FUJ00122522 - Email from Penny Thomas to Neneh Lowther and Andy Dunks Re Updated witness statements


Thomas Penny
Sent: 05 March 2008 10:31

~ POH -3797D
To: Lowther Neneh; Dunks Andy
Cc: Sewell Peter (FELO1)
Subject: Updated Witness Statements

Attachments: Standard Fujitsu V7 .doc; Inactivity info V3.doc

Hi

I have updated the standard WS and left the attached copies in mark-up so you can see the changes. I have
accepted the changes on the WS held on the PS directory.

Let me know if you have any queries.

Kind regards
Penny

Penny Thomas
Security Analyst, Customer Services

Fujitsu Services Retail & Royal Mail Group Account
Lovelace Road, Bracknell, Berks RG12 8SN

Fujitsu Services Limited, Registered in England no 96056, Registered Office 22, Baker Street, London W1U 3BW
This E-mail is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be privileged. Fujitsu
Services does not guarantee that this E-mail has not been intercepted and amended or that it is virus-free.


Thomas Penny

From: Jenkins Gareth GI
Sent: 08 February 2008 10:18
To: Thomas Penny
Subject: RE: WS Updates

Attachments: 8208.Penny's Standard Fujitsu V5 .doc; 8208.Additional event log data .doc

Penny,

Sorry it has taken a while, but I've finally got round to looking at them. I've added comments to two of them
(the other was fine).

I'm happy to come and talk it through with you when you're ready.

Regards
Gareth

Gareth Jenkins
Distinguished Engineer
Applications Architect
Royal Mail Group Account

FUJITSU
Lovelace Road, Bracknell, Berkshire, RG12 8SN
Tel:
Mobile:
email:
Web: http://uk.fujitsu.com

Fujitsu Services Limited, Registered in England no 96056, Registered Office 22 Baker Street, London, W1U 3BW

This e-mail is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be privileged. Fujitsu
Services does not guarantee that this email has not been intercepted and amended or that it is virus-free.

From: Thomas Penny

Sent: 24 January 2008 09:13
To: Jenkins Gareth GI
Subject: RE: WS Updates

Thanks, Gareth. They are attached.

Penny

From: Jenkins Gareth GI
Sent: 24 January 2008 08:49
To: Thomas Penny

Subject: RE: WS Updates
Penny,

You very kindly agreed to review my witness statements back in the summer of last year and
I'd like to have them reviewed again, to make sure they are still correct. I know life is a bit
fraught at the moment but do you think you would be able to help me again, say in the next
few weeks?

If you can help, I could either e-mail them to you or, better still, perhaps we could spend half
an hour together.

Probably the simplest thing is if you email them to me and when I've had a chance to look through
them we can get together.

Regards
Gareth

Gareth Jenkins
Distinguished Engineer
Applications Architect
Royal Mail Group Account

FUJITSU
Lovelace Road, Bra
Tel:
Mobile:
Internal:
email:
Web: http://uk.fujitsu.com

Fujitsu Services Limited, Registered in England no 96056, Registered Office 22 Baker Street, London, W1U 3BW

This e-mail is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be
privileged. Fujitsu Services does not guarantee that this email has not been intercepted and amended or that it is virus-free.


Witness Statement

(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a)
and 5B, MC Rules 1981, r 70)

Statement of Penelope Anne Thomas

Age if under 18 Over 18 (if over 18 insert ‘over 18')

This statement (consisting of 2 pages each signed by me) is true to the best of my knowledge and belief
and I make it knowing that, if it is tendered in evidence, I shall be liable to prosecution if I have wilfully
stated in it anything which I know to be false or do not believe true.

Dated the 29 day of June 2008

Signature

(Further to or I have been employed)

In January 2006 a change was made to the original extract query to include additional records from the
raw audit data. In particular this refined query now includes details of Inactivity Logouts, Authority Logouts
and Failed Logins. It should be noted that no changes were made to the original Audit data but just to the
selection of records from the Audit for presentation to Post Office Limited in the ARQ Spreadsheet.

Each Horizon counter has two Inactivity timers set. The first one detects that nothing has happened at the
counter for 15 minutes and if triggered, causes the password screen to be displayed. In order to use the
terminal, the user must re-enter their password. This activity is not explicitly recorded in the raw data.

The second timer is triggered after 75 minutes of inactivity (ie one hour after the Password screen is
displayed). In this case, the following happens:

If the user was in the middle of a customer session (ie ‘stack’ has transactions in it), then the customer
session is settled to cash and a receipt printed. The transactions are recorded in the normal way. The
User is then logged out and a special message is written to the messagestore indicating that this has
happened. This is called an Inactivity Logout and is captured in the Event Log.

If a supervisor (it needn't be a supervisor. Any user can go to a Locked terminal and enter their own
Username and password. If it is NOT the original user this will result in the original user being forced to
logout and any incomplete session will be settled to cash - as happens after the 75 minute inactivity
timeout) has closed down a counter this action is captured in the

(Deleted: nom )

Signature Signature witnessed by

CS011A (Side A) Version 3.0 11/02
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)

Continuation of statement of Penelope Anne Thomas

Out Authority’ where the supervisor's user name will be displayed

If a user, while entering their password to log in to the system types an error, the user is denied access
and this is called a failed login. This event is now captured in the Event Log and is recorded under
‘Security Event User’ where the user name will be displayed

The Event report is formatted with the following headings:

Groupid - Branch code

ID - relates to counter position

Date — Date of transaction

Time - Time of transaction

User - Person Logged on to System

SU — Stock Unit

EPOSSTransaction.T — Event Description
EPOSSTransaction.Ti — Event Result

Type — Inactivity Logout noted
LogoutAuthority - User who logged out the account
SecurityEvent.User — User who failed to log in

The CD Exhibit PT/XX was sent to the Post Office Investigation section by Special Delivery on 29 June
2006.

There is no reason to believe that the information in this statement is inaccurate because of the improper
use of the computer. To the best of my knowledge and belief at all material times the computer was
operating properly, or if not, any respect in which it was not operating properly, or was out of operation
was not such as to effect the information held on it. I hold a responsible position in relation to the working
of the computer.

Any records to which I refer in my statement form part of the records relating to the business of Fujitsu
Services. These were compiled during the ordinary course of business from information supplied by
persons who have or may reasonably be supposed to have personal knowledge of the matter dealt with in
the information supplied, but are unlikely to have any recollection of the information or cannot be traced.


As part of my duties, I have access to these records.


Witness Statement

(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a)
and 5B, MC Rules 1981, r 70)

Statement of Penelope Anne Thomas

Age if under 18 Over 18 (If over 18 insert ‘over 18')

This statement (consisting of pages each signed by me) is true to the best of my knowledge and belief
and I make it knowing that, if it is tendered in evidence, I shall be liable to prosecution if I have wilfully
stated in it anything which I know to be false or do not believe true.

Dated the day of 2008

Signature

I have been employed by Fujitsu Services, Post Office Account, formally ICL Pathway Ltd
since 20 January 2004 as an Information Technology (IT) Security Analyst responsible for audit
data extractions and IT Security. I have working knowledge of the computer system known as
Horizon, which is a computerised accounting system used by Post Office Ltd. I am authorised
by Fujitsu Services to undertake extractions of audit archived data and to obtain information
regarding system transactions recorded on the Horizon system.

Horizon’s documented procedures stipulate how the Horizon System operates, and while I am
not involved with any of the technical aspects of the Horizon System, these documented
processes allow me to provide a general overview.

At each Post Office there are counter positions that have a computer terminal, a visual display
unit and a keyboard and printer. This individual system records all transactions input by the
counter clerk working at that counter position. Clerks log on to the system by using their own
unique password. The transactions performed by each clerk, and the associated cash and
stock level information, are recorded by the computer system in a stock unit. Once logged on,
all transactions performed by the clerk must be recorded and entered on the computer and are
accounted for within the user's allocated stock unit.

The Horizon system provides a number of daily and weekly records of all transactions input

Signature Signature witnessed by

CSO11A (Side A) Version 5.0 09/06

into it. It enables Post Office users to obtain computer summaries for individual clients of Post
Office Limited e.g. National Savings Bank (I think these reports have now been removed, but
they certainly used to exist) and Alliance & Leicester. The Horizon system also enables the
clerk to produce a periodic balance of cash and stock on hand combined with the other
transactions performed in that accounting period, known as a trading period.

user is presented with a parameter driven menu, which enables the report to be customised to
requirements. The report is then populated from transaction data that is held in the local
database and is printed out on the printer. The system also allows for information to be
transferred to the main accounting department at Chesterfield in order for the office accounts
to be balanced. Strictly the office accounts are balanced in the Office. What Chesterfield do is
monitor what is happening and look for unusual trends and amalgamate the accounts of the
individual offices to provide the overall accounts for Post Office Ltd and reconcile this with
Clients.

The Post Office counter processing functions are provided through a series of counter
applications: the Order Book Control Service (OBCS) that ascertained the validity of DWP
order books before payment was made, this application ceased in June 2005; the Electronic
Point of Sale Service (EPOSS) that enables Postmasters to conduct general retail trade at the
counter and sell products on behalf of their clients; the Automated Payments Service (APS)
which provides support for utility companies and others who provide incremental in-payment
APS now also supports out payments mechanisms based on the use of cards and other tokens
and the Logistics Feeder Service (LFS) which supports the management of cash and value
stock movements to and from the outlet, principally to minimise cash held overnight in outlets.
The counter desktop service and the office platform service on which it runs provides various
common functions for transaction recording and settlement as well as user access control and
session management.

Information from counter transactions is written into a local database and then replicated


automatically to databases on all other counters within a Post Office outlet. The information is
then forwarded over ISDN (Integrated System Digital Network) or other communication service
Most branches now use ADSL ISN very UCI's MOT to databases on a set of central
Correspondence Servers at the Fujitsu Services data centres. This is undertaken by a
messaging transport system within the Transaction Management Service (TMS). Various
systems then transfer information to Central Servers that control the flow of information to
various support services. Details of outlet transactions are normally sent at least daily via the
system. Details are then forwarded daily via a file transfer service to the Post Office accounting
department at Chesterfield and also, where appropriate, to other Post Office Clients.

An audit of all information handled by the TMS is taken daily by copying all new messages to
archive media. This creates a record of all original outlet transaction details including its origin
- outlet and counter, when it happened, who caused it to happen and the outcome. The TMS
journal is maintained at each of the Fujitsu Services Data Centre sites and is created by
securely replicating all transaction records that occurred in every Outlet. They therefore provide
the ability to compare the audit track record of the same transaction recorded in two places to
verify that systems were operating correctly

Records of all transactions are written to audit archive media. I'm not happy with this last
sentence. It implies we compare the audit stream from Wigan and Bootle (which we don't!

The system clock incorporated into the desktop application on the counter visual display units
is configured to indicate local time. This has been the situation at (INSERT PO), Branch Code
(INSERT) since (INSTALLATION DATE) when the Horizon system was introduced at that
particular Post Office.

The Horizon system records time in GMT and takes no account of Civil Time Displacements,
thus during British Summer Time (BST) (generally the last Sunday in March to the last Sunday

in October), system record timings are shown in GMT - one hour earlier than local time (BST).

There was, however, one exception which related to the category of transactions ‘Transfer In’


where events recorded in the Transaction Logs, were shown in local time. This meant that
during the designated summer months ‘Transfer In’ log entries were recorded in BST instead
of GMT and showed a one hour forward displacement in time from other transactions being
recorded in the logs. This anomaly was corrected during the winter months prior to BST 2005
since when ‘Transfer In’ log entries have been recorded in GMT, consistent with all other
transactions being recorded in the logs.

When information relating to individual transactions is requested, the data is extracted from the
audit archive media via the Audit Workstations (AW’s). Information is presented in exactly the
same way as the data held in the archive although it can be filtered depending upon the type of
information requested. The integrity of audit data is guaranteed at all times from its origination,
storage and retrieval to subsequent despatch to the requester. Controls have been
established that provide assurances to Post Office Internal Audit (POIA) that this integrity is
maintained.

During audit data extractions the following controls apply :

1. Extractions can only be made through the AWs which exist at Fujitsu Services,
Lovelace Lane, Bracknell, Berkshire and Fujitsu Services, Sackville House, Brooks
Close, Lewes, East Sussex. These sites are both subject to rigorous physical security
controls appropriate to each location. All AWs are located in a secure room subject to
proximity pass access within a secured Fujitsu Services site.

2. Logical access to the AW and its functionality is managed in accordance with the
Fujitsu Services, Post Office Account Security Policy and the principles of ISO 17799.
This includes dedicated Logins, password control and the use of Microsoft Windows NT
security features.

3. All extractions are logged on the AW and supported by documented Audit Record
Queries (ARQ's), authorised by nominated persons within Post Office Ltd. This log can
be scrutinised on the AW.

4. Extractions are only made by authorised individuals.

5. Upon receipt of an ARQ from Post Office Ltd they are interpreted by CS Security. The


details are checked and the printed request filed.

6. The required files are identified and marked using the dedicated audit tools.
7. Checksum seals are calculated for audit data files when they are written to audit
archive media and re-calculated when the files are retrieved.

8. To assure the integrity of the audit data while on the audit archive media the checksum
seal for the file is re-calculated by the Audit Track Sealer and compared to the original
value calculated when the file was originally written to the audit archive media. The
result is maintained in a Check Seal Table.

9. The specific ARQ details are used to obtain the specific data.

10. The files are copied to the AW where they are checked and converted into the file type
required by Post Office Ltd.

11. The requested information is copied onto removal CD media, sealed to prevent
modification and virus checked using the latest software. It is then despatched to the
Post Office Ltd Casework Manager using Royal Mail Special Delivery. This ensures
that a receipt is provided to Fujitsu Services confirming delivery. Isn't there a CP to
encrypt this data as well?

ARQ(NUMBER) was received on (DATE) and asked for information in connection with the Post
Office at (NAME), Branch code (NUMBER). I produce a copy of ARQ(NUMBER) as Exhibit
(INITIAL/NUMBER). I undertook extractions of data held on the Horizon system in accordance
with the requirements of ARQ(NUMBER) and followed the procedure outlined above. I
produce the resultant CD as Exhibit (INITIAL/NUMBER). This CD, Exhibit (INITIAL/NUMBER),
was sent to the Post Office Investigation section by Special Delivery on (DATE).

The report is formatted with the following headings:
ID — relates to counter position
User — Person Logged on to System
SU — Stock Unit
Date — Date of transaction

Time — Time of transaction


Sessionid — A unique string relating to current customer session
Txnid — A unique string relating to current transaction

Mode — e.g. SC which translates to Serve Customer

ProductNo — Product Item Sold

Qty — Quantity of items sold

SaleValue — Value of items sold

Entry method - Method of data capture for Transactions (0 = barcode, 1 = manually
keyed, 2 = magnetic card, 3 = smartcard, 4 = smart key)

State — Method of manual keyed Entry Method. Not sure about this. However only
relevant to OBCS which is pretty dead

IOP - Order Book Number - OBCS only

Result — Order Book Transaction Result OBCS only

Foreign Indicator — indicates whether OBCS payment was made at a local or foreign
outlet (0 - Local, 1 - Foreign). The foreign indicator defaults to a ‘0’ for all manually
entered transactions. OBCS only.

The Event report is formatted with the following headings:
Groupid — FAD code
ID — relates to counter position
Date — Date of transaction
Time — Time of transaction
User — Person Logged on to System
SU — Stock Unit
EPOSSTransaction.T - Event Description
EPOSSTransaction.Ti - Event Result
(FOR DATE PROVIDED WEF 24 JANUARY 2006 (From ARGEE2GRS; INGLUDA
In January 2006 a change was made to the original extract query to include additional
records from the raw audit data. In particular, this refined query now includes details of
Inactivity Logouts, Authority Logouts and Failed Logins. It should be noted that no
changes were made to the original Audit data but just to the selection of records from
the Audit for presentation to Post Office Limited in the ARQ Spreadsheet, ARCs LICH

LogoutAuthority - User who logged out the account
SecurityEvent.User - User who failed to log in

There is no reason to believe that the information in this statement is inaccurate because of
the improper use of the computer. To the best of my knowledge and belief at all material times
the computer was operating properly, or if not, any respect in which it was not operating
properly, or was out of operation was not such as to effect the information held on it.

Any records to which I refer in my statement form part of the records relating to the business of
Fujitsu Services. These were compiled during the ordinary course of business from
information supplied by persons who have, or may reasonably be supposed to have, personal
knowledge of the matter dealt with in the information supplied, but are unlikely to have any
recollection of the information or cannot be traced. As part of my duties, I have access to
these records.


Witness Statement

(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a)
and 5B, MC Rules 1981, r 70)

Statement of

Age if under 18 Over 18 (If over 18 insert 'over 18")

This statement (consisting of I pages each signed by me) is true to the best of my knowledge and belief
and I make it knowing that, if it is tendered in evidence, I shall be liable to prosecution if I have wilfully
stated in it anything which I know to be false or do not believe true.

Dated the - day of 2006

Signature

I have been employed by Fujitsu Services, Post Office Account, formally ICL Pathway Ltd
since DATE as an Information Technology (IT) Security Analyst responsible for audit data
extractions and IT Security. I have working knowledge of the computer system known as
Horizon, which is a computerised accounting system used by Post Office Ltd. I am authorised
by Fujitsu Services to undertake extractions of audit archived data and to obtain information
regarding system transactions recorded on the Horizon system.

Horizon’s documented procedures stipulate how the Horizon System operates, and while I am
not involved with any of the technical aspects of the Horizon System, these documented

processes allow me to provide a general overview.

At each Post Office there are counter positions that have a computer terminal, a visual display
unit and a keyboard and printer. This individual system records all transactions input by the
counter clerk working at that counter position. Clerks log on to the system by using their own
unique password. The transactions performed by each clerk, and the associated cash and
stock level information, are recorded by the computer system in a stock unit. Once logged on,
all transactions performed by the clerk must be recorded and entered on the computer and are
accounted for within the user's allocated stock unit.

The Horizon system provides a number of daily and weekly records of all transactions input

Signature Signature witnessed by

CS011A (Side A) Version 6.0 08/06

into it. It enables Post Office users to obtain computer summaries for individual clients of Post
Office Limited e.g. National Savings Bank and Alliance & Leicester. The Horizon system also

enables the clerk to produce a periodic balance of cash and stock on hand combined with the

other transactions performed in that accounting period, known as a trading period.

Where local reports are required these are accessed from an icon on the desktop menu. The
user is presented with a parameter driven menu, which enables the report to be customised to
requirements. The report is then populated from transaction data that is held in the local
database and is printed out on the printer. The system also allows for information to be
transferred to the main accounting department at Chesterfield in order for the office accounts

to be balanced.

The Post Office counter processing functions are provided through a series of counter
applications: the Order Book Control Service (OBCS) that ascertained the validity of DWP
order books before payment was made, this application ceased in June 2005; the Electronic
Point of Sale Service (EPOSS) that enables Postmasters to conduct general retail trade at the
counter and sell products on behalf of their clients; the Automated Payments Service (APS)
which provides support for utility companies and others who provide incremental in-payment
mechanisms based on the use of cards and other tokens and the Logistics Feeder Service
(LFS) which supports the management of cash and value stock movements to and from the
outlet, principally to minimise cash held overnight in outlets. The counter desktop service and
the office platform service on which it runs provides various common functions for transaction

recording and settlement as well as user access control and session management.

Information from counter transactions is written into a local database and then replicated
automatically to databases on all other counters within a Post Office outlet. The information is
then forwarded over ISDN (Integrated System Digital Network) or other communication service,
to databases on a set of central Correspondence Servers at the Fujitsu Services data centres.
This is undertaken by a messaging transport system within the Transaction Management
Service (TMS). Various systems then transfer information to Central Servers that control the


flow of information to various support services. Details of outlet transactions are normally sent
at least daily via the system. Details are then forwarded daily via a file transfer service to the
Post Office accounting department at Chesterfield and also, where appropriate, to other Post
Office Clients.

An audit of all information handled by the TMS is taken daily by copying all new messages to
archive media. This creates a record of all original outlet transaction details including its origin
- outlet and counter, when it happened, who caused it to happen and the outcome. The TMS
journal is maintained at each of the Fujitsu Services Data Centre sites and is created by
securely replicating all transaction records that occurred in every Outlet. They therefore provide
the ability to compare the audit track record of the same transaction recorded in two places to
verify that systems were operating correctly. All exceptions are investigated and reconciled.
Records of all transactions are written to audit archive media.

The system clock incorporated into the desktop application on the counter visual display units
is configured to indicate local time. This has been the situation at (INSERT PO), Branch Code
(INSERT) since (INSTALLATION DATE) when the Horizon system was introduced at that
particular Post Office.

The Horizon system records time in GMT and takes no account of Civil Time Displacements,
thus during British Summer Time (BST) (generally the last Sunday in March to the last Sunday
in October), system record timings are shown in GMT — one hour earlier than local time (BST).

There was, however, one exception which related to the category of transactions ‘Transfer In’
where events recorded in the Transaction Logs, were shown in local time. This meant that
during the designated summer months ‘Transfer In’ log entries were recorded in BST instead
of GMT and showed a one hour forward displacement in time from other transactions being
recorded in the logs. This anomaly was corrected during the winter months prior to BST 2005
since when ‘Transfer In’ log entries have been recorded in GMT, consistent with all other
transactions being recorded in the logs.


When information relating to individual transactions is requested, the data is extracted from the
audit archive media via the Audit Workstations (AW’s). Information is presented in exactly the
same way as the data held in the archive although it can be filtered depending upon the type of
information requested. The integrity of audit data is guaranteed at all times from its origination,
storage and retrieval to subsequent despatch to the requester. Controls have been
established that provide assurances to Post Office Internal Audit (POIA) that this integrity is

maintained.

During audit data extractions the following controls apply :

1. Extractions can only be made through the AWs which exist at Fujitsu Services,
Lovelace Lane, Bracknell, Berkshire and Fujitsu Services, Sackville House, Brooks
Close, Lewes, East Sussex. These sites are both subject to rigorous physical security
controls appropriate to each location. All AWs are located in a secure room subject to
proximity pass access within a secured Fujitsu Services site.

2. Logical access to the AW and its functionality is managed in accordance with the
Fujitsu Services, Post Office Account Security Policy and the principles of ISO 17799.
This includes dedicated Logins, password control and the use of Microsoft Windows NT
security features.

3. All extractions are logged on the AW and supported by documented Audit Record
Queries (ARQ’s), authorised by nominated persons within Post Office Ltd. This log can
be scrutinised on the AW.

4. Extractions are only made by authorised individuals.

5. Upon receipt of an ARQ from Post Office Ltd they are interpreted by CS Security. The
details are checked and the printed request filed.

6. The required files are identified and marked using the dedicated audit tools.
7. Checksum seals are calculated for audit data files when they are written to audit
archive media and re-calculated when the files are retrieved.

8. To assure the integrity of the audit data while on the audit archive media the checksum
seal for the file is re-calculated by the Audit Track Sealer and compared to the original

value calculated when the file was originally written to the audit archive media. The
result is maintained in a Check Seal Table.

9. The specific ARQ details are used to obtain the specific data.

10. The files are copied to the AW where they are checked and converted into the file type
required by Post Office Ltd.

11. The requested information is copied onto removable CD media, sealed to prevent
modification and virus checked using the latest software. It is then despatched to the
Post Office Ltd Casework Manager using Royal Mail Special Delivery. This ensures
that a receipt is provided to Fujitsu Services confirming delivery.

ARQ(NUMBER) was received on (DATE) and asked for information in connection with the Post
Office at (NAME), Branch code (NUMBER). I produce a copy of ARQ(NUMBER) as Exhibit
(INITIAL/NUMBER). I undertook extractions of data held on the Horizon system in accordance
with the requirements of ARQ(NUMBER) and followed the procedure outlined above. I
produce the resultant CD as Exhibit (INITIAL/NUMBER). This CD, Exhibit (INITIAL/NUMBER),
was sent to the Post Office Investigation section by Special Delivery on (DATE).

The report is formatted with the following headings:

ID — relates to counter position

User — Person Logged on to System

SU — Stock Unit

Date — Date of transaction

Time — Time of transaction

SessionId — A unique string relating to current customer session
Txnid — A unique string relating to current transaction

Mode — e.g. SC which translates to Serve Customer

ProductNo — Product Item Sold

Qty — Quantity of items sold

SaleValue — Value of items sold

Entry method - Method of data capture for Transactions (0 = barcode, 1 = manually
keyed, 2 = magnetic card, 3 = smartcard, 4 = smart key)

State — Method of manual keyed Entry Method.

IOP - Order Book Number

Result — Order Book Transaction Result

Foreign Indicator — Indicates whether OBCS payment was made at a local or foreign
outlet (0- Local, 1- Foreign). The foreign indicator defaults to a ‘0’ for all manually
entered transactions.

The Event report is formatted with the following headings:
Groupid — FAD code
ID — relates to counter position
Date — Date of transaction
Time — Time of transaction
User — Person Logged on to System
SU — Stock Unit
EPOSSTransaction.T — Event Description
EPOSSTransaction.Ti — Event Result
FOR MULTIPLE DATA [illegible]
(FROM ARQ [illegible]) INCLUDE THE [illegible]
PROVIDED WEF 24 JANUARY [illegible]
[illegible] INCLUDE [illegible]
In January 2006 a change was made to the [illegible] query to include additional
records from the raw audit data. In particular, the refined query now includes details of
Inactivity Logouts, Authority Logouts and Failed Logins. It should be noted that no [illegible]

[illegible]

Logout Authority — User who logged out the account

[illegible]Event.User — User who tried to log [illegible]

There is no reason to believe that the information in this statement is inaccurate because of
the improper use of the computer. To the best of my knowledge and belief at all material times
the computer was operating properly, or if not, any respect in which it was not operating
properly, or was out of operation was not such as to affect the information held on it.

Any records to which I refer in my statement form part of the records relating to the business of
Fujitsu Services. These were compiled during the ordinary course of business from
information supplied by persons who have, or may reasonably be supposed to have, personal
knowledge of the matter dealt with in the information supplied, but are unlikely to have any
recollection of the information or cannot be traced. As part of my duties, I have access to
these records.

Signature Signature witnessed by

CSO11A Version 6.0 09/06

Witness Statement

(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)

Statement of Penelope Anne Thomas

Age if under 18 Over 18 (If over 18 insert ‘over 18')

This statement (consisting of pages each signed by me) is true to the best of my knowledge and belief
and I make it knowing that, if it is tendered in evidence, I shall be liable to prosecution if I have wilfully
stated in it anything which I know to be false or do not believe true.

Dated the day of 2007

Signature

I have been employed by Fujitsu Services, Post Office Account, formerly ICL Pathway Ltd
since 20 January 2004 as an Information Technology (IT) Security Analyst responsible for audit
data extractions and IT Security. I have working knowledge of the computer system known as
Horizon, which is a computerised accounting system used by Post Office Ltd. I am authorised
by Fujitsu Services to undertake extractions of audit archived data and to obtain information
regarding system transactions recorded on the Horizon system.

Horizon’s documented procedures stipulate how the Horizon System operates, and while I am
not involved with any of the technical aspects of the Horizon System, these documented
processes allow me to provide a general overview.

At each Post Office there are counter positions that have a computer terminal, a visual display
unit and a keyboard and printer. This individual system records all transactions input by the
counter clerk working at that counter position. Clerks log on to the system by using their own
unique password. The transactions performed by each clerk, and the associated cash and
stock level information, are recorded by the computer system in a stock unit. Once logged on,
all transactions performed by the clerk must be recorded and entered on the computer and are
accounted for within the user's allocated stock unit.

The Horizon system provides a number of daily and weekly records of all transactions input

Signature Signature witnessed by

CS011A (Side A) Version 5.0 09/06

into it. It enables Post Office users to obtain computer summaries for individual clients of Post
Office Limited e.g. National Savings Bank and Alliance & Leicester. The Horizon system also
enables the clerk to produce a periodic balance of cash and stock on hand combined with the
other transactions performed in that accounting period, known as a trading period.

Where local reports are required these are accessed from an icon on the desktop menu. The
user is presented with a parameter driven menu, which enables the report to be customised to
requirements. The report is then populated from transaction data that is held in the local
database and is printed out on the printer. The system also allows for information to be
transferred to the main accounting department at Chesterfield in order for the office accounts
to be balanced.

The Post Office counter processing functions are provided through a series of counter
applications: the Order Book Control Service (OBCS) that ascertained the validity of DWP
order books before payment was made, this application ceased in June 2005; the Electronic
Point of Sale Service (EPOSS) that enables Postmasters to conduct general retail trade at the
counter and sell products on behalf of their clients; the Automated Payments Service (APS)
which provides support for utility companies and others who provide incremental in-payment
mechanisms based on the use of cards and other tokens and the Logistics Feeder Service
(LFS) which supports the management of cash and value stock movements to and from the
outlet, principally to minimise cash held overnight in outlets. The counter desktop service and
the office platform service on which it runs provides various common functions for transaction
recording and settlement as well as user access control and session management.

Information from counter transactions is written into a local database and then replicated
automatically to databases on all other counters within a Post Office outlet. The information is
then forwarded over ISDN (Integrated System Digital Network) or other communication service,
to databases on a set of central Correspondence Servers at the Fujitsu Services data centres.
This is undertaken by a messaging transport system within the Transaction Management
Service (TMS). Various systems then transfer information to Central Servers that control the
flow of information to various support services. Details of outlet transactions are normally sent
at least daily via the system. Details are then forwarded daily via a file transfer service to the
Post Office accounting department at Chesterfield and also, where appropriate, to other Post
Office Clients.

An audit of all information handled by the TMS is taken daily by copying all new messages to
archive media. This creates a record of all original outlet transaction details including its origin
- outlet and counter, when it happened, who caused it to happen and the outcome. The TMS
journal is maintained at each of the Fujitsu Services Data Centre sites and is created by
securely replicating all transaction records that occurred in every Outlet. They therefore provide
the ability to compare the audit track record of the same transaction recorded in two places to
verify that systems were operating correctly. All exceptions are investigated and reconciled.
Records of all transactions are written to audit archive media.

The system clock incorporated into the desktop application on the counter visual display units
is configured to indicate local time. This has been the situation at (INSERT PO), Branch Code
(INSERT) since (INSTALLATION DATE) when the Horizon system was introduced at that
particular Post Office.

The Horizon system records time in GMT and takes no account of Civil Time Displacements,
thus during British Summer Time (BST) (generally the last Sunday in March to the last Sunday
in October), system record timings are shown in GMT — one hour earlier than local time (BST).

There was, however, one exception which related to the category of transactions ‘Transfer In’
where events recorded in the Transaction Logs, were shown in local time. This meant that
during the designated summer months ‘Transfer In’ log entries were recorded in BST instead
of GMT and showed a one hour forward displacement in time from other transactions being
recorded in the logs. This anomaly was corrected during the winter months prior to BST 2005
since when ‘Transfer In’ log entries have been recorded in GMT, consistent with all other
transactions being recorded in the logs.

When information relating to individual transactions is requested, the data is extracted from the
audit archive media via the Audit Workstations (AW’s). Information is presented in exactly the
same way as the data held in the archive although it can be filtered depending upon the type of
information requested. The integrity of audit data is guaranteed at all times from its origination,
storage and retrieval to subsequent despatch to the requester. Controls have been
established that provide assurances to Post Office Internal Audit (POIA) that this integrity is
maintained.

During audit data extractions the following controls apply:

1. Extractions can only be made through the AWs which exist at Fujitsu Services,
Lovelace Lane, Bracknell, Berkshire and Fujitsu Services, Sackville House, Brooks
Close, Lewes, East Sussex. These sites are both subject to rigorous physical security
controls appropriate to each location. All AWs are located in a secure room subject to
proximity pass access within a secured Fujitsu Services site.

2. Logical access to the AW and its functionality is managed in accordance with the
Fujitsu Services, Post Office Account Security Policy and the principles of ISO 17799.
This includes dedicated Logins, password control and the use of Microsoft Windows NT
security features.

3. All extractions are logged on the AW and supported by documented Audit Record
Queries (ARQ’s), authorised by nominated persons within Post Office Ltd. This log can
be scrutinised on the AW.

4. Extractions are only made by authorised individuals.

5. Upon receipt of an ARQ from Post Office Ltd they are interpreted by CS Security. The
details are checked and the printed request filed.

6. The required files are identified and marked using the dedicated audit tools.

7. Checksum seals are calculated for audit data files when they are written to audit
archive media and re-calculated when the files are retrieved.

8. To assure the integrity of the audit data while on the audit archive media the checksum
seal for the file is re-calculated by the Audit Track Sealer and compared to the original
value calculated when the file was originally written to the audit archive media. The
result is maintained in a Check Seal Table.

9. The specific ARQ details are used to obtain the specific data.

10. The files are copied to the AW where they are checked and converted into the file type
required by Post Office Ltd.

11. The requested information is copied onto removable CD media, sealed to prevent
modification and virus checked using the latest software. It is then despatched to the
Post Office Ltd Casework Manager using Royal Mail Special Delivery. This ensures
that a receipt is provided to Fujitsu Services confirming delivery.

ARQ(NUMBER) was received on (DATE) and asked for information in connection with the Post
Office at (NAME), Branch code (NUMBER). I produce a copy of ARQ(NUMBER) as Exhibit
(INITIAL/NUMBER). I undertook extractions of data held on the Horizon system in accordance
with the requirements of ARQ(NUMBER) and followed the procedure outlined above. I
produce the resultant CD as Exhibit (INITIAL/NUMBER). This CD, Exhibit (INITIAL/NUMBER),
was sent to the Post Office Investigation section by Special Delivery on (DATE).

The report is formatted with the following headings:

ID — relates to counter position

User — Person Logged on to System

SU — Stock Unit

Date — Date of transaction

Time — Time of transaction

SessionId — A unique string relating to current customer session
Txnid — A unique string relating to current transaction

Mode — e.g. SC which translates to Serve Customer

ProductNo — Product Item Sold

Qty — Quantity of items sold

SaleValue — Value of items sold

Entry method - Method of data capture for Transactions (0 = barcode, 1 = manually
keyed, 2 = magnetic card, 3 = smartcard, 4 = smart key)

State — Method of manual keyed Entry Method.

IOP - Order Book Number

Result — Order Book Transaction Result

Foreign Indicator — Indicates whether OBCS payment was made at a local or foreign
outlet (0- Local, 1- Foreign). The foreign indicator defaults to a ‘0’ for all manually
entered transactions.

The Event report is formatted with the following headings:
Groupid — FAD code
ID — relates to counter position
Date — Date of transaction
Time — Time of transaction
User — Person Logged on to System
SU — Stock Unit
EPOSSTransaction.T — Event Description
EPOSSTransaction.Ti — Event Result
[FOR DATA PROVIDED [illegible] 24 JANUARY 2006 (from ARQ [illegible]) INCLUDE THE FOLLOWING]

In January 2006 a change was made to the original extract query to include [illegible]

[illegible] It should be noted that [illegible] the selection of records [illegible]

Inactivity Logouts, Authority Logouts and [illegible]
[illegible] changes were made to the original Audit data.
[illegible] the Audit [illegible] for presentation to Post Office [illegible] in the ARQ [illegible]

[illegible] account
[illegible]ent.User — User who tried to log [illegible]

There is no reason to believe that the information in this statement is inaccurate because of
the improper use of the computer. To the best of my knowledge and belief at all material times
the computer was operating properly, or if not, any respect in which it was not operating
properly, or was out of operation was not such as to affect the information held on it.

Any records to which I refer in my statement form part of the records relating to the business of
Fujitsu Services. These were compiled during the ordinary course of business from
information supplied by persons who have, or may reasonably be supposed to have, personal
knowledge of the matter dealt with in the information supplied, but are unlikely to have any
recollection of the information or cannot be traced. As part of my duties, I have access to
these records.

Signature Signature witnessed by

CSO11A Version 6.0 09/06
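
For anyone lining these logs up against wall-clock evidence, the GMT/BST behaviour described in the statement can be applied as below. This is an added example, not part of the statement or of any Fujitsu tool; the `category` argument, the sample rows and the 2004 cut-off year are assumptions, since the statement dates the 'Transfer In' correction only as "the winter months prior to BST 2005".

```python
from datetime import date, datetime, time, timedelta

ONE_HOUR = timedelta(hours=1)
# Assumption: no exact fix date is given, so 'Transfer In' entries up to the
# end of 2004 are treated as having been recorded in local time.
LAST_LOCAL_TIME_YEAR = 2004


def last_sunday(year, month):
    """Last Sunday of a 31-day month (March and October both qualify)."""
    d = date(year, month, 31)
    return d - timedelta(days=(d.weekday() + 1) % 7)


def bst_window_gmt(year):
    """BST runs from 01:00 GMT on the last Sunday in March until 01:00 GMT
    on the last Sunday in October."""
    return (datetime.combine(last_sunday(year, 3), time(1)),
            datetime.combine(last_sunday(year, 10), time(1)))


def gmt_to_local(gmt):
    """Wall-clock time shown at the counter for a GMT log timestamp."""
    start, end = bst_window_gmt(gmt.year)
    return gmt + ONE_HOUR if start <= gmt < end else gmt


def gmt_candidates(logged, category):
    """Possible GMT instants for a logged timestamp.

    One element normally; two when a local-time 'Transfer In' entry falls in
    the repeated hour at the end of BST; none when it falls in the skipped hour.
    """
    if category != "Transfer In" or logged.year > LAST_LOCAL_TIME_YEAR:
        return [logged]                      # already recorded in GMT
    start, end = bst_window_gmt(logged.year)
    if start <= logged < start + ONE_HOUR:
        return []                            # 01:00-02:00 local did not exist
    if start + ONE_HOUR <= logged < end:
        return [logged - ONE_HOUR]           # BST wall clock, shift to GMT
    if end <= logged < end + ONE_HOUR:
        return [logged - ONE_HOUR, logged]   # 01:00-02:00 local occurred twice
    return [logged]                          # winter: local time equals GMT


# Constructed sample rows (category, logged timestamp); not real Horizon data.
SAMPLE = [
    ("Serve Customer", datetime(2004, 7, 14, 9, 30)),
    ("Transfer In", datetime(2004, 7, 14, 10, 35)),
    ("Transfer In", datetime(2004, 10, 31, 1, 20)),
    ("Transfer In", datetime(2005, 7, 14, 10, 35)),
]

if __name__ == "__main__":
    for cat, ts in SAMPLE:
        gmt = [c.isoformat(sep=" ") for c in gmt_candidates(ts, cat)]
        print(f"{cat:15} logged {ts}  GMT {gmt}")
```

An entry that yields zero or two candidates cannot be placed on a timeline from the timestamp alone and needs corroboration from neighbouring records.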