Risk Factor


Two Critical U.S. Dams at High Risk From Insider Cyber Threats

The U.S. Bureau of Reclamation, a part of the Interior Department, operates more than 600 of the roughly 100,000 dams in the United States, five of which are considered part of the national critical infrastructure. This means that the incapacitation or destruction of any of the Glen Canyon Dam in Arizona, the Shasta or Folsom Dams in California, the Hoover Dam in Nevada, or the Grand Coulee Dam in Washington State would, in the Department of Homeland Security’s words, “have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

The Interior Department’s Inspector General released a report (pdf) this week stating that two of the dams’ industrial control systems, while appearing secure against remote attack, operate “at high risk from insider threats.” The report, which does not identify the two dams in question because of security concerns, lists a number of rudimentary cybersecurity practices that were not being followed. These included limiting system administrator access to the control systems and conducting rigorous background checks on individuals granted system privileges.


Canadian Government’s Phoenix Pay System an “Incomprehensible Failure”

Canadian Auditor General Michael Ferguson’s latest assessment of the country’s misbegotten attempt to develop a new government-wide payroll system was blunt: “The building and implementation of Phoenix was an incomprehensible failure of project management and oversight… Overall, we found that there was no oversight of the Phoenix project, which allowed Phoenix executives to implement the system even though they knew it had significant problems.”

As a result of world-class project mismanagement on the Phoenix project, the Canadian government now owns and operates a payroll system “that so far has been less efficient and more costly than the 40-year-old system it replaced,” Ferguson states.


Automated Facial Recognition: Menace, Farce, or Both?

The American Civil Liberties Union (ACLU) and several other groups dedicated to protecting civil rights and liberties recently sent a letter (pdf) to Amazon demanding that it stop selling its automated facial recognition (AFR) system called Rekognition to government agencies, especially police departments. According to the groups, doing so “poses a grave threat to customers and communities across the country.”

In its letter, the ACLU argues that Amazon, which has in the past opposed secret government surveillance, should not be in the business of selling AFR technology that the company claims can “identify people in real-time by instantaneously searching databases containing tens of millions of faces.” Further, the ACLU insists, Rekognition’s capability to track “persons of interest,” coupled with its other features which “read like a user manual for authoritarian surveillance,” lends itself to the violation and abuse of individuals’ civil rights.


The U.S. Defense Department's Deeply Flawed Electronic Health Records Program

A US $4.3 billion electronic health records program for the U.S. Department of Defense is “neither operationally effective nor operationally suitable,” according to a recently released memo and report from the agency’s director of operational test and evaluation.

Robert Behler pulled no punches in his assessment of the new Military Health System Genesis program, also known as MHS Genesis, and its nascent rollout at three military treatment facilities.

“MHS GENESIS is not operationally effective because it does not demonstrate enough workable functionality to manage and document patient care,” he states. “MHS GENESIS is not operationally suitable because of poor system usability, insufficient training, and inadequate help desk support.”

In his report, Behler indicated that a fourth treatment facility wasn’t assessed because officials wanted a chance to fix the plethora of problems found at the other three sites first.

This may sound like a damning indictment of the program, but according to those in charge of MHS Genesis, everything is going according to plan.


450,000 Women Missed Breast Cancer Screenings Due to “Algorithm Failure”

Nearly half a million elderly women in the United Kingdom missed mammography exams because of a scheduling error caused by one incorrect computer algorithm, and several hundred of those women may have died early as a result.

Last week, U.K. Health Minister Jeremy Hunt announced that an independent inquiry had been launched to determine how a “computer algorithm failure” stretching back to 2009 caused some 450,000 patients in England between the ages of 68 and 71 to not be invited for their final breast cancer screenings.

The errant algorithm was in the National Health Service’s (NHS) breast cancer screening scheduling software, and remained undiscovered for nine years.

A customer using the TSB Online banking app on an iPhone reads a message from TSB CEO Paul Pester apologizing for IT issues which left online customers unable to access their money and some able to see other people's accounts.

New Software System Snags TSB’s Online and Mobile Banking Customers

Paul Pester, chief executive of TSB bank in the United Kingdom, expressed his regret Wednesday during a Parliamentary Treasury Committee inquiry into the service disruptions caused by the bank’s move to a new IT system. Pester was especially remorseful since his decision has severely damaged the bank’s reputation, infuriated tens if not hundreds of thousands of customers who could not access their bank accounts, and so far has cost Pester an “integration bonus” of at least £1.6 million, if not eventually his job.


IRS Warned Congress of “Catastrophic System Failure” Six Months Before Tax Day Outage

On 17 April 2018, the final day for U.S. citizens to file 2017 tax returns, the U.S. Internal Revenue Service (IRS) suffered a major system failure related to the hardware supporting its 58-year-old, 20-million-line COBOL-based Individual Master File system (pdf), which is still used today to process the vast majority of individual tax returns. As a result of the failure, the IRS extended the filing due date by a day.

Back in 2016, there was another hardware failure that affected the electronic filing of annual tax returns, but luckily, that event happened in February rather than on the April filing due date when millions of returns are typically sent in.


FTC Puts Uber on a Short Leash for Security Breaches

It’s not nice―or smart―to deceive the U.S. Federal Trade Commission, especially while you’re in negotiations with the agency over penalties it’s going to impose for previously being dishonest.

Last August, the ride-hailing company Uber entered into a consent agreement with the FTC regarding its supposedly “securely stored” and “closely monitored” (pdf) customer and driver information. Uber bragged that it was using “the most up-to-date technology and services to ensure that none of these are compromised,” and promised that information was “encrypted to the highest security standards available.”

Alas, the FTC found these claims were more chimera than reality. As a consequence of its lackadaisical security practices, Uber experienced a data breach in May 2014 that allowed attackers to access the names and driver’s licenses of 100,000 Uber drivers, along with many of the drivers’ bank accounts and Social Security numbers.


Samsung Securities' $105 Billion Fat-Finger Share Error Triggers Urgent Regulator Inquiry

Last week, an employee of Samsung Securities Co., Samsung Group’s stock-trading entity and one of the largest trading companies in South Korea, accidentally issued shares worth some $105 billion to 2,018 of its employees who are members of its stock-owner program. The employees in the program were supposed to receive a dividend totaling 2 billion won (or about $0.93 per share they owned), but were mistakenly issued 2 billion shares instead. The amount issued was more than 30 times the total number of outstanding Samsung Securities’ shares.

Embarrassingly, Samsung Securities admitted that it took 37 minutes to fix what had occurred after it became aware of the problem. Even more humiliating, sixteen Samsung Securities employees were still able to sell off some 5 million shares of their payout, despite repeatedly being warned not to do so by their managers. Perhaps the warnings were ignored because they were able to make about 10 billion won ($9.3 million) each. Four other employees tried to sell their shares, but their trades were stopped before being completed.


Commonwealth Bank of Australia Tries to Explain Coding Errors Found After 4 Years

The Commonwealth Bank of Australia, the country’s largest bank, finally got around to explaining last week why two software coding errors first disclosed in 2016 lay hidden for more than four years. The errors allowed the approval of personal overdrafts for 9,577 of its customers that should have been declined, while also approving another 1,152 customers for higher overdraft limits than they were qualified for. Many of the customers were in financial distress, and the erroneous approvals allowed them to dig themselves into even deeper financial trouble. The interest rate the bank charged customers on an overdraft was a hefty 16.6 percent.

The coding errors were introduced in July 2011 when the bank deployed an automated decision tool to process customer overdraft applications, but the problems weren’t discovered until September 2015. During the calculations that decided whether a customer could actually afford an overdraft, one software error in the decision tool’s algorithm failed to count a customer’s rental expenses, while another error read the wrong data field when determining a customer’s overall household expenditure. The result was that a customer’s true expenses were likely underestimated or under-assessed. The Australian Securities and Investments Commission (ASIC) fined the bank AU $180,000 for the coding errors, on top of the AU $2.5 million the bank had to write off in customer loan balances.

How was the error discovered?
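The two defects described above are easy to reconstruct in miniature. The following is an added illustration, not the bank’s decision tool or any code from the article: a hypothetical affordability check in which the “buggy” path omits rent and reads a stale summary field for household spending, beside the corrected path, plus a regression check that re-scores applicants under both and reports whose decision flips. The record layout, field names, sample applicants and figures are all constructed for the example; the 16.6 percent overdraft rate is the one quoted in the text.

```python
"""Reconstruction (illustrative, not CBA's code) of an overdraft affordability
check with the two defects the article describes, and a regression check that
finds applicants whose approve/decline decision the defects silently flipped."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Applicant:
    name: str
    monthly_income: float
    # Hypothetical record layout: the applicant's own itemised monthly expenses,
    # plus a stale summary field that the buggy path reads by mistake.
    expenses: Dict[str, float] = field(default_factory=dict)
    legacy_household_estimate: float = 0.0


def monthly_expenses(app: Applicant, include_rent: bool = True,
                     use_correct_field: bool = True) -> float:
    """Total monthly outgoings. The two flags reproduce the two defects."""
    if use_correct_field:
        household = app.expenses.get("household", 0.0)
    else:
        household = app.legacy_household_estimate      # defect 2: wrong data field
    rent = app.expenses.get("rent", 0.0) if include_rent else 0.0   # defect 1: rent dropped
    other = sum(v for k, v in app.expenses.items() if k not in ("household", "rent"))
    return household + rent + other


def monthly_overdraft_cost(limit: float, annual_rate: float) -> float:
    """Interest on a fully drawn overdraft, spread over a month."""
    return limit * annual_rate / 12


def assess(app: Applicant, limit: float, annual_rate: float = 0.166,
           buggy: bool = False) -> dict:
    """Approve when income covers expenses plus the cost of servicing the limit."""
    expenses = monthly_expenses(app, include_rent=not buggy, use_correct_field=not buggy)
    surplus = app.monthly_income - expenses - monthly_overdraft_cost(limit, annual_rate)
    return {"approved": surplus >= 0, "surplus": round(surplus, 2)}


def divergent_decisions(apps: List[Applicant], limit: float) -> List[Tuple[str, float, float]]:
    """Regression check: re-score every applicant with the corrected logic and
    return (name, buggy surplus, correct surplus) for any whose decision changes.
    A non-empty result is the signal that the earlier approvals must be reviewed."""
    flipped = []
    for app in apps:
        before = assess(app, limit, buggy=True)
        after = assess(app, limit, buggy=False)
        if before["approved"] != after["approved"]:
            flipped.append((app.name, before["surplus"], after["surplus"]))
    return flipped


# Constructed sample applicants (not real customer data).
SAMPLE = [
    # Rent is the largest outgoing and the legacy estimate is low: the buggy
    # path approves, the corrected path declines.
    Applicant("A", 3000.0,
              {"household": 1400.0, "rent": 1500.0, "transport": 250.0},
              legacy_household_estimate=900.0),
    # Comfortable surplus either way: no decision flip.
    Applicant("B", 5000.0,
              {"household": 1200.0, "rent": 1100.0},
              legacy_household_estimate=1200.0),
]

if __name__ == "__main__":
    for app in SAMPLE:
        print(app.name, "buggy:", assess(app, 2000.0, buggy=True),
              "corrected:", assess(app, 2000.0))
    print("decisions flipped by the defects:", divergent_decisions(SAMPLE, 2000.0))
```

The point of `divergent_decisions` is the part the article leaves open: once the defect is known, the cheap and decisive check is to re-run the corrected rule over the historical applications and count the decisions that change, which is exactly the population (9,577 wrongly approved, 1,152 over-limit) the bank eventually had to quantify.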


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City