Risk Factor iconRisk Factor

LAUSD Payroll System: From $95 million to $210 million


The LA Daily News reported on Sunday that the LA Unified School District (LAUSD) officials are now saying that its botched and blundered payroll system will likely cost upwards of $210 million when all is said and done. And if it is like any of the previous estimates, it is probably low by $25 to 35 million.

What's more, the newly estimated cost figure does not seem to include the $6 million in noncollectable over-payments to employees, the cost of its image consultants hired to put on a positive spin to the failure, and all the ancillary costs involved in correcting the payroll errors by everyone involved.

LAUSD officials furthermore say that to get to their projected error rate of 0.5 percent of monthly certified paychecks, teachers will have to give up the ability to get annualized pay (i.e., receiving twelve paychecks a year, instead of ten). This has not gone over well, since teachers fought for 25 years to get this benefit which was introduced only this past February when the new payroll system was introduced. The excuse for not doing so for the previous two decades plus was that the old payroll system couldn't compute the pay properly, but everyone was confident that the new and improved payroll system could. Well, it appears the new one can't either - I didn't know computers had problems normalizing using the number 12 as a base.

LAUSD officials also admit that they were over-optimistic, didn't know the project risks involved, did improper planning, scheduling and budgeting, etc., etc., but funny enough, they are having a hard time figuring out who was responsible for the mess in the first place. Must have been gremlins.

Finding Your Car at Heathrow

Jaguar-SS100-3.gif When the new $8 billion Terminal 5 opens in March of next year at London's Heathrow airport, you won't have to worry about remembering where you park your car. According to a story in USA Today, infrared cameras and sensors will be capturing a car's license plate as it enters the terminal's parking garage, and as the car makes its way inside the garage, additional cameras will be monitoring it. Cameras will also take a picture of where each car eventually ends up parking.

When passengers return from a flight, they can go to a kiosk and either enter their parking ticket or license plate number. The location of their car will then be displayed on a diagram of the parking terminal.

The parking garage will also have information telling passengers where there is open parking. You can read a story about smart parking technology in a story I wrote for IEEE Spectrum on-line here.

In a related parking story, also from USA Today, it seems that because parking is at such a premium in many areas of Britain, that fast-food restaurants like McDonald's are warning customers to eat up in 45 minutes or risk a parking fine of $150, while supermarkets and department stores, including British retail giant Tesco, are warning shoppers they too will be fined if they park for more than two or three hours. Just like at Heathrow, cameras are being used to identify the cars overstaying the parking time limits.

Cell Phone and Landline Spending Practically Equal in 2006


Data from the Bureau of Labor Statisticsâ'' Consumer Expenditure Survey (CE) show that cellular phone expenditures increased rapidly from 2001 through 2006. When coupled with a decrease in spending on residential landline phone services (residential phone services) over the same period, spending on the two types of services were practically equal in 2006.

According to the Bureau of Labor Statistics, expenditures for cellular phone services per consumer unit rose from $210 in 2001 to $524 in 2006, an increase of 149 percent. Expenditures for residential phone services per consumer unit fell from $686 in 2001 to $542 in 2006, a decline of 21 percent.

The Bureau of Labor Statistics provided no guess as to when landlines will be going the way of the telegraph.

More Lost UK Citizen Info: This Time in the US

The London Times reports that Ruth Kelly, the Transport Secretary, told MPs today that the personal details of three million UK learner drivers have been lost this past May. The data, which contained contained the name of the test applicant, their mail address and telephone number but no details of any individualâ''s bank account or credit card, was housed on a hard drive in the Iowa City offices of Pearson Driving Assessments Ltd, a company employed by the Driver and Vehicle Licensing Agency.

This unexpected disclosure came as Ms. Kelly was being asked to talk about the recent loss of two unencrypted computer discs containing the names and addresses of over 6,000 motorists in Northern Ireland.

In other news, the interim report of the "Poynter Review" investigating the loss of CDs containing the personal details of 25 million UK citizens that was expected last Friday appears not to be forthcoming after all. Now it looks like everyone is going to have to wait until the full report is finished, supposedly by June of next year, pending, of course, the amount of embarrassing information it contains.

Though no reasons was given, I suspect part of it was this little exchange during Parliamentary questioning of Mr. David Hartnett, acting Director of HM Revenue and Customs (HMRC).

"Q356 Mr Todd: I suppose one of the puzzles to anyone who knows anything about the systems is that it was actually technically possible to do this. Not that some senior manager did not know about it; it should not have been possible for one individual member of staff to produce a file of this kind and despatch it; there should have been a built in bar in your system which required some sort of intervention to achieve that outcome. That has been a puzzle to me from the start. Can you throw any light on that?

Mr Hartnett: Mr Todd, it is a puzzle to me as well, I have to say, but let me explain what was going on here because I think it may help. I think Kieran Poynter's work really has got to help us with this. The data that was in Waterview Park in the North East was drawn off from the child benefit computer system. That is in a different building and it was needed for what we call claimant compliance, to check that we were paying child benefit in circumstances where it was due. It was brought to Waterview Park and loaded up on to a secure, stand-alone desk-top computer in a secure environment, and from that the people with access to it draw off samples for our claimant compliance people with our people saying, "This is the sort of sample I need." The emails are interesting in this context, because they show no expectation at all that the data would ever have left our offices, but I think you are onto a crucial question, and that is how on earth was it possible ever to draw down a full copy? At the moment I know it clearly was possible, but---

Q357 Mr Todd: That is an issue of system design.

Mr Hartnett: Exactly; absolutely."

So, from this and other bits of Harnett's testimony, it is clear that there is a systemic security problem at HM Revenue and Customs, even as Prime Minister Gordon Brown insists there isn't.

Expect Mr. Hartnett to be shown the door early next year - I bet he'll be "wanting to spend more time with his family."

Parking In Trondheim Norway? Bring Lots of Money

parking-meter.gif The AP wire service reported yesterday that last Wednesday a computer problem caused a parking machine dispensing windshield parking permits to multiply the amount of time a motorist bought using their bank debit cards by 10,000, and automatically deducted it from their bank accounts. At least 26 motorists in the central Norwegian city of Trondheim were affected.

Motorists who parked were charged between $37,000 and $148,000, which resulted in over-drawn and frozen bank accounts.

City and bank officials said that they are trying to clear the accounts by the end of this weekend.

The parking company offered no explanation on why the error occurred only on this one machine.

UK Data Protection Rules: Too Sensitive to Share

Top-Secret.gif The Guardian newspaper is reporting today that there is an official HM Revenue and Customs (HMRC) manual describing official, strict instructions on how to share confidential information with other government departments. Unfortunately, the information contained within the manual was thought to be too sensitive to share will the staff at HMRC so instead only a few senior civil servants had access to it.

As you may recall, when the loss of the data was first announced by the UK government, it blamed junior civil servants for not following the rules. Now it appears the junior staff are not trusted with knowing what the rules are, but they will be help liable if they violate them. Sounds a little Kafkaesque.

The Guardian also reports that it has cost £2m in postage alone to send letters warning those whose data was lost that they should consider changing their bank passwords and pin numbers to prevent fraud.

Yes, Virginia: IT Security Does Seem to Be Getting Worse

USA Today reported this week that more than 162 million personal records have been reported lost or stolen in 2007, triple the 49.7 million that were reported missing in 2006.

The story notes that: "Volunteers at Attrition.org keep track of incidents, mostly in the USA, many of which are made public to meet new data-loss-disclosure laws. Of more than 300 cases tracked in 2007, 261 were reported in the USA, 16 in Great Britain, 15 in Canada, six in Japan, two in Australia, and one each in Denmark, Ireland, Sweden and Norway."

This is likely an undercount, since when the story was written, the latest cases in the Canada and the UK were not yet reported.

The story also noted that arrests or prosecutions have been reported in just 19 cases.

Okay, there is just a little under three weeks until 2008. Any guess for the final 2007 tally as provided by Attrition.org? I figure it will be around 170 million - I'm counting on the good folks in the UK government to help make the number.

Grab the Waders: UK Flood of Lost Personal Info

wading-boots-2.gif The Driver and Vehicle Agency in Coleraine, Co Derry has admitted Tuesday that two unencrypted computer discs containing the names and addresses of over 6 000 motorists in Northern Ireland have been lost in the post.

Separately, the HM Prison Service disclosed that confidential personal details of dozens of prisoners intended to be sent to Norfolk police were instead delivered to a private company. The letters gave names, criminal histories and addresses of more than 40 serious offenders that were being released - including pedophiles.

Similarly, the National Health Service (NHS) that Sefton Primary Care Trust has sent thousands of staff records to four private companies by mistake. The personal details included dates of birth, national insurance numbers, pensions and salary details.

Then yesterday, the NHS also confirmed that a computer disc containing the names, dates of birth and addresses of 160,000 children data was sent to St Leonard's Hospital in Hackney but failed to reach the right department - even though it was signed for by hospital staff. At least in this case, the data was encrypted using a 256 bit cipher.

UK Data Loss: No Harm, No Foul

CD_Object.gif UK Prime Minister Gordon Brown was asked MP Edward Leigh during a meeting with the Parliamentary IT body Pitcom about the IT security issues at HM Revenue and Customs (HMRC) and whether they represented a systemic failure. According to the Register, Brown said there was a difference between rules not being followed and failure of procedures and systems. (True, but irrelevant.)

Brown also added that no one had lost any money.

Right then, no harm, no foul. Play on!

Déjà vu - Sensitive Canadian Data Missing in Post

It is being reported by CTV.CA that private medical information on 140 British Columbia and 480 New Brunswick residents contained on four unencrypted magnetic tapes disappeared. Information on the tapes includes names, Medical Services Plan numbers, birth dates and possibly some description of services rendered and the costs of those services.

The information was "misplaced" on October 5, but New Brunswick medicare authorities were not made aware of the loss until Oct. 25. The province's director of medicare operations did not know about the vanished information until Nov. 29.

B.C. Information and Privacy Commissioner David Loukidelis who is investigating the loss said that he was "appalled that health information is being transmitted in such an insecure way."


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City
Load More