The Register

A new court filing has revealed the UK’s Department for Work and Pensions accepted a bid from Capita to run its new Oracle-based HR and finance system at £272 million less than its own cost modelling. In March, the UK outsourcing company won the contract for running shared services for £370 million over ten years. The central government department had earlier produced a "Should Cost Model" — designed to protect against a bias towards low bids — which provided a total price of £642 million, according to court papers. Capita’s bid was 42 percent less than the “should-cost” estimate. Since January, the deal to run HR and finance systems for four UK government departments has been the subject of a legal claim from rival bidder Sopra Steria, which alleges Capita's bid was "abnormally low" and based on staffing "significantly below the current levels." Capita has already told The Register it took part in a robust procurement process and stands ready to work with the DWP to ensure a smooth transition of service and value for money. A DWP spokesperson has previously told us: "We have signed a contract with Capita to deliver the Business Process Service and are committed to ensuring a smooth transition. Our priority is continuity of service and value for money for the public." Through its subsidiary SSCL, Sopra Steria has been running back-office shared services for the DWP, the Ministry of Justice, the Cabinet Office and the Department for the Environment, Food and Rural Affairs, based on Oracle eBusiness Suite 12.2.6, since 2013. In 2024, the DWP led the procurement for a new Oracle-based SaaS system and awarded the deal to IBM and Big Red for £711 million ($950 million), with the Home Office set to join the shared service at a later date. Capita’s 10-year deal to run the Business Process Services (BPS) for the group of Whitehall departments — known as the Synergy cluster — is part of the government's shared services strategy it says will offer £4 billion in benefits. In its defense against the claim, the DWP alleged that Sopra Steria was in breach of an “Ethical Wall Agreement” by basing its case on a document the department sent in error. A Sopra Steria spokesperson told The Register: "Sopra Steria was not excluded by the DWP from the procurement, and we do not accept that there was any breach of the Ethical Wall Agreement." In its defense, the DWP also alleged that Sopra Steria’s bid was “excessively high.” In the recently disclosed reply to the defense, Sopra Steria denies that claim by producing evidence from the "Should Cost Model" the department developed during the procurement in accordance with Cabinet Office guidelines. The model put the contract price at £642 million. Sopra Steria notes its price was less than the model price, and not "excessively high" as the DWP alleged, although details of its bid are redacted. Cabinet Office guidelines state that complex outsourcing projects shall produce a “Should Cost Model Estimate” as part of the delivery model assessment. They refer to a Sourcing Playbook which states that the model can help “demonstrate value for money, to inform the development of payment mechanisms or to help protect government from ‘low-cost bid bias’.” The Playbook says that if a bid is more than 10 percent lower than either the average of the other bids or the “Should Cost Model” estimate, it should be referred to the Cabinet Office’s Government Commercial Function. The Register asked the DWP if it had referred the Capita bid in that way. Officials said it would be inappropriate to comment further, as the procurement is currently subject to an ongoing legal process. Last month, during a hearing of the UK’s Parliamentary spending watchdog, Labour MP Clive Betts questioned why the DWP would pick Capita after its performance on the Civil Service Pension Scheme, which has sparked protests. Users of the pension portal launched last year were quick to complain about login failures, broken links, and unfinished-looking pages after the launch. MPs later heard the system went live without full functionality in place and struggled to handle the volume and complexity of cases transferred from the previous administrator, MyCSP. Dianne Jeans, DWP Senior Responsible Officer for the Synergy Programme, told the Public Accounts Committee that the shared service award was “a very different scenario than from pensions.” She said the award to Capita followed all the government regulations and processes. “We also had strong legal and commercial oversight and subject matter experts from all four Departments assessing the competing bids throughout the whole process. Capita emerged as the clear preferred bidder under Government procurement processes,” she said. ®

A City of York Council email mishap exposed the email addresses of hundreds of Blue Badge holders in the ancient Viking capital, inadvertently revealing their status as disabled residents and triggering a data breach investigation. The council confirmed to The Register that it’s investigating what it described as a "personal data breach" after emails sent to residents last week were distributed without using the blind carbon copy (BCC) function, allowing recipients to see everyone else on the mailing list. According to local reports, the council sent three emails containing Blue Badge-related updates before issuing a fourth message acknowledging the error and asking recipients to delete the previous emails, including from their deleted items folders. Recipients were also warned to remain alert for suspicious messages following the incident. While the exposed information appears to have been limited to email addresses, the breach is especially sensitive because everyone on the distribution list was receiving communications intended for Blue Badge holders. In practice, that meant recipients could identify hundreds of people as members of a group generally associated with disabilities or mobility impairments. One affected resident told local media that the disclosure had left her upset because most people in her life were unaware she held a Blue Badge. "Honestly, I think it's just disgusting – we've been given the details of hundreds of disabled people, which feels unsafe," she said. In a statement to The Register, a spokesperson at City of York Council said it activated its data breach procedures as soon as the error was identified and is conducting a risk assessment in line with guidance from the UK Information Commissioner's Office. "We're working carefully to establish exactly what's happened, alongside conducting a thorough risk assessment ... to understand any potential impact on individuals," a spokesperson said. “Our investigation is ongoing, and we’ll continue to be as open as possible while ensuring the accuracy of the information we provide.” The spokesperson declined to say how many individuals were affected or whether the issue was caused by human error or a technical issue. The council added that it was assessing whether the incident meets the threshold for notification to the ICO within the statutory 72-hour reporting window. That may depend less on the email addresses themselves than on what the mailing list revealed. A spokesperson at the ICO told The Register: "We can confirm that we have received a data breach report on this matter, and following an assessment of the information provided we have closed the case with advice given.” For all the talk of AI-powered cyber threats, it seems some organizations remain committed to the classics. ®

Britain's National Crime Agency (NCA) has been told to urgently overhaul an IT estate so dysfunctional that officers say they are fighting serious organized crime despite the technology rather than because of it. A new report by HM Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS) has delivered a bruising verdict on the National Crime Agency's tech, concluding that the systems underpinning Britain's fight against organized crime are no longer up to the job. The criticism lands despite inspectors otherwise finding much to like. The NCA was graded "Good" in several operational areas, including tackling serious and organized crime and working with partners. But throughout the report, inspectors repeatedly return to technology as a fundamental weakness running through the entire organization. "The NCA's IT infrastructure isn't fit for purpose," the report states. Inspectors backed that assessment with a long list of examples, from officers manually re-entering data and sharing information by hand to teams relying on spreadsheets and other workarounds due to a lack of confidence in official systems. According to the report, around 70 percent of critical IT incidents each month are linked to that technical debt, the result of years spent prioritizing short-term fixes over long-term modernization. Officers told inspectors they did not trust the agency's systems, while others described technology as a major drag on productivity. One interviewee summed up the mood: "IT is a blocker; we achieve in spite of it." Another was even less flattering. "When I started in policing 15 to 20 years ago, I had better technology than I do in the NCA." The report paints a picture familiar to anyone who has worked in a large public sector IT environment. Officers told inspectors they routinely enter the same information multiple times, rely on manual processes, and manually transfer data to external partners. Some said the agency lacks even a basic personnel directory, making it difficult to find the right colleague when they need help. While the NCA operates a corporate system called ATLAS CM, inspectors heard that officers are using as many as 50 different case management methods across the agency, including spreadsheets and other manual workarounds, often due to a lack of confidence in the official platform. The agency's security architecture has also produced its own headaches. Because data sits across multiple government security classifications, many officers reportedly require at least two laptops to do their jobs. Inspectors spoke to some staff who were using four separate machines and said they witnessed the resulting inefficiencies firsthand. In a separate HMICFRS inspection published last year, inspectors found the agency was still relying on around 260 legacy IT systems more than a decade after beginning a project to modernize IT, with technical debt consuming roughly 80 percent of entire IT budget. These ongoing IT problems appear to be taking a toll on morale as well. In the NCA's 2024 staff survey, only 33 percent of respondents said they had the tools needed to do their job effectively. Inspectors concluded the problems are not solely the NCA's responsibility. They also pointed the finger at the Home Office, arguing that short-term funding cycles and a lack of coordinated investment have slowed modernization efforts. HMICFRS has given the NCA and Home Office until September 30 to explain how they intend to dig the agency out of its technology hole, complete with timelines, funding requirements, and a plan to retire aging systems. Criminals may have embraced ransomware, encrypted communications, and industrial-scale cybercrime. But according to inspectors, the NCA is still trying to get some of its own systems to talk to each other. ®

Train travellers are poorly served by the UK’s mobile networks, says Ofcom. Tests on railway lines in England, Scotland and Wales revealed disappointing signal across 24 rail segments, with results falling short in 83 percent of cases. The communications regulator is now calling for a nationwide effort to raise the standard of mobile coverage passengers can expect. On-board Wi-Fi was also tested by Ofcom and it performed well just one percent of the time. This writer can attest that on train journeys to London, the mobile network signal is often too weak to allow doom scrolling on social media - which is perhaps no bad thing. Ofcom’s report [PDF] found that even the best performing network (EE) met the Good Performance threshold less than half the time, while Three, O2 and Vodafone could only achieve this between 17 and 21 percent of journeys. For the purpose of the tests, Good Performance was defined as a download speed of at least 5 Mbit/s, an upload speed of at least 1.5 Mbit/s and a response time (latency) of 50 milliseconds or better. This level should allow a passenger to stream video or browse the web without noticeable delays. Ofcom tested cell performance on main line rail journeys, and most of these were in England, with a few in Scotland and just a solitary line along the south coast in Wales. Northern Ireland was not included in the tests. According to the results, the best performance was on the London Victoria to East Croydon line, south of the capital, or London to Bristol – but only for EE users. The problem is down to weak mobile signal strength along rail corridors, which can be further attenuated by certain types of rail carriage, Ofcom says. Rural and intercity passengers unsurprisingly experience a worse service than those in urban areas, where there are more cell base station sites. However, latency turns out to be the main reason why tests failed to meet the Good Performance threshold. Even when download and upload speeds were adequate, network delays proved to be the bottleneck, Ofcom says. One aspect of the study relates to the technologies operating across the four networks. EE has a roughly even three-way split between 4G, 5G Standalone (5G SA), and 5G Non-Standalone (NSA), which the report says “represents the most advanced 5G deployment observed in the study.” Three remains predominantly a 4G network along the rail corridors, accounting for 68 percent of samples, 32 percent as 5G NSA and no 5G SA encountered during testing. Vodafone and O2 sit somewhere between these findings. Despite Vodafone and Three sharing their networks as part of their ongoing merger, Three users were not able to use Vodafone 5G SA at the time of the survey, Ofcom found. In the case of Wi-Fi, only South Western Railway, which is testing a trackside millimeter-wave tech, delivered a meaningful service as part of their technology trial, Ofcom says. Throttling by train operators is too severe, it found, with caps of about 1 Mbit/s on some routes preventing passengers from enjoying Good Performance. The on-board service also used older standards, typically Wi-Fi 4 or 5. In-train connectivity does not yet consistently meet the expectations of modern passengers, the report concludes, with significant variation by route, operator and time of day. Improving the experience will require coordination between mobile operators, train operating companies and others, plus supportive policy and regulatory frameworks. Kester Mann, CCS Insight director for consumer and connectivity, told us: "bringing reliable mobile connectivity to trains is hugely challenging. It requires connecting to multiple masts and other network infrastructure while travelling at speeds of 100 MPH or more. Tunnels and cuttings make the job even more demanding." He said many tracks pass through rural areas where mobile coverage is weak or absent. "Poor signals on trains is a regular customer frustration that the mobile industry, Government and train operating companies have long struggled to address." The regulator wants to hear from interested parties on the issues raised in this report, and welcomes responses between now and July 29. “People rightly expect connectivity they can count on - and delivering it will require a joined‑up national effort,” said Ofcom’s Group Director for Infrastructure and Connectivity, Natalie Black. ®

ON CALL Buckle in, dear readers, for an extreme installment of On Call, The Register's reader-contributed Friday column in which we share your stories of superlative tech support scenarios. This week, meet a reader we'll Regomize as "Solomon" who sent a story from his time working for a county sheriff's office. "I usually arrived early in the morning to get my daily stuff done before the phone calls started," Solomon told On Call. "One morning I found the Major waiting for me. He told me to follow him. I said I needed to clock in. He replied that he'd already done that for me." That told Solomon time was of the essence, an impression that proved correct as the Major broke into a jog and led him to a waiting patrol car in which the officer explained that Solomon was coming along on a raid that might need someone with IT skills to mop up afterward. "We sped through streets, with no lights or sirens," Solomon wrote. "The Major didn't say anything except 'You're a good man.'" That's when Solomon noticed the Major was wearing a bulletproof vest and carrying a belt that held a few extra magazines of ammunition. At which point he became more than a little worried. His mood didn't improve when the patrol car came to a sudden halt and the Major told him to stay in the vehicle – no matter what happened. Solomon did as he was told and soon noticed several other patrol cars arrive and heard a disconcerting increase in radio chatter. So many personnel appeared he wondered if a full-blown SWAT team might be needed for the job. "Just then, two tactical vehicles came roaring down the street from behind me and sped around the corner," Solomon told On Call. Then he heard a lot of shouting, and his mind started to race. "I need a bulletproof vest and a fully automatic rifle. I haven't been to church for years." About 20 minutes later, the Major returned and told Solomon he wasn't needed. "No computers here," the Major said, explaining the situation with a cryptic "Things moved faster than expected." Some of the officers who worked on the raid invited Solomon along to lunch after. "The burger I ate that day was the best I'd ever had in my life, I was so relieved," he told On Call. What's the most dangerous situation you've encountered while delivering tech support? Be brave and click here to send On Call an email so we can help other readers partake of your peril in a future column. ®