In a shocking incident that has sparked debate across India’s startup ecosystem, a newly hired employee at Gully Labs allegedly created unauthorized 100% discount codes, purchased shoes worth nearly ₹2 lakh, and resigned shortly after the orders were placed. The episode has raised serious questions about internal controls, hiring processes, and digital security within fast-growing consumer brands like Gully Labs.
The incident not only highlights vulnerabilities in e-commerce systems but also serves as a cautionary tale for startups scaling rapidly without robust oversight mechanisms.
What Happened at Gully Labs?
According to internal sources and reports circulating online, the employee had access to the backend system of Gully Labs, a popular Indian sneaker and streetwear brand known for its limited-edition drops and youth-focused branding. Within a short span of joining the company, the individual allegedly generated multiple 100% discount codes.
Using these codes, the employee reportedly ordered high-value sneakers totaling approximately ₹2 lakh. Since the discount codes applied a full waiver, the orders were processed without payment. Soon after placing the orders, the employee resigned from the company.
The unusual activity was later detected by the company’s internal monitoring systems, triggering an internal investigation.
About Gully Labs
Gully Labs has gained traction in India’s fashion and sneaker community for blending street culture with contemporary design. The brand has positioned itself as a homegrown alternative to international sneaker labels, focusing on limited collections, bold marketing, and influencer collaborations.
With the Indian streetwear market expanding rapidly, companies like Gully Labs have been scaling their operations to meet growing demand. However, rapid growth can sometimes expose operational gaps—especially in areas such as access control and internal compliance.
How Could This Happen?
The alleged misuse at Gully Labs appears to have stemmed from backend access privileges. In many e-commerce businesses, marketing or operations teams are given access to generate promotional discount codes for campaigns, influencers, or special sales.
If proper approval workflows and audit trails are not strictly enforced, such systems can be misused. Key vulnerabilities that may have contributed include:
- Lack of multi-level authorization for creating high-value discount codes
- Insufficient real-time monitoring of unusual bulk orders
- Weak access control for new employees
- Absence of spending thresholds or automated fraud alerts
Cybersecurity experts often warn that insider threats can be more dangerous than external hacking attempts. In this case, the issue appears to have originated from internal misuse rather than an outside cyberattack.
Legal and Financial Implications
If proven true, the actions could fall under fraud and breach of trust under Indian law. Companies have the right to pursue legal remedies in cases involving financial loss due to deliberate misconduct.
For Gully Labs, the immediate concern would be recovering the products or their monetary value. Additionally, such incidents can cause reputational damage, especially in a competitive market where brand trust plays a critical role.
Startups often operate in fast-paced environments, prioritizing growth and marketing innovation. However, this episode underscores the importance of governance structures even at early or mid-growth stages.
The Bigger Lesson for Indian Startups
The Gully Labs controversy is not just about one employee or one company—it reflects a broader challenge in India’s startup ecosystem.
As brands expand quickly, onboarding new employees and delegating backend access becomes routine. Without clearly defined security protocols, internal fraud risks increase. Companies must implement:
- Role-based access systems
- Strict approval hierarchies for financial actions
- Automated alerts for unusual transactions
- Regular internal audits
- Clear onboarding and exit procedures
Implementing such safeguards is not just about preventing losses—it’s about building a sustainable business model.
Industry Reaction
The story has gone viral on social media, where users expressed mixed reactions. Some criticized the employee’s actions as unethical and potentially criminal, while others questioned how a company allowed a new hire such unrestricted access in the first place.
For consumers, the incident does not necessarily reflect product quality or brand vision. However, transparency in addressing such issues will be crucial for Gully Labs to maintain customer trust.
Why Internal Controls Matter More Than Ever
With India’s direct-to-consumer (D2C) brands experiencing exponential growth, backend systems are becoming more complex. Promotional tools, coupon engines, and marketing integrations must be carefully monitored.
Companies like Gully Labs rely heavily on digital infrastructure. Even a single vulnerability—if exploited—can lead to significant losses.
As businesses adopt advanced tools for customer engagement, equal attention must be paid to risk management. This includes:
- Limiting access during probation periods
- Tracking IP addresses and user activity logs
- Setting financial caps on promotional campaigns
- Conducting regular cybersecurity assessments
What Happens Next?
Gully Labs is reportedly reviewing its internal systems and policies following the incident. While the full details remain under investigation, the company is expected to tighten security protocols to prevent similar misuse in the future.
Whether the matter escalates into a legal dispute remains to be seen. However, the episode serves as a strong reminder that internal fraud can occur even in well-intentioned organizations.
Conclusion
The alleged case involving Gully Labs—where a new employee created 100% discount codes, ordered shoes worth ₹2 lakh, and then resigned—highlights a crucial issue in today’s startup landscape: internal security cannot be an afterthought.
As India’s D2C sector grows, companies must balance innovation with accountability. Strong governance, strict access controls, and proactive monitoring are no longer optional—they are essential.
For Gully Labs, the incident may prove to be a temporary setback. But for the broader startup ecosystem, it’s a wake-up call about the importance of operational discipline in the digital age.
