FUJ00122949
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a)
and 5B, MC Rules 1981, r 70)
Statement of Penelope Anne Thomas
Age if under 18 Over 18 (If over 18 insert 'over 18')
This statement (consisting of I pages each signed by me) is true to the best of my knowledge and belief
and I make it knowing that, if it is tendered in evidence, I shall be liable to prosecution if I have wilfully
stated in it anything which I know to be false or do not believe true.
Dated the day of 2010
Signature
I have been employed by Fujitsu Services, Post Office Account, since 20 January 2004 as an
Information Technology (IT) Security Analyst responsible for audit data extractions and IT
Security. I have working knowledge of the computer system known as Horizon, which is a
computerised accounting system used by Post Office Ltd. I am authorised by Fujitsu Services
to undertake extractions of audit archived data and to obtain information regarding system
transactions recorded on the Horizon system. During 2009/2010 the Horizon system was
upgraded to Horizon HNGX and the detail contained in this witness statement refers to audited
transaction records generated by this upgraded system.
Horizon’s documented procedures stipulate how the Horizon System operates, and while I am
not involved with any of the technical aspects of the Horizon System, these documented
processes allow me to provide a general overview.
At each Post Office there are counter positions that have a computer terminal, a visual display
unit and a keyboard and printer. Clerks log on to the system by using their own unique User ID
to that particular Branch. The transactions performed by each clerk, and the associated cash
and stock level information, are recorded against a stock unit and retained in a central
database. Once logged on, all completed customer sessions performed by the clerk must be
recorded and entered on the computer and are accounted for against the user's allocated stock
unit on the central database. Communications between the counter and the Data Centre are
carried out over a Local Area Network within the Branch, connecting through to a Branch
Router in each Branch. The Branch Router is then able to communicate over a variety of
possible Network types including ADSL, ISDN, GPRS, Satellite or PSTN (depending on local
availability) to the Data Centre. All communications are digitally signed at the counter, using a
key that is established as part of the Log On process, and all communications are passed via a
Virtual Private Network, preventing the information being intercepted or tampered with between
the Counter and the Data Centre. Digital Signatures are checked upon receipt in the Data
Centre to prevent tampering.
Signature Signature witnessed by
CS011A (Side A) Version 7.0 0308
The Horizon system provides a number of daily and weekly records of all completed
transactions input into it. It enables Post Office users to obtain computer summaries for
individual clients of Post Office Limited e.g. Alliance & Leicester. The Horizon system also
enables the clerk to produce a periodic balance of cash and stock on hand combined with the
other transactions performed in that accounting period, known as a trading period.
Where local reports are required these are accessed from a button on the desktop menu. The
user is presented with a parameter driven menu, which enables the report to be customised to
requirements. The report is then populated from transaction data that is held in the central
database and is printed out on the printer. The system also allows for information to be
transferred to the main accounting department at Chesterfield.
The Post Office counter processing functions are provided through counter applications that
carry out the following types of transaction: the Electronic Point of Sale Service (EPOSS) that
enables Postmasters to conduct general retail trade at the counter and sell products on behalf
of their clients; the Automated Payments Service (APS) which provides support for utility
companies and others who provide incremental in and out payment mechanisms based on the
use of cards and other tokens and the Logistics Feeder Service (LFS) which supports the
management of cash and currency movements to and from the outlet, principally to minimise
cash held overnight in outlets. The counter desktop service and the counter on which it runs,
provides various common functions for transaction and customer session recording and
settlement as well as user access control and session management.
CSO11A Version 9.0 0209
Information from customer sessions carried out on a counter is written into the central database
at the Fujitsu Services Data Centres. Various systems then transfer information to Central
Servers that control the flow of information to various support services. Details are then
forwarded daily via a file transfer service to the Post Office accounting department and also,
where appropriate, to other Post Office Clients.
An audit of information passed to the central database is taken daily by copying new messages
to archive media. This creates a record of completed outlet session details including its origin -
outlet and counter, when it happened, who caused it to happen and the outcome. These
records are written to audit archive media. Each Audited message passed from a counter to
the Data Centre includes a sequence number (known as the JSN — Journal Sequence Number)
which is incremented by 1 for every audited message.
The system clock incorporated into the desktop application on the counter visual display units
is configured to indicate local time. This has been the situation at (INSERT PO), Branch Code
(INSERT) since (INSTALLATION DATE) when the Horizon system was introduced at that
particular Post Office.
The Horizon system records time in GMT and takes no account of Civil Time Displacements,
thus during British Summer Time (BST) (generally the last Sunday in March to the last Sunday
in October), system record timings are shown in GMT — one hour earlier than local time (BST).
When information relating to individual transactions is requested, the data is extracted from the
audit archive media via the Audit Workstations (AWs). Information is presented in exactly the
same way as the data held in the archive although it can be filtered depending upon the type of
information requested. The integrity of data retrieved for audit purposes is guaranteed at all
times from the point of gathering, storage and retrieval to subsequent despatch to the
requester. Controls have been established that provide assurances to Post Office Internal
Audit (POIA) that this integrity is maintained.
During audit data extractions the following controls apply:
1. Extractions can only be made through the AWs which exist at Fujitsu Services,
Lovelace Lane, Bracknell, Berkshire and Fujitsu Services, Sackville House, Brooks
Close, Lewes, East Sussex. These sites are both subject to rigorous physical security
controls appropriate to each location. All AWs are located in a secure room subject to
proximity pass access.
2. Logical access to the AW and its functionality is managed in accordance with the Fujitsu
Services, Post Office Account Security Policy and the principles of ISO 17799. This
includes dedicated Logins, password control and the use of 2-factor access control.
3. All extractions are logged on the AW and supported by documented Audit Record
Queries (ARQs), authorised by nominated persons within Post Office Ltd. This log can
be scrutinised on the AW.
4. Extractions are only made by authorised individuals.
5. Upon receipt of an ARQ from Post Office Ltd they are interpreted by CS Security. The
details are checked and the printed request filed.
6. The required files are identified and marked using the dedicated audit tools.
7. Checksum seals are calculated for audit data files when they are written to audit archive
media and re-calculated when the files are retrieved.
8. To assure the integrity of the audit data while on the audit archive media the checksum
seal for the file is re-calculated by the Audit Track Sealer and compared to the original
value calculated when the file was originally written to the audit archive media. The
result is maintained in a Check Seal Table.
9. The specific ARQ details are used to obtain the transaction records.
10. The files are copied to the AW where they are checked and converted into the file type
required by Post Office Ltd.
11. Digital signatures that were generated at the time that messages were originally sent
from the counters to the Data Centre are checked as being correct.
12. Checks are made using the JSN that all audited messages for each counter in the
Branch have been retrieved and that no messages are missing.
13. Windows Events generated by the counters within the branch/timeframe in question are
checked to ensure the counters were functioning correctly.
14. The retrieved audit data is encrypted using PGP encryption and held on the AW in the
encrypted form.
15. The requested information is copied onto removable CD media, sealed to prevent
modification and virus checked using the latest software. It is then despatched to the
Post Office Ltd Casework Manager using Royal Mail's Special Delivery Service. This
ensures that a receipt is provided to Fujitsu Services confirming delivery.
ARQ(NUMBER) was received on (DATE) and asked for information in connection with the Post
Office at (NAME), Branch code (NUMBER). I produce a copy of ARQ(NUMBER) as Exhibit
(INITIAL/NUMBER). I undertook extractions of data held on the Horizon system in accordance
with the requirements of ARQ(NUMBER) and followed the procedure outlined above. I produce
the resultant CD as Exhibit (INITIAL/NUMBER). This CD, Exhibit (INITIAL/NUMBER), was sent
to the Post Office Investigation section by Special Delivery on (DATE).
The report is formatted with the following headings:
ID - relates to counter position
User - person logged on to the system
SU - stock unit
Date - date of transaction
Time - time of transaction
SessionId - a unique identifier for a customer session for a given counter within a
branch
Txnid - an identifier for a transaction within a customer session
Mode - a numeric representation of the type of transaction, e.g. Mode 1 translates to
Serve Customer
ProductNo - Horizon Online product code
Qty - number of items sold
SaleValue - cost of items sold
EntryMethod - identifies how the transaction was initiated (0 = barcode, 1 = manually
keyed, 2 = magnetic card, 3 = smartcard, 4 = smart key)
The Event report is formatted with the following headings:
GroupId - PO outlet branch code.
ID - counter position
Date - date of transaction
Time - time of transaction
User - person logged on to the system
stockUnit - stock unit
reportingEventId - event number as used in the Branch’s Event Log
eventDetailMsg - event description
There is no reason to believe that the information in this statement is inaccurate because of the
improper use of the system. To the best of my knowledge and belief at all material times the
system was operating properly, or if not, any respect in which it was not operating properly, or
was out of operation was not such as to affect the information held within it.
Any records to which I refer in my statement form part of the records relating to the business of
Fujitsu Services. These were compiled during the ordinary course of business from information
supplied by persons who have, or may reasonably be supposed to have, personal knowledge
of the matter dealt with in the information supplied, but are unlikely to have any recollection of
the information or cannot be traced. As part of my duties, I have access to these records.
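
The following is an added example, not part of the witness statement and not Fujitsu's tooling: it shows the checksum-seal comparison of controls 7 and 8 and the JSN completeness check of control 12, run on constructed data. SHA-256, the (counter, JSN) tuple layout and all function names are assumptions; the statement names no algorithm or file format.

```python
import hashlib
import hmac
from collections import Counter, defaultdict


def seal(data: bytes) -> str:
    """Checksum seal over a file's bytes (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


def seal_matches(data: bytes, recorded: str) -> bool:
    """Re-calculate the seal on retrieval and compare it with the stored value."""
    return hmac.compare_digest(seal(data), recorded)


def jsn_report(messages, expected=None):
    """Check JSN continuity per counter.

    messages: iterable of (counter_id, jsn) pairs (constructed layout).
    expected: optional {counter_id: (first_jsn, last_jsn)} taken from an
              independent source. Without it, messages missing from the very
              start or end of a counter's run cannot be detected, because the
              range is inferred from the retrieved records themselves.
    Returns {counter_id: {"missing": [...], "duplicates": [...]}} for every
    counter with a problem; an empty dict means no gaps were found.
    """
    expected = expected or {}
    per_counter = defaultdict(Counter)
    for counter, jsn in messages:
        per_counter[counter][jsn] += 1

    report = {}
    for counter in sorted(set(per_counter) | set(expected)):
        counts = per_counter.get(counter, Counter())
        first, last = expected.get(counter) or (min(counts), max(counts))
        missing = [j for j in range(first, last + 1) if j not in counts]
        duplicates = sorted(j for j, n in counts.items() if n > 1)
        if missing or duplicates:
            report[counter] = {"missing": missing, "duplicates": duplicates}
    return report


# Constructed sample: counter 1 lacks JSN 103, counter 2 repeats JSN 202.
SAMPLE = [(1, 100), (1, 101), (1, 102), (1, 104), (1, 105),
          (2, 201), (2, 202), (2, 202), (2, 203)]
SAMPLE_FILE = b"constructed audit file contents\n"
SAMPLE_SEAL = seal(SAMPLE_FILE)  # value recorded when the file was written
```

A matching seal and a gap-free JSN run show that the retrieved records are unchanged and complete relative to what was archived; neither check says anything about whether a record was correct when it was written.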