To:
Ce:
From:
Sent:
Subject:
FUJ00087142
FUJ00087142
Davidson JamesI/
Fri 1/30/2015 5:14:52 PM (UTC)
RE: URGENT ACTION : Accessing Horizon
DAVIDSONJ2]
Hi there,
Having looked again at the request from Paula, it appears that the fundamentals around this question are not understood. I suggest
that Paula is briefed along the lines of the following.
1)
4)
5)
6)
No transaction data is held locally in any branch. Transactions are completed and stored in a central database and copies of
all data is sent to a secure audit database.
Sub-postmasters directly manage user access and password setting locally so system access is limited to approved local
personnel only who set their own passwords.
Once a transaction has been completed, there is no functionality (by design) for transactions to be edited or amended.
Each transaction is given a unique number and ‘wrapped’ in a digital encryption seal to protect its integrity. All transactions
are then posted to a secure and segregated audit server.
On approval, there is the functionality to add additional transactions which will be visible and have a unique identifier in
the audit trail. This is extremely rare and only been used once since go live of the system in 2010 (March 2010)
Support staff have the ability to review event logs and monitor, in real time, the availability of the system infrastructure as
part of standard service management processes.
Overall system access is tightly controlled via industry standard ‘role based access’ protocols and assured independently in
annual audits for ISO 27001, Ernst and Young for IAS 3402 and as part of PCI audits.
Hope that helps!
James Davidson
Post Office
Fujitsu
Lovelace Road, Bracknell, RG12 8SN
Fujitsu is proud to partner with Shelter, the housing and homeless charity
Reshaping ICT, Reshaping Business in partnership with FT.com
vA Please consider the environment - do you really need to print this email?
From: Mark Underwood
Sent: 30 January 2015 15:50
To: Davidson James
Ce: Kevin Lenihan
Subject: RE: URGENT ACTION : Accessing Horizon
Hi Kevin my proposed answer to the first question below (it can be sent in its entirety to Mel and she can pick and choose). Though
this will need to be signed off by James as accurate.
In terms of the second question, I cannot find anything on the testing carried out. It could very well have been sent to one of my
predecessors but I cannot find it anywhere. James are you able to put something together based upon the email you sent Kevin?
Mark
FUJ00087 142
FUJ00087142
In terms of QL
This question often phrased by Applicants and Second Sight is:
"Can Post Office remotely access Horizon?"
Phrasing the question in this way does not address the issue that is of concern to Second Sight and Applicants. It
refers generically to "Horizon" but more particularly is about the transaction data recorded by Horizon. Also, the word
"access" means the ability to read transaction data without editing it - Post Office / Fujitsu has always been able to
access transaction data however it is the alleged capacity of Post Office / Fujitsu to edit transaction data that appears
to be of concern. Finally, it has always been known that Post Office can post additional, correcting transactions to a
branch's accounts but only in ways that are visible to Subpostmasters (i.e. Transaction Corrections and Transaction
Acknowledgements) -— it is the potential for any hidden method of editing data that is of concern.
Can Post Office or Fujitsu edit transaction data without the knowledge of a Subpostmaster?”
Post Office confirms that neither it nor Fujitsu can edit transaction data without the knowledge of a
Subpostmaster.
There is no functionality in Horizon for either a branch, Post Office or Fujitsu to edit, manipulate or remove a
transaction once it has been recorded in a branch's accounts.
The following safeguards are in place to prevent such occurrences:
. Transmission of baskets of transaction data between Horizon terminals in branches and the Post Office data
centre is cryptographically protected through the use of digital signatures.
. Baskets must net to nil before transmission. This means that the total value of the basket is nil and therefore
the correct amount of payments, goods and services has been recorded in the basket. Baskets that do not net
to nil will be rejected by the Horizon terminal before transmission to the Post Office data centre.
. Baskets of transactions are either recorded in full or discarded in full — no partial baskets can be recorded to
the Audit Store.
. All baskets are given sequential numbers (known as Journal Sequence Numbers or JSNs) when sent from a
Horizon terminal. This allows Horizon to run a check at the Data Centre for missing baskets (which triggers a
recovery process) or additional baskets that would cause duplicate numbers (which would trigger an exception
error report to Post Office / Fujitsu).
. All transaction data in the Audit Store is digitally sealed — these seals would show evidence of tampering if
anyone, either inadvertently, intentionally or maliciously, tried to change the data within a sealed record.
. Automated daily checks are undertaken on JSNs (looking for missing / duplicate baskets) and on the digital
seals (looking for evidence of tampering).
From: Davidson James
Sent: 30 January 2015
To: Mark Underwood1
Cc: Kevin Lenihan
Subject: FW: URGENT ACTION : Accessing Horizon
James Davidson
Post Office
Fujitsu
Lovelace Road, Bi
Mob‘f
knell, RG12 8SN
FUJ00087142
FUJ00087142
Web: http://uk.fujitsu.com
Fujitsu is proud to partner with Shelter, the housing and homeless charity
Reshaping ICT, Reshaping Business in partnership with FT.com
= Please consider the environment - do you really need to print this email?
Mark,
As discussed, can you hook up with Kevin to review what answers have already been provided to second sight as this should form
the Post Office response.
Thanks,
James.
From: Kevin Lenihan
Sent: 30 January 2015 09:28
To: Newsome Pete
Subject: URGENT ACTION : Accessing Horizon
Pete,
My phone call earlier today refers.
I need some urgent information as per Paula’s note please. Apologies if you’ve had this before but I’m not aware of the history on
this — just point me in the direction of who has that answer and I'll pursue accordingly.
Cheers,
Kevin
Kevin Lenihan I Senior Information Services Manager
EC1V 9HQ
/
From: Paula Vennells }
Date: 30 January 201
To: Mark R Davies
Subject: Urgent: Accessing Horizon
GRO
Dear both, your help please in answers and in phrasing those answers, in prep for the SC:
1) "is it possible to access the system remotely? We are told it is."
What is the true answer? I hope it is that we know this is not possible and that we are able to explain why that
is. [need to say no it is not possible and that we are sure of this because of xxx and that we know this because
we have had the system assured.
2) "you have said this is such a vital system to the Post Office, what testing do you do and how often? When
was the last time?
FUJ00087 142
FUJ00087142
Lesley, I need the facts on these - I know we have discussed before but I haven't got the answer front of mind -
too many facts to hold in my head! But this is an important one and I want to be sure I do have it. And then
Mark, to phrase the facts into answers, plus a line to take the conversation back up a level - ie., to one of our
narrative boxes/rocks.
Thanks, Paula
Paula Vennells
Chief Executive
Post Office Ltd
Sent from my iPad
This email and any attachments are confidential and intended for the addressee only. If you are not the named recipient, you must
not use, disclose, reproduce, copy or distribute the contents of this communication. If you have received this in error, please contact
the sender by reply email and then delete this email from your system. Any views or opinions expressed within this email are solely
those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET, LONDON EC1V
9HQ.
Unless otherwise stated, this email has been sent from Fujitsu Services Limited, from Fujitsu (FTS) Limited, or from
Fujitsu Telecommunications Europe Limited, together "Fujitsu".
This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be
privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it is virus-free.
Fujitsu Services Limited, registered in England No 96056, registered office 22 Baker Street, London W1U 3BW.
Fujitsu (FTS) Limited, registered in England No 03808613, registered office 22 Baker Street, London W1U 3BW.
PFU Imaging Solutions Europe Limited, registered in England No 1578652, registered office Hayes Park Central, Hayes
End Road, Hayes, Middlesex, UB4 8FE.
Fujitsu Telecommunications Europe Limited, registered in England No 2548187, registered office Solihull Parkway,
Birmingham Business Park, Birmingham, B37 7YU.
This email and any attachments are confidential and intended for the addressee only. If you are not the named recipient, you must
not use, disclose, reproduce, copy or distribute the contents of this communication. If you have received this in error, please contact
the sender by reply email and then delete this email from your system. Any views or opinions expressed within this email are solely
those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET, LONDON EC1V
9HQ.
SARI OIA ISO IO IIIA II II III III IIIA TI ASI ASIA IIIS SOI I OSS SISOS SISOS IIA