Topics like Generative AI are deservedly receiving a lot of attention regarding software and data trust these days, but another software trust story that caught my attention is the U.K. Post Office Scandal, something I first started reading about in 2023. The scandal is centered around a dystopian software solution that turned on its sub-postmaster users, falsely charging over 900 with theft, sending over 200 to prison (including at least one who was pregnant), ruining countless lives, and is morally responsible for least four suicides. And this from accounting software. Accounting software. Accounting software should be predictable and boring, not falsely send people to prison. The story defied belief, yet it was true.
The U.K. Post Office Scandal should be required software ethics reading for all software professionals, whether a student or grizzled veteran. The story is massive and deserves an entire book, but these are some of the major points as I understand them.
Who Owns What
To a U.K.-outsider, the Royal Mail and the U.K. Post Office sound like the same thing, but they are not. Their origins date roughly to the 16th and 17th centuries and through other now-defunct governmental entities such as the General Post Office, but have diverged in the recent years. The U.K. Post Office is a private company owned by the British Government. The Royal Mail started selling shares publicly in 2011, and when the British Government sold off their remaining stake in 2015, it made the Royal Mail an entirely private and non-governmental entity. We’ll come back to this later.
Horizon
The scandal centers around an accounting and financial system called Horizon, which was implemented by Fujitsu in 1999 under contract from the Post Office. Branches were moving from paper-based accounting, which had been in place for hundreds of years. The desire to convert to digital was not entirely crazy, at least on paper (bad pun intended).
Sub-postmasters ran the approximately 11,000 local branches of the Post Office. They were self-employed and under contract from the Post Office, and not Post Office employees. While this relationship was not new at the time of Horizon, it would be the foundation of an adversarial dynamic. Additionally, the sub-postmasters’ contract with the Post Office stated explicitly that they were liable for shortfalls. This was the critical paragraph:
- “The Operator shall be fully liable for any loss of or damage to, any Post Office Cash and Stock (however this occurs and whether it occurs as a result of any negligence by the Operator, its Personnel or otherwise, or as a result of any breach of the Agreement by the Operator)… Any deficiencies in stocks of Products and/or any resulting shortfall in the money payable to Post Office Ltd. must be made good by the Operator without delay so that, in the case of any shortfall, Post Office Ltd. is paid the full amount.”
With the old paper-based system, the sub-postmasters had full access to all records for an audit. With Horizon, the sub-postmasters effectively had to trust the system. If Horizon said a sub-postmaster was short, then the sub-postmaster was short and had make up the difference themselves … or else. Remember how the Post Office was owned by the British Government? That made Horizon issues not just civil, because the Post Office can act as a prosecutor for criminal charges.
In terms of the financial scale of the project, Fujitsu’s contract for the Horizon implementation was the largest non-military contract in Europe at the time. When government contracts get this big, they also can get political in very weird ways, where truth and accuracy become precious.
The scene was already set for something ominous, but it got worse. Horizon had originally been created in 1996 by computer company ICL (acquired by Fujitsu in 1998) as a swipe-card system for payment of pensions and benefits from Post Office branch counters. By 1999, the House of Commons public accounts committee deemed it “one of the biggest failures in the public sector” at a cost of £700 million (nearly U.S.$900 million). Rather than write the project off, to save face this software mess was repurposed. This is what the Post Office started using in 1999 as the foundation of its branch accounting system. Yikes.
The Prosecutions
Problems with Horizon started almost immediately, with shortfalls appearing out of nowhere and increasingly, literally in front of sub-postmasters’ eyes. They weren’t rounding errors, either—shortfalls were hundreds of pounds, thousands of pounds, tens of thousands of pounds, and more. These were large and life-affecting amounts of money.
When sub-postmasters complained of Horizon issues, Fujitsu and the Post Office both insisted that they were the only ones having problems, and whatever was happening was their own fault. That deliberate gaslighting went on for years.
The Post Office pursued payment on shortfalls, and failing that, prosecuted with vengeance. The Martin Griffiths case is archetypal. He had already been running a Post Office branch for 14 years, but four-figure discrepancies started showing up by 2009. By 2011, the discrepancies grew to £23,000. Between January 2012 and October 2013, another £57,000 went “missing.” Griffiths had to turn to his parents, who lent him their life savings. There were almost 1,000 other instances of this, ending in a combination of termination, bankruptcy, or prison. Or all three. Griffiths later stepped in front of a bus.
On top of the malignant software, the sub-postmasters had a feeling there was a ghost in the machine and that somebody was accessing and modifying their accounts without their knowledge. The Post Office insisted for years that nobody had access to branch accounts and this was impossible. Naturally, that was exactly what Fujitsu was doing behind the scenes.
The Investigations and Re-Assurances
Alan Bates, a former sub-postmaster, led a home-grown response for his own case and other sub-postmasters after his contract was terminated in 2003 due to shortfalls in Horizon.
National Federation of Sub-Postmasters is an organization founded in 1897 with the goal to “improve the conditions under which subpostmasters labour and to undertake the advancement of our interests by all legitimate and honourable means.” This sounds exactly like an organization that would come to the aid of affected sub-postmasters. However, the organization was insisting as late as 2015 that the system was “robust.” The sub-postmasters were truly on their own.
Computer Weekly broke the story in 2009 through the efforts of Alan Bates and other sub-postmasters. The news satire magazine Private Eye started covering it in 2011 as well, and has not let up. It is somehow fitting in this insane story that those who first recognized the scandal for how serious it was were computer nerds and humorists, well before the mainstream media.
Ernst & Young (EY) was the long-time auditor of Horizon until 2018. An EY report sent to Post Office directors in 2011 warned that Fujitsu staff had “unrestricted access” to sub-postmasters’ accounts, that “may lead to the processing of unauthorised or erroneous transactions.” This fact did not come to light until years later, because it was buried by the Post Office.
A forensic accounting company, Second Sight, was brought to attempt a review after pressure was applied from some Members of Parliament. Second Sight, according to the BBC, “was brought in by the Post Office in 2012 to look into the Post Office’s IT and business processes, but it was later sacked after the Post Office became worried about the conclusions it was drawing.”
Deloitte was engaged for an audit, and wrote a draft of something called “The Bramble Report” in 2016, noting that authorized access was not just possible, based on a sample of account transactions not approved by sub-postmasters, but was likely to be actually happening. The Post Office buried that report as well.
And there is Paula Vennells. Vennells started at the Post Office in 2007 and became CEO in 2012. In her defense, the Horizon project and prosecutions started years before she even arrived at the Post Office, let alone became CEO. That said, during her tenure as CEO, prosecutions not only continued unabated, but she did her best to undermine any investigations into Horizon issues. In 2015, Vennells said before a House of Commons committee that the Post Office was a “business that genuinely cares about the people who work for us.” And if “there had been any miscarriages of justice, it would have been really important to me and the Post Office that we surfaced those… So far we have no evidence of that.” But the evidence was there. It was everywhere. Vennells was doing her best to ignore and hide it.
Back to the Royal Mail. When the Horizon project started, the Royal Mail was still owned by the British Government. The Royal Mail was spun off during Vennells’ tenure at CEO. As was reported by the BBC, Vennells considered it her job to minimize the scandal such that it would not impact that transaction. Sub-postmasters and justice be damned—there was money to be made!
Vennells is also an ordained Anglican priest and was a finalist to become Bishop of London in 2017. She was also on the Church of England’s Ethical Investment Advisory Group. Read that again for emphasis. This was at the same time she was the CEO of the Post Office and, as previously stated, continued to prosecute innocent sub-postmasters and torpedo meaningful inquiries into Horizon. She could have played the hero by acknowledging Horizon problems and offering redress; she chose to perpetuate the scandal. The chasm between her public piety and what she put into practice, while not unique in the modern business world, was still astonishing.
As a cherry-on-top for her efforts, Vennells received a Commander of the British Empire (CBE) award “for services to the Post Office and to charity” in 2019. Of the five classes of the Order (Knight Grand Cross, Knight Commander, Commander, Officer, and Member), the CBE is the 3rd highest. To put this in perspective, the Beatles got a mere MBE in 1965, which is the lowest. Buckingham Palace has some explaining to do.
Eventually Bates’ efforts wound up in a court case Bates & Others vs. Post Office Ltd. that started in 2017 and was decided in 2019. What Alan Bates and the other sub-postmasters did to push their cause was truly heroic, because it involved thousands and thousands of unpaid hours over 20+ years, while the Post Office spent many millions on doing everything in its power to stop the truth from coming out. It wasn’t just an Alan vs. Goliath situation, it was Alan vs. Goliath, Goliath’s Government, and Goliath’s Giant Legal Team.
The first set of convictions were only overturned in April 2021. The pace of justice was agonizingly and maddeningly slow and incomplete in terms of scope, but it was still some justice. It was a beginning, and this story is still developing. Vennells’ CBE was formally revoked in 2024 for “bringing the honours system into disrepute.” That was a nice touch, but cold comfort for lives ruined and lost. There are dozens and dozens from Fujitsu, the Post Office, and other organizations who should be fined and jailed for either lacking the moral courage to stand up and say something, or the ethical failure of repeatedly lying to protect the Post Office and defaming and prosecuting blameless sub-postmasters. The full list of those accountable needs to go back to the late 1990’s, as well, not just those recently in charge. That will probably never happen, as it will be too embarrassing for the British Government. But it should.
Lessons For The Software Community
Users suffer with new software systems in all sorts of ways—half-baked functionality, performance issues, and erratic uptime, to name a few. Those issues can be frustrating enough, but no user should ever suffer like this. The failures were implemented in software, but they were allowed to persist by humans. Among those humans were many technical professionals who should have known and done better.
References
- U.K. Post Office Scandal
- Wikipedia – U.K. Post Office ScandalPrivate Eye – 2020 Special Report on the U.K. Post Office ScandalBBC on the U.K. Post Office Scandal
- Related BLOG@CACM Posts
- The Perils of “Stay In Your Lane”
- Enterprise Metrics And Optimization
Doug Meil is a software architect in healthcare data management and analytics. He also founded the Cleveland Big Data Meetup in 2010. More of his BLOG@CACM posts can be found at https://www.linkedin.com/pulse/publications-doug-meil
When I wrote “The story is massive and deserves an entire book” above, I didn’t realize that somebody *had* already written a book on the subject. See “The Great Post Office Scandal” (2021) by Nick Wallis.