back to article Capita strikes again: Bug in UK-wide school info management system risks huge data breach

Capita has admitted a bug in an information management system used by 21,000 UK schools could have incorrectly linked contact details to the wrong pupils – an incident with huge implications for pupils' data protection. The error, which has been pinned on a December 2017 upgrade to the Schools Information Management System, …

  1. DJV Silver badge

    Crapita

    Testing - we've heard of it (possibly).

    1. cantankerous swineherd Silver badge

      Re: Crapita

      no need to test anything, matching on name alone was bound to fail. absolute muppetry.

    2. macjules Silver badge

      Re: Crapita

      Hey, at least they admit it now:

      Capita

      Educational

      Support

      Services

      Professional

      Infrastructure

      Team

      Do you really need them to actually spell it out?

    3. Anonymous Coward
      Anonymous Coward

      Re: Crapita

      I once spent six months working for them as a freelance tester - Government stuff. Unfortunately they had not budgeted for kit, so I spent two months scampering around to gather kit to build a test environment so I could get my team working.

      When we started failing applications Capita went ballistic, we were not supposed to actually test it, they had no slack in the budget for fixing defects. I was extremely pleased to reject the renewal.

  2. Anonymous Coward
    Anonymous Coward

    Capita: An exercise in rewarding failure again and again...

    All the wasted money lost to Capita has to be made up somehow.

    Govt / HMRC: Lets recoup it by screwing over indie contractors?

  3. }{amis}{ Silver badge
    Joke

    Kit check

    Flaming torches.. Check

    Pitch Forks ..... Check

    Rope..... Who forget the rope! no matter use the cat5

    Right off to the Capata offices for a chat we go.....

    1. wolfetone Silver badge

      Re: Kit check

      I was rather hoping we'd go to the Windchester instead?

      1. Prst. V.Jeltz Silver badge

        Re: Kit check

        yeah , just till it all blows over

        1. Kane Silver badge
          Thumb Up

          Re: Kit check

          How's that for a slice of fried gold?

      2. Lotaresco Silver badge

        Re: Kit check

        "I was rather hoping we'd go to the Windchester instead?"

        What, *The* Winchester?

  4. Anonymous Coward
    Anonymous Coward

    Bonus cheques?

    > system used by 21,000 UK schools could have incorrectly linked contact details to the wrong pupils

    I bet there won't be any 'incorrect linking' problems when comes to matching bonus cheques to Crapita executives at the end of the year.

    1. Terry 6 Silver badge

      Re: Bonus cheques?

      Or billing.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bonus cheques?

        "Or billing."

        Nope, they are rubbish at sending out invoices or chasing for any sort of payment.

        They gobbled up a company which supported our Cisco Callmanager system, since then we have to ask them for invoices (They just don't send them, so we have saved thousands of pounds for the past few years).

        I am hoping they get dumped, since they can't sell anything either.

  5. Mycho Silver badge

    Their real business is taking the blame for government screwups.

    I thought I'd get that out there before someone asked the inevitable question which requires that answer.

    1. Anonymous Coward
      Anonymous Coward

      Re: Their real business is taking the blame for government screwups.

      The screw-up in question was the government's decision to award a contract to Capita.

      1. Mycho Silver badge

        Re: Their real business is taking the blame for government screwups.

        Exactly my point. Even now you're letting Capita distract you from the arsehole politicians responsible for this mess.

        That, my friend, is what they get paid for.

  6. localzuk

    Gonna be one less school soon

    This is the final nail in the coffin for me - adding this to my push to move away from SIMS in our 6 schools. Capita just really don't seem competent in anything they do!

    1. Scroticus Canis Silver badge
      Holmes

      Re: Gonna be one less school soon

      "Capita just really don't seem competent in anything they do!"

      Oh I don't know, they do seem to excel at getting undeserved business from the government while screwing them for large amounts of money for shoddy products.

      1. John Smith 19 Gold badge
        Unhappy

        "they do seem to excel at getting undeserved business from the government "

        That's simply explained.

        A system costing £10m/ year to support needs a company that can support a £10m contract, right?

        Wrong. In HMG land if the system runs 10 years it needs a company that can support a £100m contract

        Why?

        Because we're the British Government, and we're special.

        Multiply all numbers by 10 or 100 and you see why only "Special" contractors (like Capita, Thales, and the other Usual Suspects) can possibly be considered for this.

        Bit like Carillion.

    2. Lee D Silver badge

      Re: Gonna be one less school soon

      Most MIS providers are no different.

      What are you moving to? I betcha I can point you in the direction of someone with similar/worse horror stories on whatever it is.

      1. paul-s

        Re: Gonna be one less school soon

        Other MIS providers are available - I'd take a look at the others that ex-SIMS users are flowing to, some stats here: http://bringmoredata.blogspot.com/

  7. Anonymous Coward
    Anonymous Coward

    (no names, no flaming pitchforks at dusk)

    I supported education networks for years, and SIMS was a constant problem child. They'd make simple changes with wide reaching consequences and not bother to tell anyone beforehand or specify them clearly in the release notes. In one memorable patch they shuffled lots of the codes used to classify absences, leaving us uncertain if students were away from school by arrangement or needed warning letters to be generated. It'd also hog resources and jam up when stressed... which happened every day at registration. Teachers would often take paper registers and fill in the details later to save time, often a few days worth in one sitting. You can see the issue with that...

    Forgive me for not being at all surprised by the cock-up, or their conservative estimate of the impact.

  8. John70

    Crapita can't even build a simple database just to hold pupil details and contact details of relatives?

    How do they keep getting these contracts?

    1. Prst. V.Jeltz Silver badge

      well , its not that simple - as you well know - schools often have hundreds, of pupils. Theres no database known to man can take that much data! some of the parents have double barreled names too, that dosent help

      1. John G Imrie Silver badge

        It's worse than that

        Some of these parents get divorced or even re married and change their names. And names aren't even unique, just how many children and wives does John Smith have?

      2. cantankerous swineherd Silver badge

        god help them when little bobby drop tables turns up.

      3. keithpeter
        Coat

        "...some of the parents have double barreled names too, that dosent help"

        Names can get tricky [1]. I always ask my adult students to write down what is on their passport/travel documents at enrollment so when they get their certificates at the end of the course there aren't any amusing issues when they go for jobs &c.

        [1] https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/

        I hope whoever dropped the date-of-birth match does not work on further education college systems as well... ten to fifteen times as many enrollments often...

      4. keithpeter
        Coat

        names...

        "...some of the parents have double barreled names too, that dosent help"

        Names can get tricky [1]. I always ask my adult students to write down what is on their passport/travel documents at enrollment so when they get their certificates at the end of the course there aren't any amusing issues when they go for jobs &c.

        [1] https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/

        I hope whoever dropped the date-of-birth match does not work on further education college systems as well... ten to fifteen times as many enrollments often...

    2. colinb

      good question

      It comes down to the commissioner needing scale and have no way to critically evaluate if they are any good and can deliver.

      Why they can't Google the trail of disasters i don't know but again most of the failures are kept well hidden.

      Take Amey for example, they have recently taken to doing council waste services but did not have any capacity to do food or garden waste.

      Still got the contract, guess what, there are a lot of maggot infested bins and uncollected garden waste.

      1. Mike Pellatt

        Re: good question

        Yeah. Amey. West Berks Council.

        You'd think people would have learnt and wouldn't outsource to them. They have form going back well over a decade. And some of us <cough> saw this coming

        https://www.european-services-strategy.org.uk/outsourcing-ppp-library/contract-and-privatisation-failures/west-berkshire-terminates-strategic-partnershi

    3. JohnMurray

      The SIMS software was what started Capita, as SIMS systems....years ago...you'd have thought they would have got it right by now...

      1. localzuk

        @JohnMurray - that's not really true. SIMS was developed by a teacher (Phil Neal), and then further developed by Bedfordshire County Council thing IIRC, which became SIMS Ltd, which was later bought by Capita.

        1. Anonymous Coward
          Anonymous Coward

          Pretty sure it was originally called NEMIS before it became SIMS and then bought by Crapita.

          I remember installing the floppy disks.

  9. TonyJ Silver badge

    That explains...

    ...why I've been getting notifications on the SIMS app on my phone that my son has had 100% attendance at school for the last few weeks...

    ...despite having left in June after his GCSE's.

    I hate the damn app with a passion. Prior to migrating to it, the school used SharePoint. Not everyone's cup of tea but the customisations meant that I could track a LOT of info from my son - from achievement (positive) or behaviour (negative) points, and why they were awarded to whether he was above, on, or below track for a given subject and so on.

    The SIMS app would tell me - well fuck all of any use basically. I'd get a popup on a Friday with a summary of his attendance from two weeks before...I could see if he'd had any of the above points but not in which subject or why etc. Nothing about progress.

    Basically a waste of space on my phone.

    So I do wonder who's kid has been in trouble for not attending the last few weeks :)

    1. 0laf Silver badge
      Childcatcher

      Re: That explains...

      That would be a breach of DP would it not? Retaining information on individuals beyond the time it is required?

      1. TonyJ Silver badge

        Re: That explains...

        You know apart from a bit of semi annoyed bemusement I hadn't given it any real thought but yeah you're right.

        1. Prst. V.Jeltz Silver badge

          Re: That explains...

          I guess a lot of Little Johnnies will be getting undeserved praise or punishment!

      2. Roland6 Silver badge

        Re: That explains...

        >That would be a breach of DP would it not?

        This would seem to be a breech of DP and GDPR, as it seems it is automatically linking the details of the new pupil Joe Smith with parent John Smith, to the pre-existing record of existing pupil Zoe Smith with parent John Smith.

        Interestingly, at both my children's junior and secondary schools, I had to explicitly link my two children's records together, which would seem to indicate they aren't SIMS users...

        1. billat29

          A real example: (names changed)

          Zoe Smith is the child of John Smith and Emily Williams but Emily is now living with Fred Wilson and had a child with him called Joe. Joe Wilson is the brother of Zoe Smith and he has Emily and John down as parents whereas Joe has Emily and Fred.

          Now Fred and Emily have Chloe living with them, Chloe is Fred's daughter with his former partner, Susan Jones and retained her mother's family name. However, Emily has parental responsibility for Chloe Jones and so she should be down on SIMS in that case. So should Susan as although Chloe is not living with her, she still is her mother.

          So. Zoe Smith; Joe WIlson and Chloe Jones are all siblings but different people living at different addresses need to see their records.

          If Emily comes into the school office and says that she has a court order that prevents John seeing Zoe how does that get recorded in SIMS? And does that prevent the school from sending information about Zoe's progress?

          So relationships are more complex than in my day so it easy to see that it can get screwed up. And in education software there are fixed release dates set around events in the school year so the pressure is on.

          However, there is this thing we have all heard about called testing...

          1. Primus Secundus Tertius Silver badge

            Re: A real example: (names changed)

            @Billat29

            Your example shows that some degree of abstraction is required in designing a data system to cope with it. But you don't get good abstract design by contracting out to the lowest bidder.

          2. Anonymous Coward
            Anonymous Coward

            Re: A real example: (names changed)

            Last time I solved an example like that, I ended up being offered a job by Google.

    2. Anonymous Coward
      Anonymous Coward

      Re: That explains...

      This is not linked to this issue, it will be caused by how the school are recording Y11 attendance.

    3. TheTigonCollection

      Re: That explains...

      Obviously, this will do Capita's battered reputation no favours.

      However, if you're talking of the SIMS Parent App, it is actually a good piece of software that provides almost real-time access for parents to attainment, progress, conduct, attendance, homework, timetables and more. Clearly, your experience was not a very good one, but I suspect this was down to inappropriate configuration, either of the underlying SIMS system or of the Parent App coupling. This requires considerable expertise and knowledge if parents are to get a good experience - the software certainly does not "just work" out of the box.

      But this is still not good news.

    4. Dan Watson

      Re: That explains...

      He would have been marked as on study leave. Which counts as ‘in attendance’, as he is where he is supposed to be.

      Otherwise you’d get fined for him being off!

      The app obviously doesn’t recognise the different codes.

  10. Anonymous Coward
    Anonymous Coward

    UK-wide?

    Actually really UK-wide, or just Englandshire?

    (Now, I'm not saying that reinventing the wheel 4 times is necessarily a good thing, but the education system in England is and always has been different from at least one other country in the UK.)

    1. Anonymous Coward
      Anonymous Coward

      Re: UK-wide?

      Yes, local authority managed schools in Scotland mostly (like 95%) use system called SEEMIS which is run by a strange entity which is both owned by and independent from the authorities.

      It's not without it issues either.

      Private schools in Scotland might well use SIMS but more likely Pearson Phoenix.

      1. Anonymous Coward
        Anonymous Coward

        Re: UK-wide?

        Possible being thick but that sounds like the answer is no. Scotland use a different (but also crap) system which is kind of publicy owned (bit like GPASS was for GPs till it was canned).

  11. Anonymous Coward
    Anonymous Coward

    Which bright spark decided not to use a unique ID including the date of birth? Why are we outsourcing to Crapita? Can someone explain it to me?

    1. TonyJ Silver badge

      "...Why are we outsourcing to Crapita? Can someone explain it to me?.."

      Because it works out cheaper in the long run

      Because Capita have such an outstanding record of delivering robust solutions on time, under budget and that perform exactly as required

      Oh yeah - because it lines the pockets of various ministers with their pudgy fingers in the pies of these companies?

      1. TheTigonCollection

        Capita are, of course, big beneficiaries of outsourcing. But SIMS, the MIS in question, is not an outsourced product. It was already the dominant school MIS in England when SIMS (the product and the English company behind it), was bought by Capita, many years ago. Schools are not forced by Government or Ministers to by any particular MIS. However, as more and more schools are absorbed into multi-academy trusts (a trend where there *is* a strong whiff of political leverage being applied), we are seeing those MATs impose a chosen MIS - maybe SIMS, maybe others - onto their schools.

    2. Mycho Silver badge

      See above. They're running this the way the government would run it if they had the choice, but when it goes wrong the government get to say it's not their fault.

      Worth every penny if you're the MP whose salary is on the line.

  12. Salestard

    Three words

    "How do they keep getting these contracts?"

    "Why are we outsourcing to Crapita? Can someone explain it to me?"

    Three words - Lowest Economic Bid

    Not helped by the marvellous tangle of budgets from LEAs, Central Gov, and lord knows what else. I understand in some instance it is only Capita that bids for these things.

    Always the cheapest

    Consequently, always the worst.

    1. localzuk

      Re: Three words

      That's the thing though with SIMS - it is by no means cheap. In fact its about the second most expensive on the market.

      The reason schools keep using it is that moving is a massive job and "everyone is used to SIMS". It takes a *lot* to convince management that changing how things are done would be a good thing.

  13. sal II

    Isolated, limited, rare

    Ahh I love the smell of a BS apologetic statement

  14. Prst. V.Jeltz Silver badge

    I think I know what happened here ....

    https://xkcd.com/327/

    Yes, its that one , you dont even have to follow the link do you .....

    1. GrapeBunch Bronze badge

      @Jeltz : poetry to my ears.

      "I hope you've learned to [...] sanitize your database inputs."

      If the schoolish think in analogy, it would be: "... know which part of the sentence is the Subject, and which part the Predicate."

  15. Dr Scrum Master
    Headmaster

    SIMS

    I'll be returning to Blighty with the little ones so wondered what this SIMS thing is.

    I took a look at the website and was greeted with this display of poor educational standards:

    "More than 21,000 schools trust SIMS everyday"

    1. Doctor Syntax Silver badge

      Re: SIMS

      "More than 21,000 schools trust SIMS everyday"

      This will have been written by marketing. You simply follow the rule of always negating the word "trust" in relation to marketing, then it makes sense.

    2. David 18

      Re: SIMS

      "More than 21,000 schools trust SIMS everyday"

      I suspect significantly fewer than 21,000 trust it each of these last few days.

  16. nuked
    Facepalm

    Matching on name & gender, and then automatically updating a record? Wtf is this, seriously.

    1. sal II

      Crapita SOP

    2. MrXavia
      Mushroom

      And clearly no backups or change history or rollback plan!

  17. Data Mangler

    Spare a thought for the data managers.

    While hurling well-deserved brickbats at Crapita, spare a thought for the poor sods who are going to have to sort this mess out: the schools' data managers. These downtrodden individuals have to work with SIMS (or equally appalling products like CMIS) all the time. As non-teaching staff they are treated as being the lowest of the low and, usually being term time plus some holiday working, get paid three-fifths of damn-all with pensions to match.

    Summer holidays? Forget it. School management will leave it until the last moment to tell you about the assessment scheme they want you to implement for next year, so what with that and exam results analysis it leaves precious little time to squeeze in a vacation.

    Some will even be forced to produce the school timetable using Nova T6, a package so evil that 'user hostile' doesn't come close to doing it justice.

    Couple all of this with execrable software from practically all suppliers to schools, dealing with teaching staff who have all the IT skills of a small piece of putty, laughable local authority support and lies from Capita and you'll get some idea of how happy I am to be retired.

    1. TheTigonCollection

      Re: Spare a thought for the data managers.

      I agree with with much of what you say, but 'laughable local authority support' depends on who your local authority is/was - it's wrong to generalise because there are many good, dedicated teams out there. Our LA team works damned hard, damned long hours, for damned little money ('gold-plated pensions' - hah!) and does a damned good job in advising and supporting schools, especially when it hits the fan like this.

  18. Marketing Hack Silver badge

    Personally, I think Britain should be happy they have Capita

    That national comedy-relief they provide would otherwise require the purchase of a millions of tickets and 2-drink minimums at comedy clubs around the UK.

  19. Walter Bishop Silver badge
    Facepalm

    Pupil linked to wrong records.

    If you have imported a CTF for pupils joining your school, that included parents or other contacts with a name that matched exactly to a contact record already in your database, the applicant may have been linked incorrectly to this person and some data may have changed.”

    Have Capita ever considered indexing the Pupils on a unique record id and checking for duplicates. Or whatever indian intern they 'hired' on to write the software.

    SIMS (School Information Management System)

    1. Data Mangler

      Re: Pupil linked to wrong records.

      They already do that, but this is not the problem in this case. The issue is who the parents are. For some children, of course, this is not just a software question.

  20. Giovani Tapini
    Mushroom

    What annoys me

    Is the pathetic response attempting to downplay the issue claiming low numbers of incidents reported.

    What's that got to do with it? Wait until they get 21000 tickets before it's worth fixing? Grrr

  21. Multivac

    Crapita

    Bunch of badly treated employees working for a company they despise managed my career managers who have no idea and directors who cream of any cash they can. And people wonder how this could affect the quality of their work!

  22. herman Silver badge
    Black Helicopters

    Oops...

    Matching children with the wrong parents must be a feature used by the US ICE.

  23. Richard 12 Silver badge

    Some interesting questions, this raises.

    The data controller is liable under the GDPR. However Capita are not the data controller.

    What legal recourse does the data controller have against a supplier who wilfully or by gross misconduct causes the controller to breach the law?

    Futhermore, as the data controller is not able to control the SIMS in any way - they cannot choose not to use Capita and SIMS - how can they ensure compliance?

    Then there's the sanction. What is a school's revenue? Or is it the LEA?

    Simpler and better to just fine Capita 4% of their annual revenue 21000 times.

    1. Anonymous Coward
      Anonymous Coward

      Re: Some interesting questions, this raises.

      But in this case Capita are the data processor so likely to be the liable party. Since the data controller didn't, presumably, ask them to screw up then it is the processor who is the more liable party (as I understand it). This risk of penalty to Data Processors is one of the changes that GDPR brought in.

      1. Richard 12 Silver badge

        Re: Some interesting questions, this raises.

        I really, really hope they do.

        I fear that the ICO won't.

  24. Richard Rae

    There's an opportunaty here

    for our dear government to recup some of the monies they have given Capita. GDPR.....

  25. Twitchy

    UPNs?

    What ever happened to UPNs? As already stated, a check against name, address, post code and DOB won't result in unique or matched result. But pupils are assigned UPN and ULN in school which follow them through their educational life. Since they are generated with an algorithm and have validation rules against errors... Why not use these?

  26. PeterM42
    Facepalm

    As my son would put it....

    ......schoolboy programming error.

  27. David 18

    Access?

    I bet what really happened is they just ran the Access upsizing wizard on it.

    Actually no, that's not funny, you could probably cobble together a better database in Access!

  28. Anonymous Coward
    Anonymous Coward

    Doesn't surprise me

    I used to work for Crapita, running a large SaaS app focussed at certain market segments (not saying which for anonymity reasons). The app predates Capita acquiring the company I worked for, it wasn't developed in house by them.

    Anyway, in my tenure there (more than 5 years, less than 10), we had one outage of around 50 minutes, and that was due to a bug in a third party subsystem we were using.

    I've just chatted to an old colleague and had a look at their uptime page, they're now seeing 1 extended outage PER MONTH on the service - they've not upgraded the hardware (or refreshed old hardware), buggy releases going out as most of the original development team have left and they insist on paying new developers peanuts, so only get ones who aren't used to running a huge distributed system. It's an utter shambles.

    Utterly dysfunctional company.

  29. Anonymous Coward
    Anonymous Coward

    Anyone else somewhat worried that the DCC who will be running the smart meter network is ... a wholly owned subsidiary of Crapita?

    No wonder it's late and barely functioning ...

  30. Anonymous Coward
    Anonymous Coward

    How Much longer

    Why are we supporting rubbish there are better MIS out there which some schools have been using for a while and find it better. Also why are we propping up a company Capita that if it was not so tied in with the government would have gone bust after its stock warnings... Councils need to stop insisting on SIMS and let schools choose and stop putting money into a company that will never change.

  31. Martin Milan

    Tell someone?

    They haven't done anything too obvious like actually telling their customers about this though...

    I am a school governor - first my school heard of it was when I called them 5 minutes ago...

    Martin

  32. Haven't we seen it all before

    This was first highlighted to them last year when they had done the same thing and parents and children had got linked incorrectly , will they ever learn ?

    Where is the gov contract team to sort these tried and failed companies out (not just Crapita)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019