CoRecursive: Coding Stories - Story: Risk Rolls Downhill - The Software Bug That Sent People to Prison
Episode Date: October 2, 2025
What if a software bug drained your savings, ruined your reputation, and nobody believed it wasn’t your fault? Scott Darlington took over a village post office, hoping to give his family a steady life. But the software system kept showing cash shortfalls he couldn’t explain. Each time, the Post Office told him the numbers were right and made him pay the difference out of his own pocket. Eventually it became too much and actions Scott took to protect himself led to his arrest and public shaming. How do you build trust in systems when the people behind them refuse to admit they’re broken?
Transcript
Hi, this is CoRecursive and I'm Adam Gordon Bell.
Each episode is usually about a piece of software being built.
Have you ever had a computer tell you you're wrong?
Insist that you're wrong, even when you know you're right.
Maybe you try to log in and it says your password's wrong or your payment gets declined for no reason.
I had this with a bank whose reset password button truncated the password before hashing it.
Or so I later found out when I wasn't able to log in because the payment,
the login form didn't do the same truncation. But these things happen, right? Your payment gets
declined for no reason. It's frustrating, but you call support, they figure it out. Or you reset your
password again, you move on. But what if you couldn't fix it? What if the computer had the final say
and everyone else, your boss, your bank, the courts, the government, everyone took the computer
side over yours? That's exactly what happened to today's guest, Scott Darlington.
If you build software, or even if you don't, I think that you know the bugs happen.
But what happens if the systems we build end up being trusted more than the people using them?
And if you build software, and that happens, where does your responsibility lie?
This story is about what it looks like in real life when software hurts somebody
and the people in charge and the people building it aren't listening.
So can you tell me your name, and how would you describe yourself in 30 seconds?
My name is Scott Darlington. I'm English, born in Macclesfield, south Manchester, and a county
of Cheshire. Oh, how do I describe myself? Um, I've always been optimistic, happy-go-lucky, musical type
person with ambitions and stuff like that, um, until they came across the dreadful
decision to take over a post office, you know.
Taking over a post office might sound like a strange move.
But Scott had thought it through.
He had always wanted to be a musician, but now he had a young daughter and running a
business felt like a way to channel his ambitions and give his family some stability.
Here's how Scott saw it.
He could become a sub postmaster.
He'd be the guy who ran the village post office.
And to make that happen, he'd borrow against his house.
He'd pull some cash from his mom selling her vending machine
business and that would be just enough to buy the shop. If enough people came and went each day,
he'd have steady work and a steady income and a business that he actually owned. It could be
something that he could do for decades. But before he could make that decision, he did some homework.
He spent days just watching that post office. He'd park across the street, notebook in hand,
and he'd count. He'd count the people coming in, he'd count the people going out, he'd count the cars
pulling up and the customers with letters or parcels or pension slips. He wasn't casing the place.
Like, I guess he sort of was.
He was casing it to determine if it was a good business.
He was trying to see if this could really be his future.
Scott was an optimist, and to him, this felt like it could be a fresh start.
It could be a place where people didn't just buy stamps and send parcels, right?
They'd pick up greeting cards.
They'd buy little gifts.
They'd buy little knickknacks.
Sitting in his car and counting these customers, it looked like this could be a safe bet.
Because buying the post office wasn't like picking stocks in the stock market or putting money in a retirement fund.
it was more like buying a job for himself,
a job that he could actually look forward to
and a job with the future that he could count on
and that he'd be excited about.
Think of it like a franchise.
Scott runs the business, he leases the office space,
he can work the counter himself or he can hire staff,
and he gets a cut from the post office,
and he also gets money from the things he sells in the store.
So after the numbers checked out and the foot traffic looks steady,
Scott felt that rush of excitement that you feel
when a project is starting,
and everything is in front of you.
He took all his savings and he signed the lease.
And just like that, he became a postmaster,
specifically a sub-postmaster.
He was in charge of a village post office
that centuries-old trusted institution
through which wages were paid and pensions were drawn
and news of every sort and gossip traveled through a small community.
But of course, Scott couldn't see what was coming for him.
It was waiting behind the counter inside a beige computer box.
It was the software called Horizon.
Well, even during the training, which was in this like training place, nobody could understand the software too well. It was very clunky. It was Windows NT, which even in 2005 was old. I think it was discontinued in about 1996, I think. I might be wrong with that. But they had a special contract with Microsoft just for them to keep the Horizon software, you know, updated and things like that. Because that software was totally voice
by then. So they had a special contract just with them paying them a fortune just for Microsoft
to keep updating it because the cost of replacing it all would have been so high. This is one of the
reasons why we ended up in the situation we did really, because it generally worked, it generally
worked, but it was when it went wrong how they dealt with it and this was the problem. Generally
worked is a red flag, especially in financial software. To see why even a tiny glitch mattered,
you need to see how money actually moves through these village post offices.
Running a post office wasn't just about selling stamps, right?
The post office was the village's front desk, kind of acting like a bank for a lot of things.
There was pensions being paid out in cash.
There was bill payments, there were deposits.
There was just standard parcel stuff.
But in a typical week, 100 to 150,000 pounds moved across that counter.
That's like 200,000 USD.
Most of that money wasn't Scott's.
It belonged to the post office or the pensioners.
Every transaction paid him a fee, and that's what made the business viable.
Also, that foot traffic just lifted up the shop.
People coming through would buy greeting cards or snacks or magazines.
Yeah, it did really.
I mean, the amounts of transactions that were taking place every day in the post office,
it was phenomenal, really, way beyond what I was expecting.
I'd really bitten off something more than I wanted to,
but I actually got in there and started working, doing this.
So you're always just going to get a little, giving someone the wrong
change or typing something into the system, a 10p out or something like that, because of the
thousands of transactions you're doing every week. It would be surprising for it to actually be
absolutely perfect the cash situation. So it was going to be a very, very small part out.
By month end, Horizon demanded a perfect balance. I had a discrepancy from the previous owner
that I had to pay, that I had to pay. And I tried to chase him up for this money, but of course
it never had to pay about £600 of his debt
I'd only been in there about a week
so that was not a great start
but anyway in 2008 suddenly the system said I was
1750 pounds out
Scott was used to the system being off by a few pennies here and there
but this time the numbers were way off
this was something else entirely
and it said that I had stamps to that value in the post office
more than I'd actually got
Scott didn't have the first class stamps the system claimed he did
but mistakes happen right he figured that maybe it would sort itself out
maybe in a different day it would go the other way
the way the system works
you come to the end of like a financial period which is
which is every month and you have to the system has to be set
so it's exact so it can cut off that period and start a new period
but it's what's known in their parlance is a system
rolls over to a new period but it can't do
until any discrepancies are resolved.
And you can't just say, oh, I'll resolve it, you know, because they'll want the cash.
Scott contacted the higher-ups.
He contacted the support line, but basically he couldn't open the store next day
and start doing transactions if he didn't close the month.
And if you couldn't do transactions, he wouldn't have enough to cover his lease or cover payroll.
And so he said he was out 1750, and he tried to tell them that it was a mistake.
But what they said was, well, the system says that you owe us 1750.
so we can take it out of your pay
either in one payment or two.
So I had to pay it.
And that was when the alarm bells are ringing,
you know, like, what the hell?
What was I to say something else is out?
I've just got to pay that, you know.
And you're dealing with such high-value stuff
it can soon get way out of hand, or less.
The whole risk is on me here
because of what this computer is saying, you know.
And we knew it wasn't right,
but we'd have no problems before, proper problems.
So it was very difficult to blame the system straight away.
wait, we just wondered what the hell had gone wrong.
You know, how could this have actually happened?
This was a financial setback, and it was terrifying.
Scott made only a tiny profit on each transaction,
so even small mistakes like this could easily ruin them.
And because of that, anxiety started to creep in.
And do you remember the financial crash of 2008?
That had a big impact on us and everything.
There was people queuing up down the streets,
some people paying millions of pounds into post office accounts.
I don't know what it's like in Toronto, but in the UK, the UK only guarantee £85,000 per account
in the event of a bank going bust or anything like that.
So this is no good to the millionaires that lived all around me.
So they realised that they got to know very quickly that the post office,
which fronted up accounts for the Bank of Ireland, guarantee the total amount.
So they were just shifting all the money into that,
and there was millions of pounds coming over the counter now.
And we'd already have this discrepancy, you know, like, oh my God, what's going to happen with this?
One day, Scott found himself £4,000 short.
And if he told the post office, he knew exactly what they would say.
I couldn't really tell the post office about it because I knew they'd just immediately take the money.
And when you're in a small business like that, you're not in the position.
You're just being loads of money out that have seemingly just disappeared.
You know what I mean?
You're just not in that financial position.
things can start going wrong. You've got wages to pay, you know, bills to pay. And this money is
something you haven't done, if you sort of mean, they just take it off yet. You had to, you basically
had to adjust the system to say that that money was now in, as if I'd put the cash in. But actually,
I'm harboring a £4,000 discrepancy net. You had $4,000 more, or £4,000 more in cash than you
actually had. That's right. So, which meant the system could roll over,
thinking that that four thousand pounds is in, but it's not. And I'm hoping corrections are
going to come to correct any mistakes we made even though are new. We haven't really made any
mistakes like this. He's just hoping upon hope that something's going to come down the line
to help out. Scott's stuck, right? If he admits he's short, he has to pay up and then he won't
have enough left for staff for rent. But if he claims the money's there when it isn't, then
he's just betting, he's just hoping that tomorrow the numbers will magically fix themselves
somehow. Maybe someone somewhere will spot the and things will just set themselves right. Maybe
he just needs a little time. He needs to stall. Or maybe there's another way. Maybe Scott can
cover this himself over time. Skip a little bit from his pay each time, take on some personal
debt, pay suppliers late, and eventually that 4,000 pounds will even out. But if the post office
needs their money right away, that's a whole different problem. So he lies, right? So he says he has
the money. He'll figure it out later, but then there's another day, and suddenly now he's out
9,000 pounds. And then the next day, it's even more than that. And it keeps piling up day after
day until before he knows it, he's 44,000 pounds short. All of a sudden, you just total stress,
you know, total stress and anxiety, because I know that I'm in trouble as well. And not just financial
trouble, but I know that I'm going to be in trouble at some point. Whether I lose my
contract, even if a load of auditors arrive and see the problem, I'll still lose my contract
for dealing with it like that. I don't know. It feels like you should be able to file a support
ticket or something and be like, hey, there's not money here or I don't know. Like there was
no recourse that you could take somehow? No, there was nothing. The contracts said were reliable
and that was it. They knew that that, they'd go to court on that. And they did go to court on that.
Scott kept the store running
even though he owed the post office more money than he could ever pay back
and still keep the business afloat, he kept it running
because the fallout hadn't hit yet.
On paper, he was holding 44,000 pounds for the post office that was theirs.
But for now, no one was asking for it.
And so he was okay.
What happens in this sort of cash situation like this,
you end up with too much cash in,
and you need to take, get some out,
and you get cash vans to come and collect it
take it to cash centres
and that because you end up stuffed with cash
and it's not very good
for security, it's not very practical
to have so much cash
so I always used
to keep the sort of amount in this post office
about 80,000 in cash because you have
pensions to pay, surprising how much
it's paid out from this.
Suddenly I'm 44,000
out now and my system
came up with an amount that it wanted me
to remit out to bring the
amount held in the
office down to a sensible level and I couldn't do it.
It would mean I'd have about
10,000 left in the post office and they'd be able
to operate like that.
So I ignored it. I ignored this
request and two days later
one of their auditors, auditors
arrived to
find out why. So
that was when the axe fell down
but I was pleased that the auditor was there because I thought
well I don't have to hide anything anymore
surely now, I'll probably lose my contract
but surely now
all the any errors that have happened in my branch will come to light but they never did the
slightest bit of investigation they just immediately started prosecution proceedings you know
how they operated did you try to explain like to the auditor like how did that go down yeah they
just they just didn't believe you they just presumed you've nicked it you know they just
presumed you've stolen it so um they didn't listen to any explanations or as far as they were
concerned you spent it you know you've had this money you've where you've
squirreled it away, you know, what'd be done with it.
They came to search my house to see if there's rather nice things suddenly appeared in my house,
like a nice new car outside or something like that.
Fortunately for me, there wasn't, you know.
But there was very little, actually, in my house at the time, which did have mitigating
the effect, I think, because I think they were surprised at how little there was in my house.
I had a computer system and a big beanbag at that time.
I didn't have any furniture or anything just at that particular time.
I think that helped slightly, but anyway, the prosecution proceedings with the norm.
How did they search your house? Like, they're not, they're not the police.
All incredibly, in the UK, there's three different bodies that have got this power
of prosecution and everything. In other words, they don't need to use what we have as the
Crown Prosecution Service. Because what happens is the police gather evidence. They give it
to the Crown Prosecution Service, they decide whether there's a case, and then it goes to court
or not, you don't like that.
But some people can usurp the Crown Prosecution Service
and take you straight to court.
Ministry of Defence, Her Majesty's Taxes, HMRC, of course, the police and everything,
and some incredible ancient law, old Elizabethan law, Royal Mail.
I've also got this power as well.
I think it was because way back in 1690 or something,
people carrying valuables around for other people and stuff like,
that were targets, so they ended up at, they had their own like, not police force, but security
people. It's kind of gone on from there and they've still got their own security for old squad.
Police with powers, not quite the same as the police, but enough to take me straight to court.
There was no way out. The auditors and prosecutors from London had already made up their
minds. Some postmasters like Scott, they probably couldn't be trusted. Why would someone take
on a job like this? Handling all that money if they weren't trying to skim a little off the top
so they could gamble or worse.
In their eyes, Scott was just another criminal,
hiding in plain sight, a bad egg in the system.
And prosecution was the only way forward.
Yeah, well, I got charged with five counts of false accounting.
That was changing the figures five times in a row, basically.
And they were going to be deemed for theft as well.
Even though there was no evidence of theft,
and we actually had a memo on Post Office-headed notepaper,
saying, after their exhaustive investigations,
we find no evidence of theft.
Yeah, they were still going to try and prosecute me for that, you know.
I went to Chester Crown Court, handcuffs, everything, you know.
So there we go.
The story is so, like, unfortunate that I feel like I just need to say it out loud.
Scott put everything on the line.
He used his savings, his mom's inheritance, that she got from selling her business,
and he even took a mortgage on his house all to invest in this business,
which is just something people do to
start a business, fair enough, but now he's in handcuffs. And he thought maybe the court would sort
things out for him, but in reality, he was up against one of the oldest and most powerful institutions
in the UK. The odds were stacked against them. They had their own prosecution branch. And from here,
things only got worse. I get it. I'd be hopeful. If I were Scott, I'd probably think,
you know, what's the worst that could happen? Maybe I'll have to sell the store, but at least I can
move on from this nightmare. I thought this was going to be my job, but now I just want to get out
of it. But in fact, it didn't work out that way. It got much, much worse. But what had just happened?
Where was this money actually going? Let's start with the stamps, the first big blow that Scott took.
Imagine it's 2008. It's the end of the day. The receipt printer is still warm. There's a line of rubber
bands on the counter from where Scott's been bundling up the stamps. This is the end-of-day tidy-up time.
count out the stamps in the drawer, tell the computer what you got, make sure all the numbers all
line up. On the screen, it's a simple form, you know, the amount of stamps in, he scans the tray,
he taps enter, the screen hesitates, maybe the computer freezes, maybe it does that sometimes.
So he hits enter again because that's just what you do. But here's what I think happened.
The system would freeze, and then it would repeat, it would play back your key presses.
So that one stock in entry turns into two. The screen didn't warn him, the screen was frozen.
It just added another batch of stamps to his ledger.
So that means in the drawer, there's what he actually unpacked.
There's today's stamps, but in the computer, there's today's twice.
What that means is, night's close or the next day, they think he's holding more stamps than he does.
More than physically exist.
It's not missing cash, exactly.
It's just ghost stamps that the system insists should be there or the money for them.
And that's how you wake up owning 1750 in stamps that you've never seen.
It's not that Scott skimmed anything, it's because the counter said hit enter and he hit it,
and the screen hiccoughed and the software created a version of the world that didn't actually exist.
Now, those bigger discrepancies, I have some theories too for how they could start.
It's the same type of glitch just on a larger scale.
If a builder brings in 2,500 pounds and Scott enters it in and the cursor hesitates so he hits enter again,
it's a busy store, he's got to move on.
One real deposit now becomes two entries.
And then an hour later, a cafe owner comes in with $1,500 to deposit, same pause, same double enter.
And no one would notice this in the rush, the cash is there, it's counted, and it's real.
But at closing, it says that there's 4,000 pounds more cash in than is actually in the drawer.
It's just two ghost deposits, right?
It's not theft.
It's just buggy software.
It's not innovative.
There's a system of checks and balances that should be in place.
But the reason things failed here has to do with how this software
was built. In the 90s, the UK government set out to modernize every post office counter.
They wanted to get rid of old paper benefit books, and they wanted to switch to a card
system. So they bought in this company called ICL Pathway to handle both jobs. They're going to put
a computerized point of sale system in every branch in every post office store, and they're
going to move all their benefits payments online. There's two pieces to the system, the post office
and the benefits, the benefits part gets cut.
The whole thing doesn't go well.
There's delays, there's fights over cost, there's changing requirements.
But somehow the counter system survives.
And that's the system that's running Windows NT at Scott's office.
The project is seen as a huge failure, but they can save this post office part and maybe
things will be better.
Newspapers write up stories about all the wasted money of this project, but it still
rolls out and even without the benefit cards, putting computers on every counter still feels like
progress. It sounds like a sunk cost problem. They put all this money into this failed project and
surely they can save some of it by rolling out the small piece of it. And because this was built in the
90s, you know, it has dial-up modems and it has unreliable connections and thousands of tiny shops
that need to communicate to home base. So the system was built offline first. Every branch got their
Windows NT box, and it was hooked up to scales, and a barcode scanner, and a receipt printer,
and a messaging layer that was called Riposte. So if the network went down, you could still serve
customers. Transactions just queued up locally, and then when the internet was back, the data was
synced. For the time, that was a smart trade-off, the internet was not reliable, but it is a
trade-off. When you have this sort of store and forward system, your truth comes from a pile of
queued messages on various machines, and they can get delayed, and they can get retried, and they can
get replayed. These are just the problems of a distributed system. Most days, everything works
fine and the ledger looks clean, but every so often, maybe it doesn't work out. Most days, you never
notice any of this. You sell stamps, you pay out pensions, you take deposits, the cash drawer has the
money in it, the terminal has its numbers, and at the end of the day, those two sets of records
are supposed to match up. But when they don't, when you're left staring at two realities,
what's in the till and what's in the screen, how do you reconcile that? You might think,
like Scott did, but the numbers have to balance out eventually. If a deposit got doubled somewhere,
someone should end up with twice the money in their account and that should be flagged. There should
be discrepancies that show up somewhere. Double entry accounting is supposed to catch these
things. You can't actually just create money out of nowhere. But I actually looked into this.
While the ledger system that tracked what Scott made and owed each day was offline first, the
banking transactions were live in real time. There were real time communications with the bank.
So it's very possible that money was deposited once, but because of a double press or because
of a network hiccup, there was two records in Scott's system for it. And somewhere, these numbers
must get reconciled. The money transferred into somebody's account, you know, should line up
with these aggregate of data across all these post offices. So in fact, somewhere it should all
shake out and even out, but not in any place or on any timeline that actually helps Scott.
Most days the software worked fine, but there, it turns out, were plenty of known bugs.
Enough to cause real mistakes, and behind the scenes, people at Fujitsu were scrambling to keep
things running. They were patching issues, they were finding ways to update the ledger,
forcing the numbers to add up and be correct. But Scott didn't know any of that. All he saw
was the computer telling him that he should have money that he did not in fact have. And then the
auditors seeing the same numbers and jumping to their own conclusions, hey, here's a small town guy
who's stealing from us. Let's make an example of him. If you're from the UK, you might have
heard parts of the story before. Maybe not about Scott, but about the 13 postmasters who took
their own lives after facing similar accusations. Scott didn't take that way out, but his life was
definitely turned upside down by all of this, and we'll get into that. But what about the software
itself and the people who maintain it? How could an organization that took this failed software
project and push it out and was constantly fighting bugs and drowning in errors, turn around
and aggressively prosecute people who were affected by those bugs. Let's rewind. After Horizon
was created, but before it got Scott put into handcuffs, before it got him splashed across
papers as a thief, the company who created it was acquired by Fujitsu. And so Fujitsu held the
maintenance contract for the software. Scott had no idea, but Fujitsu engineers
had already had a name for a bug that seemed a lot like the one that was draining his account.
They called it Callendar Square after a Falkirk shopping center where they first spotted it.
On September 15, 2005, a subpostmaster at the Callendar Square post office tried to move stock
from one counter to the safe, but the transaction just seemingly disappeared.
Wanting the books to balance, he tried it again.
But what he didn't know is Horizon's Riposte messaging layer had frozen.
It had a message time out waiting for lock.
And when the terminal was restarted, when the lock was finally cleared, it replayed that
queued message.
Suddenly both versions of the transfer showed up.
Two transfers in for a single transfer out.
In double entry bookkeeping, which I'll touch on at some point, for every transaction there
is both an in and an out side.
And this is a careful check on things.
But on paper, this branch suddenly had a surplus in one account without a matching
shortfall in the other. And because of that, the operator, the sub postmaster was on the hook to
repay the difference. Fujitsu logged this failure as PEAK PC126042. And a few days later, it
happened again, and then it was given a different number. And both incidents landed in their
internal error logs. So they put the incidents in their known error logs. And they gave advice to the
support people at the post office. If somebody reports this problem, tell them to reboot the machine
and whatever they do, don't enter it again.
Internal emails at Fujitsu admitted that this lock bug
had been showing up at a number of sites most weeks,
going back as far as 2000.
But the subpostmasters were never warned.
Fujitsu just kept the known error log to themselves.
So if this is what happened to Scott
and if he managed to reach the post office
before a restart or whatever occurred to get the double posting,
the staff there wouldn't necessarily know what to tell him.
But it's wild that the folks running the Horizon system
already knew this bug inside and out by the time it happened to him.
But for the actual sub-postmasters dealing with this,
they were kept totally in the dark.
And that was just one of the issues, right?
There was another one called the Remming Out problem,
remming out being short for remitting out, the end of the day routine
where you've got too much cash on hand
and you seal the extra money in pouches,
log it into the system, and then a van comes and picks it up.
Basically, you're moving money from cash on premises to cash on transit, right?
you don't want too much around so that you don't get robbed. You can imagine an end of day,
Scott, on a busy pension day. He has too much cash in hand, so he follows the routine. He prepares
these pouches, each have 10,000 pounds in them in 20 notes. Each bag gets sealed and has a barcode
on it, and in Horizon, he's supposed to enter that he has this 10,000 pound bag, and then he has
the second 10,000 pound bag, and it should subtract 20,000 pounds from the branch's holding.
and add $20,000 to the pouches ready for collection.
But this remming out bug, which sounds really bad,
if you did two bags and they had the same amount in them,
Horizon only subtracted the first one from the branch's holdings,
even though both bags showed up going into the van.
In other words, the van would get their $20,000,
but the branch would say it had only taken out $10,000.
When people talk about balancing the books,
this is what they're talking about.
Both sides need to match.
You can't take out 10,000 here and deposit 20,000 over there.
It doesn't make any sense, but that was the bug.
Both bags left the branch.
Both were in the van, but the system acted like only one had gone.
And so on paper, it looked like at the end of the day,
there was 10,000 pounds of cash missing.
It's like the ghost stamps, only this time the numbers are much bigger.
Yeah, that's the reason double entry accounting exists.
Every transaction gets recorded twice, once as a debit in one account,
and once as a credit in another, and those two need to balance.
If they don't, you've either created or destroyed money out of thin air.
And this isn't a new idea, right?
The idea of recording everything twice goes back to merchants in Renaissance Italy.
In the 1400s, they were using double-entry bookkeeping.
If you've ever written code, double-entry accounting might feel familiar, right?
It's basically a 15th century version of like a two-phase commit.
You can't close the books until both sides acknowledge the change has happened.
If you have like two physical machines separated on a network and you're taking something from one
and moving it to the other, both sides need to confirm that they've gotten that change or it didn't
actually happen. If one side never acknowledges or if things just hang, then it doesn't count.
It's also kind of like test-driven development, right? Every code change needs a matching test.
One side needs to match the other. If the logic in the test or the logic in the code you added is incorrect,
something will fail. And that's a sign you need to figure out what's going on.
There's so many metaphors for this, the other way to think of it is like a checksum, right?
If a checksum doesn't pass, then the data's corrupted.
But really, the system should not allow you to have a debit in one account that doesn't match a credit in another.
It's just a simple integrity check.
And instead of investigating and blaming the system for breaking basic accounting rules,
somehow the finger gets pointed back at the subpostmaster.
That's the remming out bug.
And in February 2007, Fujitsu reviewed this bug,
and they found internal notes showing 49 branches were hit in that month.
And maybe because this one is obvious and doesn't balance,
they did remotely access some of these branches' machines
and try to fix up the ledger entries.
We don't know if Scott's branch was one of them.
We don't know if this was the bug he hit.
The details just aren't available.
What we know is that in some cases,
Fujitsu was working behind the scenes to try to correct these errors
without telling the contractors like Scott
or even telling the post office itself what was going on.
And there was so many bugs like this.
There was an earlier bug from May 2005 called the Kel G. Maxwell 385P.
All we know about that bug is it says possible bug in counter code.
But they were never able to pin down what happened.
There was never a change.
We don't know which post offices were affected and we don't know what the fallout is.
Because we're piecing this together after the fact.
And there were plenty of other issues,
and honestly we'll never know what really happened to Scott,
because no one bothered to look.
The problem was there's so many layers.
There was the software company doing the maintenance fixes.
They built the software.
They don't want to talk about bugs.
There's the support people at the post office,
and they're overwhelmed.
And that's why the first time the numbers didn't add up,
Scott did what anyone would do.
He called for help.
And he gets the cue music,
and then he gets an unsympathetic support worker
who's working through a script.
Check the till, recount the stamps,
maybe power cycle things?
Have you tried closing the session and then reopening it?
It's hard to say whether the agent is even really listening or just working through a script.
But one thing's for certain, right?
He reminds Scott, the contract says that the branch must balance to roll forward.
If Scott can't fix it, the difference comes out of his pay.
It's in your contract, sir.
You can spread it over two deductions, if that makes it easier.
Scott hangs up feeling small,
not just that they've taken money out of his pocket,
but that they don't trust him.
If the computer says the stamps are there, then they're there.
If they're missing from his drawer, then that's on him.
So he pays, right?
In that first case, he pays that 1750,
and he tells himself it's just a glitch,
and it'll work out, and that's fine.
This is his business, he's excited.
But then, yeah, a few days later, the numbers don't add up again,
and the gap's even bigger.
I'm just playing this back in my mind, right?
If he admits the shortfall, then they'll take the money right away and maybe he won't be able
to make payroll. Maybe he won't be able to pay the lease. So he's a businessman. He does what he needs
to do to keep the business running. He forces the period to roll over. He tells the system that he has
the money. He tells them what it wants to hear just to make it through the night, make it to the next
day. And that desperate entry to move forward is what was later called false accounting. That's
what got him put in handcuffs. That's the moment where the system of prosecution decided that he was
the villain and he was someone to blame. But here's what's interesting to me, right? Behind that maze
that Scott couldn't see, there was real experts. The ones who could spot a software bug,
they were just hidden inside Fujitsu's back office. And they were trying to fix things. Maybe
they were working very hard. You know, they had a list of known errors, but those never made it out.
And if the problem you had looked like something in their error logs, support might notify them,
maybe it would quietly get fixed, I don't know. But if it didn't, or if no one checked, then you're
stuck. And Fujitsu was swamped with these bugs, but they also kept them under wraps.
This list of known errors, they kept that as an internal list. They never shared it with the post office
support at all. So it's not just a software thing. It's about organizations and culture.
The post office treated every shortfall as a personal debt against the sub-postmasters.
You either had to pay up or they took the money from you.
And it seemed like there was some sort of quiet disdain where this big institution looked down on these village shopkeepers.
People in charge in London while the sub-postmasters are working in their villages.
But there was, at least in theory, another option.
If Scott had known the right phrases and if he was willing to lose pay
and to not just forcibly roll it over,
he could have refused to roll over the period.
He could have stood his ground, not entering anything,
but not accepting their numbers.
I don't know what would have happened then,
but what I'm imagining is
maybe he eats the cost on that first time,
but the second time he goes all forensic accounting on them.
He starts writing down every transaction.
He starts taking screenshots,
who pressed what, what happened where.
He starts a formal dispute process with them,
says that he wants to report a system defect, is very clear about his words,
and is very demanding of an audit before any penny is taken from his pay.
If he had known that the software had so many issues, I mean, which of course he didn't,
and if he had taken the time, maybe he could have shown them. Or maybe not. But maybe he could
have written to his MP. Maybe he could have got a lawyer to send them a letter.
And maybe, just maybe, that would have pushed them to look into it, to get off the script,
and then somebody would stop saying it's your problem, if the numbers don't balance, you just need to pay.
If he could get people's attention like that, maybe he could get the issue escalated. Maybe then
Fujitsu would have stepped in. They would have taken a real look, and maybe they would have straightened things out.
I do think it's possible. But think about what this really means. Scott's got to operate this business,
and all of a sudden now he's got to be a legal expert, be a forensic accountant, be a site reliability
engineer, and use some sort of bureaucratic kung fu to get people's attention while customers
wait in line and want to get their pensions or want to get their packages. He's supposed to risk
his payroll and his reputation and all this hope on the fact that he could make some change
happen. And there were 14,000 subpostmasters. And many of them were having problems. So it's a lot
to get above the noise when you're contacting the support line and their job is to get you
off the line and move on to the next one. And Scott didn't have a map to all of this. He didn't know
that all this was going on. All he had was this useless support line and his lease payment and this cash
drawer that never matched the numbers on his screen and these people telling him he had to pay.
And so the next time, he just entered what the computer wanted him to so that he could open up
his shop and he could do his business. It's a choice that's completely human and totally understandable
and one that would get him arrested. I think it's interesting, sad, but interesting how you can
look at the details of this and see how it ended up where it did. Horizon is the textbook case of
how big software projects go wrong. Yes, the goal was to modernize every post office counter and
replace benefit books with a payment card. But government projects like this have a bad track record.
The bigger the project, the lower the chance of success. And this project was one of the largest
IT contracts in European history. As I mentioned, on paper, this project was supposed to do two things.
the welfare payments and computerize the accounting. But that involved two different agencies and
two different sets of requirements and it all was in one contract and it went sideways. Patrick McKenzie,
patio11, he's covered stories like this before. He says government software projects fail for
pretty predictable reasons. He says all systems reflect the culture they are created in. No system of
importance can be accurately described without the context of the culture that created it. In other words,
institutions and the culture of how things are done are the hard part of government software,
not the technical details. Because maybe they could have straightened out the technical details,
but things were already a tangle. There was overlapping institutions and there was
conflicting incentives between the software company and the subcontractors and the post office.
And everybody had a contract and everybody was working to contract. And when you build
software to contract, you get something that hits the checkboxes, that has the process.
But maybe it's not working.
The problem is that government procurement processes don't reward working software.
They reward compliance and following the RFP and auditability.
It's like ordering a car with a parts list.
You can check every box for all the pieces of a car,
but end up with something that doesn't actually get you anywhere.
And then because institutions hate admitting failure,
they basically can never admit failure.
The easiest path to salvation when the welfare project failed
was just turning this whole thing into the Horizon postmaster
system. This software project is tragic, but it's also kind of fascinating. There's just
so many things that went wrong. And I can't possibly go over everything that went wrong here.
And as patio11 said, it's more cultural than being a specific person who made a specific
error in a specific place. But for one interesting example, imagine you're going to roll out this system.
It's a nationwide, offline first point of sales system with active users across every small village
and major city in all of the UK.
In other words, it's a lot, right?
And there are a lot of ways to roll out a system like this.
If you're forcing the use of a failed project to save face,
you should consider maybe rolling it out piecemeal,
doing a canary deploy of some sort
or doing some sort of gated rollout.
Try to use the software in a small number of post office-owned stores.
Keep a very close eye on it in small numbers like that.
Maybe just one slow store to start.
but really spend time and make sure each issue is resolved and investigated.
There was actually 115 post office stores that were owned and operated by the Crown.
And so that is a feasible plan.
Just do those 115, investigate every problem, maybe run the system side by side with the old
system and see how it lines up.
That's something I would suggest.
But the institutional reality of large government organizations pushes projects of this scale
towards big bangs.
The software is done.
We had checklists and all the checks have been checked.
No one is going to raise their hand to say, oh, actually, there's this problem over here.
So when rollout started, in 2000, when these Horizon terminals, when these Windows NT boxes were bolted to scales and given barcode scanners and receipt printers, it was rolled out to all 14,000 village post offices all at once.
And I'm assuming because before rollout, we decided that the software was correct and perfect for the task.
I'm using air quotes here, but you probably can't see them.
But because we decided it was correct and perfect,
except for some known issues that actually Fujitsu is keeping to themselves,
there's a simple rule, right?
If your books don't balance, it's because of you and not the software,
and so you must pay the difference.
And that's why, as Scott was taking over his post office shop,
Horizon had all these failure conditions perfectly lined up,
all the things that patio11 warns about.
So by early 2000, as Scott was taking over his village shop,
Horizon had all, you know, the hallmarks that patio11 warns about. A contract that's optimized
for process over getting the right outcome. Lots of people who can veto things, but yet no single
accountable owner. An architecture that amplifies small glitches into accounting discrepancies
and an institution that's unwilling to admit that there might be fault. So when those glitches
hit, the entire weight of the institution tilted towards prosecuting the subpostmasters
because to admit otherwise would be to admit that the project itself was a failure, right,
that so much money was gone that was wasted.
Or, as Patrick McKenzie puts it, risk rolls downhill.
The ledger goes wrong, the people with the least power end up holding the bag
because they can't prove who's at fault.
That's the interesting thing to me.
When Scott picked up the phone line for help, he didn't reach the people who actually built Horizon.
He got the post office support, and their real job wasn't to escalate bugs.
their job was to keep things from ever reaching Fujitsu because of contracts and processes,
right? Because sending things up to Fujitsu had a cost and it had all the overhead and painful
machinery of a giant government vendor relationship. So the defaults were simple, right? If Horizon
glitched, that was Scott's problem. If the till didn't balance, he had to make it good. Small issues never
became system bugs. They became debts because nobody else wants to admit there's a problem.
Fujitsu wasn't going to eat the risk. The post office wasn't going to
eat the risk. So all the risk just rolled down onto Scott. And that's why things did not go well
for Scott, right? He ended up in handcuffs and he was put in front of a judge in court. Yeah,
I naively thought, well, I haven't taken any money. I haven't stolen anything. I haven't done
anything wrong really. If I go to court, the legal system will back me up. But it turns out
it's not quite like that. So I had to plead guilty to false accounting. Otherwise, I would be
going to prison because the judge would have just said, well, you did lose
false accounting, you know.
It was like, oh no, you know, so another lesson there.
A bit naive.
I really did think that it would come to my aid in the end, but it didn't.
So if you plead not guilty, when you are guilty, you don't get a suspended sentence.
So I would have been going.
So I had to plead guilty to keep myself out of prison.
So off to court, I get prosecuted, I get a prison sentence.
I didn't actually go to prison.
I had a suspended prison sentence, which meant I couldn't travel, I couldn't say, I couldn't
come to Toronto.
And also because his story is in a small village, his arrest was front page news.
I'm in the newspapers as like this crooked postmaster, dishonest postmaster, you know.
So what are people going to think about that, you know?
Luckily, the people that knew me, they knew something wasn't right.
But the wider public that knew me that, you know, from having this post office, they didn't
know, did they?
They presumed I've been up to no good.
Then the next problem, Scott can't operate his store anymore.
He doesn't have a license to operate as a postmaster.
Yeah, well, that's right.
I own the business.
We had a loan taken out against our home,
which was work, everything was working fine up until this point.
And suddenly now, the business has been closed,
but I've still got the loan against it to pay.
The shop closed down now and the post office closed down.
I avoided bankruptcy.
Somehow, it's a long story, but I managed to avoid bankruptcy, which can get you out of debt,
but it means, well, a decade of, you know, trouble.
You can't even get a bank account and things like that if you've been made bankrupt.
But anyway, I avoided that, and somehow we managed to hang on to our home and get rid of the lease
from the shop and everything, but it was just disaster, you know.
I was in debt, had county court judgments against me for suppliers that I couldn't pay.
Not large amounts, but it's just embarrassing, you know. I'd had a great relationship with all these
suppliers for years, you know. Now I can't pay them, you know, and them having to take me to court
and everything, it's just so embarrassing.
And was this hard for you, like mentally, emotionally?
Yeah, it was.
Yeah, yeah, it really was. I mean, you just felt down. You felt, when you walked around your hometown,
that people were going, oh, that's that guy, it's that guy there, we read about him, you know, even if they
weren't. You felt like that. And so wandering around, going for any socialising, you're always
wary of, are people looking at me? This goes on for quite a long time. It's probably irrational because
as you know, you're in the news for a day and people generally forget, I don't know if they
forget about that kind of thing. So, you know, it's irrational, but this is the kind of anxiety that
causes in you that goes on for quite a long time, honestly, in many years. I couldn't get a job,
because, you know, I don't know what it's like where you are,
but you have to, on job applications, you have to say if you've got any criminal convictions.
And if you say no, you're committing another offence, you know.
So you have to say yes.
And come on, it's human nature on job applications.
If people have got a current criminal offence, they're going to stand a much less chance, aren't they, have been employed?
So that was a position I was in.
So I'd gone from earning pretty good money, doing this business, to state benefits,
unable to find a job for three and a half years,
and I got an 80-year-old daughter at this time.
For years, the post office blamed Scott for all those losses,
but the full story only came out much later,
20 years on when a public inquiry finally made all the details public.
Everyone finally saw that people like Scott
were broken by the very organization they wanted to serve.
For most people in the UK,
Scott and the other sub-postmasters were the face of the post office.
They were the friendly person helping you with your pension statement,
selling you your stamps, weighing your Christmas parcel.
Those were the people you trust.
they're the last ones the organization should turn against because they're the heart and the
face of your business. I don't know how they could sleep at night. I don't know how they could go on
holiday with the families and knowing that this is going on and they would say nothing about it.
But in big corporations, it appears that there's this kind of group think mindset, you know,
that people just do not, they just don't rock the boats, you know, they just keep the head down
and carry on despite knowing what's going on.
It's true. I have worked on similar software projects before. I worked on something that was not unlike Horizon, but for a big Canadian government project. It didn't go well. It didn't go as badly as this, but that's not really saying much because, I mean, this went incredibly bad. But that's what makes this so interesting for me, because I can understand what it's like to be the people at Fujitsu or what it's like to be the support person. But I want to say, I think we all have a duty to be good citizens to the world, even in our commercial endeavors. We need to sometimes
take the corporate blinders off and see what's going on in a wider context. It's easy in an organization
to feel compartmentalized, that you don't have a role in the things that you're doing. But you do,
right? And there was in fact a whistleblower from within Fujitsu, and he was helpful to unraveling
this whole thing. But there should have been more people coming forward. There should have been more
people trying to resolve things. And there should be more in the future. If your ride share company
is quietly shorting drivers on their pay and you know about it, you know, speak up, tell somebody, tell
me. When you notice something at work that feels off, when you realize your organization might be in
the wrong, don't just ignore it. Take a closer look. See if there's a way that you can do the right thing,
even if it's not your job description. It's hard to do. I get it. You're busy. But if someone is going to jail
because of a software bug, or losing their health coverage, or not getting paid for their work when they
really need to get paid, then that matters. Because these risks often roll downhill. Gig workers are hit the
hardest and they're the least able to shoulder these burdens. So if you see something, say
something. That's why I wanted to share this episode. Doing the right thing isn't easy,
but it is possible. Thankfully, though, the UK, I think they may have learned their lesson.
I think that's one thing that's going to come out to it, which will help future. It'll stop
the people just saying the computer says this, you're on it, and people go into prison,
you know, so it will stop that thing. But as for software
companies, they said, oh, there has to be a duty of candor somehow.
They can't load the risk of their systems onto other people, which is what they did.
Every system's got faults.
I mean, so what?
But if they flagged up on your screen that there's been a fault, there's been a bit of a discrepancy in your
branch for putting it right, you'd just have faith in the fact that this system's
constantly being, you know, looked after.
But instead, there was none about, and off to prison we went, you know, that kind of thing.
It all seems so Victorian now already, you know, that's how they treated people.
So I don't know how it's going to work for the ordinary people in the future, but yeah,
things are going to change, let's see if it changes for better protection.
For Scott, things still haven't worked out.
Between 2017 and 2019, 555 sub-postmasters, of which Scott was one, sued the post office,
and they won.
But after legal fees, which ate like half the money,
they each got about 20,000 pounds.
And Scott, along with 62 others, didn't get anything at all
because they had Horizon-related convictions.
They were excluded from the payout because they had pled guilty.
You plead guilty, you get nothing.
But then in 2024, a TV drama about the scandal caught the attention of the prime minister,
and now new legislation is probably going to overturn Scott's conviction,
and it's probably going to help them get compensated.
But it hasn't happened yet, right?
These things move slowly.
And it's been over 20 years.
We started back in 2005 with Scott sitting in a parking lot, counting customers.
Back then, he was excited about the post office, but now he feels completely different.
Oh, yeah, I don't even like the vans going past with the sign on the side.
You know, I can't even stand to see that.
I turn away from that, you know.
So, no, I'll try me best not to go in one.
I can't remember the last time I went to one, actually.
I think I did have to go in one at some point in the last 10 years, but it's been a long time.
I won't go in if we can help.
I hate the thoughts of it, really.
That was the show. Thank you to Scott Darlington for sharing something that I hope most of us will never have to live through.
His book, Signed, Sealed, Destroyed, tells more of that story. It's a self-published book, and I loved it.
I don't know if you can tell, but I can't say which specific Horizon defects affected him.
What you heard here is kind of my reconstruction based on looking through all the documents.
Because of the inquiry, there was a giant trove of documents released, and I found it interesting
to dig through them and to try to imagine what this was all like and what it was like to be
an engineer or a support person at Fujitsu or at the post office. If you want to see the story
from another angle, check out Mr Bates vs The Post Office. It's a dramatization of some of the
key events in the scandal. I've not watched it at all because I heard about the story and I
kind of wanted to pursue my own path. I wanted to talk to a victim and I wanted to dig through
the documents, which is something I like doing. Maybe I'm a bit of a weirdo, but I'll probably
watch it now and it'll probably make me think of all the things I should have done to make this
episode better. Also, a huge credit to Computer Weekly. They are a long-running online publication
for IT professionals and they broke the story. For years, they covered
the failures of the Horizon system in more depth than any mainstream outlet could ever get away with.
And because of that and because of postmasters who refused to give up, there was this inquiry
and things did get resolved. But yeah, thanks to the team at Computer Weekly, that is incredible
work. And because Scott is more than just, you know, a downtrodden victim of the post office,
here's some music I found Scott performing with some rowdy people yelling in the background.
Don't know who owns this music. Please don't sue me.
And until next time, thank you so much for listening.