Accident Details

Domain: Accountancy
Year: 1999
Data Categories: Dynamic
Properties Lost: Integrity, Completeness, Traceability, Verifiability, History
Summary:
Non-atomic transactions and other errors in accounting software lead to false prosecutions, lost livelihoods, and suicides.
Details:
Post Office Limited is a company wholly owned by the UK government, and provides a variety of counter services to the general public. These include postal services, banking services including currency exchange, issue of international driving permits, driving licence renewals, passport application checks, benefits payments, and various other services. A small number of branches are operated by Post Office Limited itself (“Crown Post Offices”), but the vast majority are operated under contract (“Branch Post Offices”) by independent persons known as subpostmasters (SPMs).
In the 1990s, Post Office Counters Limited (POCL, the name at that time for what would become Post Office Limited), the Department of Social Security (the government department at that time responsible for the Post Office) and ICL agreed to replace the paper-based accounting scheme at Post Office branches with an electronic system, in particular to allow the payment of benefits by electronic transfer instead of cash. A pilot system known as Pathway was rolled out to a small number of branches in 1996, but was subsequently abandoned due to “greater than expected complexity”. However, POCL and ICL decided to continue with a system based on Pathway to automate branch post offices. ICL was acquired by Fujitsu in 1998, and the resulting system, known as Horizon (now known as Legacy Horizon), was rolled out from 1999. A version that combined management accounting functions and electronic point-of-sale functions, Horizon Online, was rolled out from 2010.
From the outset, Horizon has been a data-driven system “in which any requirement which might change frequently is encoded as data, rather than software code. The code is written and tested to work with all allowed values of the data” [13]. Shortly after the introduction of (legacy) Horizon, there was a sharp increase in SPMs reporting accounting shortfalls; the products that Horizon showed they had sold far exceeded the money the SPMs had taken.
However, unlike the paper system, Horizon did not allow SPMs any access to the transaction records, so they were unable to trace the cause of the discrepancy. Under the terms of their contract with Post Office Limited, the SPMs were obliged to make good any shortfall unless they could prove they were not at fault. Without access to the accounting trail there was no possible way for them to do that. Following the rollout of Horizon, Post Office Limited “prosecuted more than 700 SPMs for crimes such as theft and false accounting. Hundreds of SPMs were sent to prison and many more received punishments such as being forced to do community service and having to wear electronic tags. [...] Hundreds were made bankrupt, losing their livelihood, and many struggled after being forced to pay the Post Office to cover shortfalls that didn’t exist outside the Horizon system. The lives of the victims and their families were severely impacted, with several suicides linked to the scandal and many cases of illness caused by stress.” [14]. The shortfalls were eventually found to have been due to faults in the Horizon system and to Fujitsu staff changing the accounts, apparently on the instruction of the Post Office, without the knowledge of the SPMs.
The false prosecutions resulting from the faults in the Horizon system are at the time of writing subject to a public inquiry. The Criminal Cases Review Commission (CCRC) described the prosecutions as “the most widespread miscarriage of justice the CCRC has ever seen and represents the biggest single series of wrongful convictions in British legal history” [15]. The data issues included:
- Neither SPMs nor Post Office Limited were able to access the full data necessary to identify the source of accounting discrepancies [16, §995] and in particular SPMs’ “ability to investigate was itself similarly limited. The expert agreement [...] makes it clear in IT terms (based on the transaction data and reporting functions available to SPMs) that SPMs simply could not identify apparent or alleged discrepancies and shortfalls, their causes, nor access or properly identify transactions recorded on Horizon, themselves. They required the co-operation of the Post Office” [16, §1000].
- Change control processes for the data representing the products and services provided were inadequate [13, §54].
- Transactions within Horizon were not atomic, so transactional integrity was not maintained: if a transaction failed, the payment for the goods or service could be recorded without showing on the SPM’s point of sale system. In that case SPMs were instructed to retry the transaction, so the payment would be recorded multiple times for a single transaction. Possible causes of failure of a transaction included the speed with which a button on the point-of-sale terminal was pressed [16, §113].
- Horizon did not maintain correct double-entry bookkeeping even within transactions that were completed normally [13, §128ff].
- Fujitsu, apparently on Post Office Limited’s instruction, changed accounting transactions without the knowledge of the SPMs responsible for those transactions [13, §61.4].
- Records were not kept of the occasions accounting transactions were altered by Fujitsu [16, §1013, §1014].
- Post Office Limited staff were given unnecessary top-level security access to the accounting data [16, §390].
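The retry failure mode and the double-entry failure listed above can be reproduced in a few lines. The following is an added illustration, not Horizon code and not taken from the cited reports; the table layout, account names and transaction id are assumptions made for the example. It posts the same constructed sale through a non-atomic path and through an atomic, idempotent one, with a failure injected after the first ledger line.

```python
import sqlite3

# Constructed sample: one 10.00 sale in pence; debit (+) and credit (-) sum to zero.
SALE = [("cash_due_from_branch", 1000), ("sales", -1000)]

def open_ledger():
    db = sqlite3.connect(":memory:", isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    db.executescript("""
        CREATE TABLE txn(id TEXT PRIMARY KEY);
        CREATE TABLE entry(txn_id TEXT, account TEXT, pence INTEGER);
    """)
    return db

def post_naive(db, txn_id, lines, fail_after=None):
    """Non-atomic: each line is committed by itself, so a failure leaves half a transaction."""
    for i, (account, pence) in enumerate(lines):
        if i == fail_after:
            raise ConnectionError("simulated failure mid-transaction")
        db.execute("INSERT INTO entry VALUES (?, ?, ?)", (txn_id, account, pence))

def post_atomic(db, txn_id, lines, fail_after=None):
    """All lines commit together or not at all; re-posting the same txn_id is a no-op."""
    if sum(pence for _, pence in lines) != 0:
        raise ValueError("unbalanced transaction: debits must equal credits")
    db.execute("BEGIN IMMEDIATE")
    try:
        db.execute("INSERT INTO txn VALUES (?)", (txn_id,))  # primary key rejects a duplicate id
        for i, (account, pence) in enumerate(lines):
            if i == fail_after:
                raise ConnectionError("simulated failure mid-transaction")
            db.execute("INSERT INTO entry VALUES (?, ?, ?)", (txn_id, account, pence))
        db.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        db.execute("ROLLBACK")
        return False  # already posted by an earlier attempt
    except Exception:
        db.execute("ROLLBACK")
        raise

def sell_with_retry(post):
    """First attempt fails after one line, then the same sale is retried."""
    db = open_ledger()
    try:
        post(db, "T-0001", SALE, fail_after=1)
    except ConnectionError:
        post(db, "T-0001", SALE)
    cash = db.execute("SELECT SUM(pence) FROM entry WHERE account = ?", (SALE[0][0],)).fetchone()[0]
    total = db.execute("SELECT SUM(pence) FROM entry").fetchone()[0]
    return cash, total  # total != 0 means the books no longer balance
```

With `post_naive` the branch ends up owing twice the value of the single sale and the ledger no longer sums to zero; with `post_atomic` the failed attempt leaves no trace and the retry posts exactly once.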
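The last three issues (changes made without the account holder's knowledge, no record of those changes, and over-broad access) are what an append-only, tamper-evident correction log addresses. The sketch below is an added example, not part of Horizon or of the cited reports; the field names and sample values are constructed. Each correction is chained to the previous one by SHA-256, and the head hash is assumed to be handed to the account holder, since a chain alone can be rewritten wholesale by anyone with full write access.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log, actor, branch, txn_id, change, reason):
    """Record who changed which transaction, how and why; returns the new head hash."""
    record = {"seq": len(log), "actor": actor, "branch": branch,
              "txn_id": txn_id, "change": change, "reason": reason}
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({**record, "prev": prev_hash, "hash": _digest(prev_hash, record)})
    return log[-1]["hash"]

def verify(log, expected_head=None):
    """Return the index of the first inconsistent entry, or None if the log is intact.

    expected_head is the head hash held outside the system (assumption: by the
    account holder); without it, removal of the newest entries goes unnoticed.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if (entry["seq"] != i or entry["prev"] != prev_hash
                or entry["hash"] != _digest(prev_hash, record)):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)  # entries were removed from, or added to, the end
    return None

if __name__ == "__main__":
    log = []  # constructed sample corrections
    append(log, "support-user-1", "BRANCH-A", "T-0001",
           {"account": "cash_due_from_branch", "pence": -1000}, "duplicate posting reversed")
    head = append(log, "support-user-2", "BRANCH-A", "T-0007",
                  {"account": "sales", "pence": 250}, "mis-keyed amount")
    print("intact:", verify(log, head) is None)
    log[0]["change"]["pence"] = -100  # silent edit of an earlier correction
    print("first bad entry:", verify(log, head))
```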
Links:
- A general overview of the events: https://en.wikipedia.org/wiki/British_Post_Office_scandal (accessed 22 January 2025)