Database Error Causes Unbalanced Budget
This story of a database error cascading into a major failure has some interesting security morals:
A house erroneously valued at $400 million is being blamed for budget shortfalls and possible layoffs in municipalities and school districts in northwest Indiana.
[…]
County Treasurer Jim Murphy said the home usually carried about $1,500 in property taxes; this year, it was billed $8 million.
Most local officials did not learn about the mistake until Tuesday, when 18 government taxing units were asked to return a total of $3.1 million of tax money. The city of Valparaiso and the Valparaiso Community School Corp. were asked to return $2.7 million. As a result, the school system has a $200,000 budget shortfall, and the city loses $900,000.
User error is being blamed for the problem:
An outside user of Porter County’s computer system may have triggered the mess by accidentally changing the value of the Valparaiso house, said Sharon Lippens, director of the county’s information technologies and service department.
[…]
Lippens said the outside user changed the property value, most likely while trying to access another program while using the county’s enhanced access system, which charges users a fee for access to public records that are not otherwise available on the Internet.
Lippens said the user probably tried to access a real estate record display by pressing R-E-D, but accidentally typed R-E-R, which brought up an assessment program written in 1995. The program is no longer in use, and technology officials did not know it could be accessed.
Three things immediately spring to mind:
One, the system did not fail safely. This one error seems to have cascaded into multiple errors, as the new tax total immediately changed budgets of “18 government taxing units.”
Two, there were no sanity checks on the system. “The city of Valparaiso and the Valparaiso Community School Corp. were asked to return $2.7 million.” Didn’t the city wonder where all that extra money came from in the first place?
Three, the access-control mechanisms on the computer system were too broad. When a user is authenticated to use the “R-E-D” program, he shouldn’t automatically have permission to use the “R-E-R” program as well. Authentication isn’t all or nothing; it should be granular to the operation.
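A sketch of the second and third points together, added here as an illustration and not taken from the county's system: each program code is authorized per operation with default deny, and an implausible reassessment is held for review instead of flowing into tax bills. The role names, the "REA" code for a live assessment program, the 10x threshold and the parcel values are all assumptions.

```python
from dataclasses import dataclass, field

# "RED" and "RER" are the codes from the story. The roles, the "REA" code for a
# live assessment program and the 10x threshold are assumptions for illustration.
COMMANDS = {
    "RED": {"action": "display", "roles": {"subscriber", "assessor"}, "retired": False},
    "RER": {"action": "reassess", "roles": {"assessor"}, "retired": True},
    "REA": {"action": "reassess", "roles": {"assessor"}, "retired": False},
}
MAX_CHANGE_RATIO = 10  # a reassessment beyond 10x either way needs human review


class Denied(Exception):
    """Raised when a caller is not authorized for the requested operation."""


@dataclass
class Parcel:
    parcel_id: str
    assessed_value: int
    pending_review: list = field(default_factory=list)


def authorize(role, code):
    """Default deny: unknown, retired and out-of-role commands are all refused."""
    cmd = COMMANDS.get(code)
    if cmd is None or cmd["retired"] or role not in cmd["roles"]:
        raise Denied(f"role {role!r} may not run {code!r}")
    return cmd["action"]


def reassess(parcel, new_value):
    """Sanity check: an implausible change is queued for review, not applied."""
    old = parcel.assessed_value
    implausible = (not isinstance(new_value, int) or new_value <= 0
                   or new_value > old * MAX_CHANGE_RATIO
                   or new_value * MAX_CHANGE_RATIO < old)
    if implausible:
        parcel.pending_review.append((old, new_value))
        return "held_for_review"
    parcel.assessed_value = new_value
    return "applied"


def dispatch(role, code, parcel, new_value=None):
    """Check permission for this specific operation before running it."""
    action = authorize(role, code)
    if action == "display":
        return parcel.assessed_value
    return reassess(parcel, new_value)
```

With these checks, a subscriber who mistypes R-E-R gets a denial, and even an authorized assessor entering $400 million leaves the stored value untouched until someone reviews it.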