FUJ00087100
FUJ00087100
To: Harvey MichaelI[f. ; Davidson James: GRO }
From: Jenkins Gareth Gl[/o=Exchange/ou=AdminGroup1/cn=Recipients/cn=Gareth.Jenkins]
Sent: Tue 4/15/2014 11:33:43 AM (UTC)
Subject: I RE: Strictly Private & Confidential - Subject to Privilege
Mike,
The answer is slightly different depending on whether we are talking about the old Horizon (2010 or earlier) or the new Horizon
Online (2010 onwards).
However in both cases the injected transactions would be visible in any local reports the Postmaster may view and also in the audit
extract. In both cases the Audit extract would show (perhaps not obviously and in different ways depending on the version of
Horizon) that these transactions had been inserted in the data centre and not taken place on a normal counter.
Our processes should ensure that POL have signed off on any occasion when such data was inserted.
Regards
Gareth
Gareth Jenkins
Distinguished Engineer
Business Applications Architect
Post Office Account
FUJITSU
Lovelace Road, B
nell, Berkshire, RG12 8SN
Fujitsu is proud to partner with Shelter, the housing and homeless charity
Reshaping ICT, Reshaping Business in partnership with FT.com
sé Please consider the environment - do you really need to print this email?
From: Harvey Michael
Sent: 15 April 2014 11:09
To: Jenkins Gareth GI; Davidson James
Subject: RE: Strictly Private & Confidential - Subject to Privilege
Gareth and James,
With respect to the inserted data — can you provide a little more detail as to the audit trail that addition of data leaves. So
notwithstanding that we haven’t used it, if we were to use, would the sub postmaster or Post Office be able to see it in the audit
record. I assume this is the case and so can we make it explicit. We need to be cognisant of the point that these two individuals are
attempting to make — they are trying to say that FJ have changed data and so in answers Post Office’s explicit questions, the
underlying answer must be:
1- When we have and why (i.e. the 2010 incident); and
2- If we had, the following audit trail would be left demonstrating we had done it — no audit trail means we could not have
changed the data.
I’m in with a customer at the moment but if you want to talk, IM and Ill try and step out.
Thanks
FUJ00087100
FUJ00087100
Mike
From: Jenkins Gareth GI
Sent: 15 April 2014 09:31
To: Davidson James
Cc: Harvey Michael
Subject: RE: Strictly Private & Confidential - Subject to Privilege
James,
As discussed, I have added in my thoughts / responses below (prefixed [GIJ]).
V'll ring later to go through these responses with you.
Regards
Gareth
Gareth Jenkins
Distinguished Engineer
Business Applications Architect
Post Office Account
HO
Fujitsu is proud to partner with Shelter, the housing and homeless charity
Reshaping ICT, Reshaping Business in partnership with FT.com
By Please consider the environment - do you really need to print this email?
From: Davidson James
Sent: 14 April 2014 16:20
To: Jenkins Gareth GI
Cc: Harvey Michael
Subject: Fwd: Strictly Private & Confidential - Subject to Privilege
Gareth,
Can you start looking at this please and will call to discuss.
James
Sent from my iPhone
Begin forwarded message:
From: Rodric Williams
Date: 14 April 2014 15:59:18 BST
To: Davidson James <i...
Subject: Strictly Private & Confidential - Subject to Privilege
James,
FUJ00087100
FUJ00087100
Could Fujitsu please answer the questions below so that we can respond to a specific challenge put to us by Second
Sight in connection with a Mediation Scheme complaint, namely that:
"the Andy Winn/Alan Lusher email in the case of Ward [...] explicitly states that Fujitsu can remotely change the
figures in the branches without the SPMs’ knowledge or authority".
The Winn/Lusher email is attached. The part of the email in question is:
“Fujitsu have the ability to impact branch records via the message store but have extremely rigorous procedures in
place to prevent adjustments being made without prior authorisation - within POL and Fujitsu these controls form the
core of our court defence if we get to that stage.”
Questions:
1. Can Post Office change branch transaction data without a subpostmaster being aware of the change?
[GU] No
2. Can Fujitsu change branch transaction data without a subpostmaster being aware of the change?
[GlJ] Strictly No, in that data cannot be changed. However additional data can be inserted, but this is very rare. The
mechanisms for doing this were very different between the old Horizon system and the new Horizon Online system.
In response to a previous query we checked last year when this was done on Horizon Online and we found only one
occurrence in March 2010 which was very early in the pilot.
We don’t have explicit details for the old Horizon system, however it would be clear from the spreadsheets
produced from the audit trail if such data have been injected as it would appear to have been written at the Data
Centre and not at the counter.
3. If not, where is the evidence for this conclusion?
[GU] see above
4. If so:
a) How does this happen?
[GU] See above
b) Why was this functionality built into the system design?
[GJ] To allow for data to be corrected if there were any defects found in the system
c) Why would Fujitsu need to use this functionality?
[GI] as above and then only under instructions from Post Office Ltd.
d) What controls are in place to prevent the unauthorised use of this method of access?
[G1] This is controlled by the normal Operational procedures for any change to be made to the system. (Ops should
have the details - these processes are audited)
e) When has branch data been accessed in this way in the past?
[GIJ] As above only once on Horizon Online. I don’t know about Horizon, but I believe it was very rare.
5. In relation to the Winn/Lusher email:
a) Whatis "message store"?
[GJ] This is the repository (or database) where all transactions were written to in the old Horizon system
b) Can this be used to access and change branch records?
[GJ] It can be used to access the records. Data cannot be changed, but new data could be inserted into it. Any such
inserted data would be tightly controlled by operational processes.
c) What is the "impact" of this change on branch records?
[GI] The impact would depend on exactly what records were inserted.
d) Would the subpostmaster be aware of this change?
[GIJ] not necessarily
e) Why would this method of access be used?
[GlJ] To correct errors resulting from software defects.
f) What controls are in place to prevent misuse of this method of access?
[GU] Standard operational processes.
Please let me know if it would be easier to address these in a phone call in the first instance.
Kind regards, Rodric
Rodric Williams I Litigation Lawyer
FUJ00087100
FUJ00087100