PraxIS Apr. 2007

07-04 Contents: Historic CC theft, Enforcement, ScanXLS 2007, Spreadsheet audit course, news and downloads

ISSN 1649-2374

Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success  


1) Risk & Security
     Biggest credit card theft - so far
     Consequences - the stick
     Human Error
2) ScanXLS 2007
     List all your spreadsheet files with an overview of their contents
3) Spreadsheet Best Practices training, Dublin
     Learn how to detect and prevent errors
4) Spreadsheet news
     New products, free downloads
5) Off Topic
     Photos and short video clips from Iceland
20 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information


Welcome to PraxIS

My big news this month is the release of version 3 of ScanXLS. I also announce my next public course in spreadsheet checking techniques. There are discounts for buying within the next week!

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  IT Risk and Security

Biggest credit card theft - so far

45.7 million people were hit in the biggest credit card security breach in history. Customers who shopped at the company's TK Maxx stores in Ireland, the UK, Canada and Puerto Rico were all targeted, and the hackers were able to view unencrypted credit card data as payments were processed between store tills and the banking networks. The data was accessed on TJX's systems in the UK and in Massachusetts over a 16-month period, and it covered credit and debit card transactions dating as far back as December 2002. The company also disclosed that another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information. In Florida, the gang used the cards once to buy $400 gift tokens. These were then convertible later, and there was no way to link a gift token number to the card number used to purchase it.

TJX's SEC filing is listed at:

Encryption that was later introduced didn't work because the intruder had access to the decryption tool for the encryption software. That probably occurred because the tool was stored on the same computer as the encrypted file. Scoping the damage done is made more difficult because not only did the intruder cover up their tracks by deleting log files, the company also routinely deleted transaction files ... but too late to avoid the hack.

The incident has already cost the firm $5 million in expenses related to the investigation, cleanup and shoring up of security measures, with future costs including compensating potentially huge numbers of fraud victims.



Consequences - the stick

Kurt Milne quotes a VP of security at one of the world's top 15 largest banks, who said:

"You have to make people responsible for getting things done, and accountable if they are not. You can have a great change control system, configuration management, control every aspect of the environment -- but if people don't follow the process and you are not going to do anything about it, you are not going to make a lot of progress. As an example, at another company I worked for, we had an end of year production freeze with no changes. Yet four changes were detected to the production system. What happened to the people who made the changes? Nothing. What happened to their bosses? Nothing."

A technology approach to what to do when an unauthorised change is detected might be to send the author an email requiring them to take a test on change control policies and copy their manager with their results.

A more person-oriented approach is to always review changes at a regular meeting with management and trace the reason for every exception back to its root cause. If the process needs to be improved, it gets improved; if not, the author knows that unauthorized changes will get management attention.



Human Error

Here is a process focus on the causes of error rather than the characteristics of errors:

Is Your Enterprise An Error Enabler? February 21, 2007 By George Spafford

There are a number of situations that dramatically increase the odds of human error, yet organizations continually fail to manage them. I've snipped just the headings from his article; read it to get the detail:

Increased Complexity
Operating Under Tight Deadlines
Human Fatigue
Task Switching
Insufficient Planning



2) ScanXLS 2007

New version 3 of ScanXLS

April 16th 2007 is the release date of the Excel 2007 version of ScanXLS, my spreadsheet to produce a directory of spreadsheet files and measures of their quality. The price will be 99 euro from 8am BST on Mon 16 April. Readers of PraxIS can order it at the old 59.95 euro price until then.

Differences from ScanXLS 2.3

ScanXLS3 works in Excel 2007 and can process the much larger files in that version, 16384 columns by 1048576 rows.

Sheet Excel lists the Add-Ins available to the current user.

Sheet ScanXLS has added many types of error and suspect constructs. It allows you to specify as many properties and search terms as you wish. It optionally reports a detailed list of cell addresses with errors.

Sheet Links gives the Link Status. A new button Draw Arrows gives a visual indication of the dependencies among the workbooks.

Sheet PQLinks is new, listing the external Pivot Table and Database Query links with the connection string and query text where available.


3) Spreadsheet Best Practices training course, Dublin

Spreadsheet Audit Training Course, Dublin 22 May

The next public one-day training course will be run on Tue May 22 in the training PC room of the Irish Computer Society. Mount St. Crescent, Dublin 2, Ireland. There is an early bird discount of 100 euro until 8am April 22, so talk to your training budget manager now!

I also deliver this course in-house, tailored to your organization’s specific needs. Individual support can be given and confidential spreadsheets assessed. Contact me for more details on the syllabus.

Participants will learn by a combination of lectures and practical hands-on work:



Spreadsheet Check and Control: the book on how to detect and prevent errors. Available worldwide from Amazon. Our offer - free shipping to EU.


4) Spreadsheet news

ExSafe from ROISoft debuts

In an article entitled "Spreadsheet security? What spreadsheet security!" Phil Howard of Bloor Research mentions the new tool ExSafe from ROI-Soft, an Irish company: ExSafe adds cell level security and even protection of Excel's temporary files.

I already use SpACE from HMRC and EXChecker from Compassoft in my training courses. Other new products are Prodiance Spreadsheet IQ, which is also available on CNET, and Lyquidity ComplyXL. See also Sarah Seddon's blog at



The missing equation editor for Excel

Free XLC software gives MS Excel the capability of displaying cell formulae as mathematical equations.



Keyboard shortcuts for Excel

Rickard Warnelid pointed me to his useful list of handy Excel keystroke abbreviations for common commands on his web site

Other versions are available at:  Excel 2000  Excel 2007 - 214 keyboard shortcuts, links to: 



Frankensheet & Mirth

What do you think these words might mean?

Flufferpoint, Spreadalanche, Defart, Frankensheet, Quack-Scholes, Reporticane

They are all winners of the Juice Analytics Sniglets Contest:




Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

5) Off Topic

I have now uploaded some of the photographs and videos I took during my visit to Iceland in February.

Photographs on Flickr:

Videos on YouTube:

The videos are short captures of Strokkur geyser, Gullfoss waterfall, and feeding the ducks on Reykjavik pond.


Copyright (c) Systems Modelling Limited. Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the web site. I moderate posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to from your web site!
To read previous issues of this newsletter please visit our web site at

This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website