
Eric DeGrass
August 19th, 2025
A recent BBC investigation revealed that Her Majesty’s Courts & Tribunals Service (HMCTS) delayed addressing or potentially concealed a serious IT bug that caused evidence to go missing, be overwritten, or vanish entirely. The leaked internal report confirmed that judges across civil, family, and tribunal courts may have made rulings based on incomplete evidence, while HMCTS itself acknowledged it did not fully assess the extent or impact of the data corruption.
On the surface, this might seem like a typical example of a software defect causing “data loss”. The true significance lies in how the flaw unfolded in a real-world, high-stakes environment. This was not simply a technical glitch. It had direct and devastating consequences for justice, the lives of individuals involved in court cases, and public trust in the legal system.
This distinction underscores a vital lesson. Severity labels such as “system outage,” “data loss,” or “poor user experience” are too generic. What really matters is how a flaw interacts with context-specific business processes and real-world consequences. In the HMCTS case, even a seemingly minor technical error had a potentially irreversible impact on court rulings.
Organizations must adopt their own context-sensitive risk assessment frameworks, especially when evaluating vendor-reported bugs. Vendors naturally rate flaw severity from a broad, generalized standpoint, which can miss the unique ways defects manifest in specific environments. Each organization has its own workflows, legal obligations, and downstream impacts that generic severity metrics cannot capture.
BugZero was built to address exactly this challenge. By providing built-in support for organization-specific risk rankings and seamless integration with ServiceNow, BugZero ensures that every identified vendor bug is evaluated against the organization’s own risk framework and risk appetites. This makes it possible to guarantee a managed, timely, and effective response based on the true operational impact, not just a vendor’s generic classification.
To learn more about how you can define your own Risk Ratings, visit https://www.findbugzero.com/contact.