific numbers and timelines will be litigated, the technical gist is familiar to anyone who has audited retail systems:
- Manager overrides are often the master key. Many POS platforms allow a cashier to request an override and a manager to tap in a PIN, badge, fingerprint, or separate login to approve a price change.
- If the credentials are shared, static, or guessable, the control is weak. Even unique PINs falter if they are posted on a clipboard, reused across managers, or not rotated.
- Excessive discounts aren’t always blocked. Some configurations don’t hard-stop improbable discounts (say, more than 50% off) but instead rely on post hoc exception reports that managers may not review daily.
The upshot: a single compromised override pathway can convert inventory into near-free goods without triggering an automated fail-safe.
Why Apple devices make tempting targets
- High MSRP and liquid secondary markets: MacBooks, iPads, and AirPods sell rapidly on peer-to-peer platforms.
- Tight margins and pricing policies: Because retailers have limited headroom on Apple gear, legitimate deep discounts are rare. That makes outliers easier to spot—if someone is looking.
- Small form factor, high value: A handful of laptops can represent tens of thousands in retail value, making the risk-reward calculus favorable for would-be thieves.
How this could slip past controls
- Static manager codes: If a store uses a single numeric override shared across managers, compromise is a single point of failure.
- No multi-party approval: Extreme discounts approved by a single manager credential invite abuse. Dual control—two distinct approvals—raises the friction dramatically.
- Weak exception analytics: Many retailers still rely on weekly exception spreadsheets. By the time a pattern surfaces, the loss is sunk.
- Alert fatigue: Even when alerts exist, they may be noisy. Staff tune out dashboards that ping constantly for minor deviations, letting truly anomalous events slip by.
Key takeaways
- Insider risk is retail’s perennial Achilles’ heel
  - Most retailers invest heavily in external shrink controls (cameras at exits, EAS gates, receipt checks) but underfund internal privilege governance.
  - Insider schemes can be quiet, consistent, and credible-looking because they use legitimate systems the way those systems were designed—just not for the right reasons.
- POS security needs the same rigor as online checkout
  - E-commerce flows often require MFA for high-risk actions, velocity checks, and anomaly detection. Brick-and-mortar POS rarely does for overrides.
  - The control that approved a 99% discount should be at least as hard to use as the control that approves a $2,000 online refund.
- Manager overrides should be rare—and never static
  - Unique credentials per manager, rotated frequently.
  - Step-up authentication (e.g., mobile push or FIDO key) for overrides above a threshold.
  - Context-aware caps: a 10% goodwill discount at the register is plausible; 99% should hard-fail without corporate approval.
- Real-time exception intelligence beats next-day reports
  - Threshold alerts: immediate notification when any discount above, say, 40% is attempted on designated SKUs.
  - Behavioral baselines: learn typical discount patterns per store and role; flag deviations, not just absolutes.
  - Closed-loop review: require annotation (who, why) and manager sign-off inside the POS for every extreme exception.
- Culture matters as much as controls
  - If staff believe “everyone knows the override PIN,” they will treat it like a communal resource.
  - Training should frame overrides as controlled substances, not conveniences. Think narcotics cabinet, not Post-it on the register.
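The threshold alert, per-store-and-role baseline and required annotation from the "Real-time exception intelligence" takeaway can be sketched as follows. This is an added example, not code from the article or any POS vendor; the SKU ids, event field names, z-score cutoff and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

HIGH_RISK_SKUS = {"LAPTOP-PREMIUM-01"}  # hypothetical designated SKU list
THRESHOLD_PCT = 40.0                    # the "say, 40%" threshold from the text
Z_LIMIT = 3.0                           # assumed deviation cutoff
MIN_STD = 1.0                           # floor so a flat baseline cannot divide by zero

def build_baseline(history):
    """Mean/std of discount % per (store, role), learned from past overrides."""
    groups = defaultdict(list)
    for e in history:
        groups[(e["store"], e["role"])].append(e["pct"])
    return {k: (mean(v), max(pstdev(v), MIN_STD)) for k, v in groups.items()}

def reasons_for(event, baseline):
    """Return the reasons an override attempt should alert a human (empty = none)."""
    reasons = []
    if event["sku"] in HIGH_RISK_SKUS and event["pct"] > THRESHOLD_PCT:
        reasons.append("threshold")
    key = (event["store"], event["role"])
    if key not in baseline:
        reasons.append("no-baseline")         # unseen store/role: review, do not trust
    else:
        mu, sd = baseline[key]
        if (event["pct"] - mu) / sd > Z_LIMIT:
            reasons.append("baseline-deviation")
    if not event.get("note"):
        reasons.append("missing-annotation")  # closed-loop review needs who/why
    return reasons

# Constructed sample data (not real POS logs).
HISTORY = [{"store": "S1", "role": "manager", "pct": p} for p in (5, 10, 10, 15, 8, 12)]
ATTEMPTS = [
    {"store": "S1", "role": "manager", "sku": "LAPTOP-PREMIUM-01", "pct": 99.0, "note": ""},
    {"store": "S1", "role": "manager", "sku": "CABLE-01", "pct": 10.0, "note": "open box"},
    {"store": "S1", "role": "manager", "sku": "CABLE-01", "pct": 35.0, "note": "damaged"},
]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for a in ATTEMPTS:
        print(a["sku"], a["pct"], reasons_for(a, base))
```

The third attempt stays under the absolute threshold and is not on the high-risk list, yet the baseline still flags it because this store's managers normally approve around 10%.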
How the tech likely worked—and failed
The override design pattern
- Cashier initiates a discount request.
- POS prompts for manager authorization.
- A manager inputs a credential (PIN/badge/biometric) to unlock the action.
- POS applies the discount and logs an event.
Where it breaks
- Credential security: Shared or predictable codes are essentially public knowledge after a few shifts.
- Identity binding: If the system can’t reliably bind the authorization to a specific human (unique account with MFA), attribution is murky.
- Policy enforcement in code: If software doesn’t encode hard caps (e.g., max 30% without district approval), it trusts policy adherence that may not exist in practice.
- Alerting and response: Without live alerts to a store leader or loss prevention team, bad behavior can persist until inventory counts go sideways.
What robust controls look like
- Least privilege: Default cashier roles cannot initiate discretionary discounts above a small threshold; managers have tiered privileges.
- Dual authorization: Discounts over X% or refunds over $Y require two distinct managers to approve, each via MFA.
- Time-boxed codes: One-time approval tokens generated per event; no persistent codes to memorize or share.
- SKU-aware thresholds: High-risk SKUs (premium laptops, phones, GPUs) have stricter caps and automatic holds.
- Computer vision tie-in: When an extreme override is approved, cameras at the register auto-bookmark footage for audit.
- Market price sanity checks: If a discount pushes the price below defined floor bands, the system blocks and requires elevated escalation.
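A per-event approval token of the kind the "Time-boxed codes" item describes, as an added example (not from the article or any POS product): the token is an HMAC bound to approver, transaction, SKU and discount, expires quickly and redeems once. The identifiers, the 120-second lifetime and the in-memory nonce set are assumptions, and step-up authentication of the approver is assumed to happen before `issue_token` is called.

```python
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # held by the approval service, not the register
TTL_SECONDS = 120                     # assumed lifetime of an approval
_used_nonces = set()                  # assumption: in-memory; a real service shares this

def _mac(approver, txn_id, sku, pct, expires, nonce):
    # JSON array encoding keeps field boundaries unambiguous.
    msg = json.dumps([approver, txn_id, sku, pct, expires, nonce]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(approver, txn_id, sku, pct, now=None):
    """Mint a token for one approved action (approver already passed step-up auth)."""
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    nonce = secrets.token_hex(8)
    return {"approver": approver, "expires": expires, "nonce": nonce,
            "mac": _mac(approver, txn_id, sku, pct, expires, nonce)}

def redeem_token(token, txn_id, sku, pct, now=None):
    """Check the token against the action the register is about to apply."""
    now = int(time.time() if now is None else now)
    expected = _mac(token["approver"], txn_id, sku, pct, token["expires"], token["nonce"])
    if not hmac.compare_digest(expected, token["mac"]):
        return False, "binding-mismatch"  # other txn, SKU, discount or approver
    if now > token["expires"]:
        return False, "expired"
    if token["nonce"] in _used_nonces:
        return False, "replayed"
    _used_nonces.add(token["nonce"])
    return True, "ok"

if __name__ == "__main__":
    # Constructed identifiers, not from the article.
    t = issue_token("mgr-1042", "TXN-0001", "LAPTOP-PREMIUM-01", 10)
    print(redeem_token(t, "TXN-0001", "LAPTOP-PREMIUM-01", 99))  # discount changed
    print(redeem_token(t, "TXN-0001", "LAPTOP-PREMIUM-01", 10))  # first use
    print(redeem_token(t, "TXN-0001", "LAPTOP-PREMIUM-01", 10))  # reuse
```

Because nothing memorable is ever typed at the register, there is no code to shoulder-surf, and each log entry names the one approver whose identity is inside the MAC.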
The human layer: how insiders navigate weak systems
People don’t need zero-days when the front door is propped open. Common insider pathways include:
- Shoulder surfing and code sharing: Watching a manager type a PIN or simply asking for it “to help this one customer quickly.”
- Borrowed badges: Using a left-behind RFID badge to approve transactions.
- Role drift: Informal delegation—“just use my login today”—that slowly normalizes policy violations.
- Quiet scheduling: Executing questionable overrides during shift changes, busy hours, or when a friendly supervisor is on duty.
Once an insider confirms that an out-of-policy discount isn’t instantly detected, confidence grows. The scheme scales until an inventory reconciliation, a whistleblower, or an external investigation brings it to light.
Legal framing: not a glitch, but unauthorized access
While each jurisdiction differs, cases like this typically aren’t treated as “clever couponing.” They’re prosecuted under statutes covering:
- Theft by employee or embezzlement: Converting employer property without authorization.
- Computer-related crime or unauthorized access: Using credentials beyond the scope of granted authority, especially if the system is protected by access controls.
- Fraud or scheme to defraud: Where deception is used to obtain goods or value.
Charges can escalate with the total value involved and whether there was resale. Civil recovery and restitution are also common, and employment termination is a given once the facts are established.
Why this keeps happening in 2026
- Legacy tech debt: Many chains run POS software designed when override PINs felt adequate. Retrofitting MFA and policy engines across thousands of lanes is nontrivial.
- Operational friction fears: Leaders worry that tightening controls will slow lines and anger customers. But selective, risk-based friction can be invisible to most shoppers.
- Siloed accountability: IT owns the POS, operations owns the store, finance owns losses, and asset protection owns investigations. Cross-functional fixes stall.
- Underutilized data: Retailers sit on rich logs—who, when, what SKU, what discount. Few apply real-time analytics or machine learning to find abuse quickly.
What to watch next
- Case outcome: Expect updates on charges and whether investigators link the alleged discounts to downstream resale.
- Corporate response: Best Buy and peers will likely re-examine override policies, possibly piloting dual approvals, time-bound tokens, and tighter SKU caps on premium electronics.
- Vendor roadmaps: POS providers may push updates: built-in approval workflows, manager MFA, plug-and-play anomaly detection, and automated video-event coupling.
- Marketplace cooperation: If resale is involved, law enforcement often works with online marketplaces to trace serials and listings, pressuring platforms to flag suspicious, high-volume device sellers.
- Employee privacy vs. monitoring: Expect debate over expanded surveillance—keystroke logging, facial matching at registers, and geofencing—versus reasonable workplace privacy limits.
Practical playbook for retailers
- Map your highest-risk flows: Price overrides, returns-without-receipt, gift card activation, and cash refunds.
- Instrument with intent: Log identity, device, lane, SKU, discount %, manager notes, and video timestamp.
- Enforce in code: Set hard floors and caps; don’t rely on policy binders no one reads.
- Adopt step-up friction: MFA and dual control for actions with high loss potential.
- Alert humans, not dashboards: Push real-time notifications to a district leader or asset protection analyst when extraordinary events occur.
- Review and rotate: Credential rotation and privilege reviews tied to staffing changes; disable accounts the day a manager leaves.
- Reward whistleblowing: Confidential channels and credible follow-through reduce the time to detection.
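The "Enforce in code" and "Adopt step-up friction" steps, together with the SKU-aware caps, price floors and dual authorization listed under "What robust controls look like", can be combined into one deny-by-default check. This is an added example, not the article's or any retailer's code; every threshold, SKU id, price and role name is hypothetical.

```python
from dataclasses import dataclass

# Hypothetical policy values; the article leaves the real thresholds open.
SELF_SERVICE_PCT = {"cashier": 5, "manager": 10}  # tiered limits with no approval
DUAL_CONTROL_PCT = 20                             # above this, two managers approve
DEFAULT_SKU = {"cap_pct": 30, "floor_cents": 0}
SKU_POLICY = {                                    # constructed high-risk SKU entry
    "LAPTOP-PREMIUM-01": {"cap_pct": 15, "floor_cents": 170_000},
}

@dataclass(frozen=True)
class Approval:
    user_id: str
    role: str
    mfa_verified: bool

def authorize_discount(sku, list_cents, pct, requester_id, requester_role, approvals):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    policy = SKU_POLICY.get(sku, DEFAULT_SKU)
    if not 0 <= pct <= 100:
        return False, "invalid-percent"
    if pct > policy["cap_pct"]:
        return False, "exceeds-sku-cap"           # hard stop, no in-store override
    if list_cents * (100 - pct) // 100 < policy["floor_cents"]:
        return False, "below-price-floor"
    if pct <= SELF_SERVICE_PCT.get(requester_role, 0):
        return True, "within-role-limit"
    # Count distinct MFA-verified managers, never the person asking.
    approvers = {a.user_id for a in approvals
                 if a.role == "manager" and a.mfa_verified and a.user_id != requester_id}
    needed = 2 if pct > DUAL_CONTROL_PCT else 1
    if len(approvers) < needed:
        return False, f"needs-{needed}-approvals"
    return True, "approved"

if __name__ == "__main__":
    m1, m2 = Approval("m1", "manager", True), Approval("m2", "manager", True)
    print(authorize_discount("LAPTOP-PREMIUM-01", 199_900, 99, "c7", "cashier", [m1, m2]))
    print(authorize_discount("LAPTOP-PREMIUM-01", 199_900, 15, "c7", "cashier", [m1]))
    print(authorize_discount("CABLE-01", 2_000, 25, "m1", "manager", [m1, m2]))
```

The 99% request fails on the SKU cap even with two valid approvals, and the manager's own approval does not count toward the two required for their own 25% request.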
For shoppers: are you affected?
- Customer data risk: This kind of scheme usually targets inventory, not personal data. However, any insider abuse raises concerns about whether other systems are well-governed.
- Price integrity: Expect fewer ad-hoc deep discounts on premium electronics if retailers clamp down, and more formalized, traceable price adjustments.
The bigger picture
The story is a parable about design: if the easiest path to satisfy a customer requires a god-mode PIN, someone will eventually use that PIN for something else. Good systems separate convenience from control. They add identity, context, and accountability without drowning staff in clicks. In 2026, with cheap MFA, lightweight risk engines, and off-the-shelf anomaly detection, “we didn’t know until the inventory count” is less an explanation than an indictment of priorities.
Key takeaways
- Insider exploits of override pathways are a predictable failure mode in retail POS.
- Apple devices’ high resale value and low typical discounting make them prime targets for this kind of abuse.
- Strong controls combine identity, policy-in-code, real-time detection, and cultural reinforcement.
- Retailers can add selective friction—dual approvals, MFA, SKU-aware caps—without breaking the checkout experience.
FAQ
What is a manager override?
A privileged approval inside the POS that authorizes actions a cashier can’t perform alone, such as large discounts, returns without receipts, or price matches beyond policy.
How could a 99% discount even be possible?
If the POS doesn’t enforce floor prices or maximum discount percentages in code, an authorized override can set extreme values. Systems designed around policy rather than hard limits can be permissive by default.
Would multi-factor authentication have stopped this?
MFA raises the bar but isn’t sufficient alone. The most effective pattern for extreme discounts is dual authorization with two separate identities, each using MFA, plus hard caps and real-time alerts.
Are customers’ personal data at risk in cases like this?
Typically, no. The alleged behavior targets inventory value, not customer accounts. That said, any misuse of internal credentials prompts broader security reviews.
Why focus so much on Apple gear?
It’s compact, expensive, and sells quickly in secondary markets. That combination makes losses both tempting and damaging.
Is this just a Best Buy problem?
No. The override paradox exists across retail. Any chain using shared codes or weak approval workflows is exposed.
What should Best Buy and others do now?
Implement SKU-aware discount caps, require two-person approval for high-risk overrides, bind approvals to unique, MFA-protected identities, and deploy real-time exception analytics tied to automatic video bookmarking.
Source & original reading: https://arstechnica.com/tech-policy/2026/02/best-buy-worker-used-managers-code-to-get-99-off-macbooks-cops-say/