FUJ00122904 - Standard form Fujitsu draft witness statement Version 9.0 (0209) CS011A with mark-up and comments by Penny Thomas


Witness Statement

(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a)
and 5B, MC Rules 1981, r 70)

Statement of Penelope Anne Thomas

Age if under 18 Over 18 (If over 18 insert ‘over 18')

This statement (consisting of I pages each signed by me) is true to the best of my knowledge and belief
and I make it knowing that, if it is tendered in evidence, I shall be liable to prosecution if I have wilfully
stated in it anything which I know to be false or do not believe true.

Dated the day of 2009

Signature

I have been employed by Fujitsu Services, Post Office Account, formerly ICL Pathway Ltd
since 20 January 2004 as an Information Technology (IT) Security Analyst responsible for
audit data extractions and IT Security. I have working knowledge of the computer system
known as Horizon, which is a computerised accounting system used by Post Office Ltd. I am
authorised by Fujitsu Services to undertake extractions of audit archived data and to obtain
information regarding system transactions recorded on the Horizon system.

Horizon’s documented procedures stipulate how the Horizon System operates, and while I am
not involved with any of the technical aspects of the Horizon System, these documented
processes allow me to provide a general overview.

At each Post Office there are counter positions that have a computer terminal, a visual display
unit and a keyboard and printer. This individual system records all completed transactions
input by the counter clerk working at that counter position. Clerks log on to the system by
using their own unique password. The transactions performed by each clerk, and the
associated cash and stock level information, are recorded by the computer system in a stock
unit. Once logged on, all completed transactions performed by the clerk must be recorded and
entered on the computer and are accounted for within the user's allocated stock unit.

The Horizon system provides a number of daily and weekly records of all completed
transactions input into it. It enables Post Office users to obtain computer summaries for
individual clients of Post Office Limited e.g. Alliance & Leicester. The Horizon system also
enables the clerk to produce a periodic balance of cash and stock on hand combined with the
other transactions performed in that accounting period, known as a trading period.

Signature Signature witnessed by

CSO11A (Side A) Version 7.0 0308

Where local reports are required these are accessed from a button on the desktop menu.
The user is presented with a parameter driven menu, which enables the report to be
customised to requirements. The report is then populated from transaction data that is held in
the local database and is printed out on the printer. The system also allows for information to
be transferred to the main accounting department at Chesterfield.

The Post Office counter processing functions are provided through a series of counter
applications: the Order Book Control Service (OBCS) that ascertained the validity of DWP
order books before payment was made, this application ceased in June 2005; [delete this for
data post June 05] the Electronic Point of Sale Service (EPOSS) that enables Postmasters to
conduct general retail trade at the counter and sell products on behalf of their clients; the
Automated Payments Service (APS) which provides support for utility companies and others
who provide incremental in and out payment mechanisms based on the use of cards and
other tokens and the Logistics Feeder Service (LFS) which supports the management of cash
and value stock movements to and from the outlet, principally to minimise cash held overnight
in outlets. The counter desktop service and the office platform service on which it runs
provides various common functions for transaction recording and settlement as well as user
access control and session management.

Information from counter transactions is written into a local database and then replicated
automatically to databases on all other counters within a Post Office outlet. The information is
then forwarded over ADSL (Asymmetric Digital Subscriber Line) or other communication
service, to databases on a set of central Correspondence Servers at the Fujitsu Services data
centres. This is undertaken by a messaging transport system within the Transaction
Management Service (TMS). Various systems then transfer information to Central Servers
that control the flow of information to various support services. Details of outlet transactions
are normally sent at least daily via the system. Details are then forwarded daily via a file
transfer service to the Post Office accounting department at Chesterfield and also, where
appropriate, to other Post Office Clients.

An audit of all information handled by the TMS is taken daily by copying all new messages to
archive media. This creates a record of all completed outlet transaction details including its
origin - outlet and counter, when it happened, who caused it to happen and the outcome. The
TMS journal is maintained at each of the Fujitsu Services Data Centre sites and is created by
securely replicating all completed transaction records that occurred in every Outlet. They
therefore provide the ability to compare the audit track record of the same transaction
recorded in two places to verify that systems were operating correctly. Records of all
transactions are written to audit archive media.

With Horizon counters, the mechanism by which Data is audited has always worked on the principle that
it is acceptable to audit the same data more than once — in particular if in doubt as to whether or not it
has been previously audited successfully. The Mechanism used on Horizon to retrieve the data took this
into account and only presented one instance of such duplicate data in the ARQ extracts.

In January 2010 a new HNG-X application was introduced to filter transaction records for presentation to
Post Office Limited. It has recently been noticed that this HNG-X retrieval mechanism does not remove
such duplicates. An enhancement to the extraction toolset will be developed, tested and deployed and
will remove such duplicate data in the future. However until this enhancement is deployed, there is a
possibility that data is duplicated. The reliable way to identify a duplicate transaction is to use the
<Num> attribute that is used to generate the unique sequence numbers. This will be included in all
future transaction record returns until the retrieval mechanism is enhanced. A semi-automated process
to copy the returned data, and then to identify and remove any duplicated records which may be present
from this copy by using the <NUM> attribute, has been agreed with Post Office Limited for use in the
interim period.

It is emphasised that the duplication of audited records has not, in any way, affected actual physical
transactions recorded on any counter at any outlet. The duplication of records has occurred during the
auditing process when records were in the process of being recorded purely for audit purposes from the
correspondence servers to the audit servers.

The system clock incorporated into the desktop application on the counter visual display units
is configured to indicate local time. This has been the situation at (INSERT PO), Branch Code
(INSERT) since (INSTALLATION DATE) when the Horizon system was introduced at that
particular Post Office.

The Horizon system records time in GMT and takes no account of Civil Time Displacements,
thus during British Summer Time (BST) (generally the last Sunday in March to the last Sunday
in October), system record timings are shown in GMT — one hour earlier than local time (BST).

transactions being recorded in the logs. — Delete this for data post Oct 2004.

When information relating to individual transactions is requested, the data is extracted from
the audit archive media via the Audit Workstations (AWs). Information is presented in exactly
the same way as the data held in the archive although it can be filtered depending upon the
type of information requested. The integrity of data retrieved for audit purposes is guaranteed
at all times from the point of gathering, storage and retrieval to subsequent despatch to the
requester. Controls have been established that provide assurances to Post Office Internal
Audit (POIA) that this integrity is maintained.

During audit data extractions the following controls apply:

1. Extractions can only be made through the AWs which exist at Fujitsu Services,
Lovelace Lane, Bracknell, Berkshire and Fujitsu Services, Sackville House, Brooks
Close, Lewes, East Sussex. These sites are both subject to rigorous physical security
controls appropriate to each location. All AWs are located in a secure room subject to
proximity pass access within a secured Fujitsu Services site.

2. Logical access to the AW and its functionality is managed in accordance with the
Fujitsu Services, Post Office Account Security Policy and the principles of ISO 17799.
This includes dedicated Logins, password control and the use of Microsoft Windows
NT security features.

3. All extractions are logged on the AW and supported by documented Audit Record
Queries (ARQs), authorised by nominated persons within Post Office Ltd. This log can
be scrutinised on the AW.

4. Extractions are only made by authorised individuals.

5. Upon receipt of an ARQ from Post Office Ltd they are interpreted by CS Security. The
details are checked and the printed request filed.

6. The required files are identified and marked using the dedicated audit tools.

7. Checksum seals are calculated for audit data files when they are written to audit
archive media and re-calculated when the files are retrieved.

8. To assure the integrity of the audit data while on the audit archive media the checksum
seal for the file is re-calculated by the Audit Track Sealer and compared to the original
value calculated when the file was originally written to the audit archive media. The
result is maintained in a Check Seal Table.

9. The specific ARQ details are used to obtain the specific data.

10. The files are copied to the AW where they are checked and converted into the file type
required by Post Office Ltd.

11. An automated macro has been developed to search for and identify duplicate
records based on the <NUM> field. Duplicated records are removed and an
additional worksheet is created; the <NUM> field is also removed from this
worksheet, providing POL with BAU records. The original worksheet, including
any duplicated records identified and the <NUM> field, is retained in the
workbook, providing a full audit trail.

12. Windows Events generated by the counters within the branch/timeframe in question
are checked to ensure the counters were functioning correctly.

13. The requested information is copied onto removal CD media, sealed to prevent
modification and virus checked using the latest software. It is then despatched to the
Post Office Ltd Casework Manager using Royal Mail Special Delivery. This ensures
that a receipt is provided to Fujitsu Services confirming delivery.


ARQ(NUMBER) was received on (DATE) and asked for information in connection with the
Post Office at (NAME), Branch code (NUMBER). I produce a copy of ARQ(NUMBER) as
Exhibit (INITIAL/NUMBER). I undertook extractions of data held on the Horizon system in
accordance with the requirements of ARQ(NUMBER) and followed the procedure outlined
above. I produce the resultant CD as Exhibit (INITIAL/NUMBER). This CD, Exhibit
(INITIAL/NUMBER), was sent to the Post Office Investigation section by Special Delivery on
(DATE).

The report is formatted with the following headings:
ID — relates to counter position
User — Person Logged on to System
SU — Stock Unit
Date — Date of transaction
Time — Time of transaction
SessionId — A unique string relating to current customer session
TxnId — A unique string relating to current transaction
Mode — e.g. SC which translates to Serve Customer
ProductNo — Product Item Sold
Qty — Quantity of items sold
SaleValue — Value of items sold
Entry method - Method of data capture for Transactions (0 = barcode, 1 = manually
keyed, 2 = magnetic card, 3 = smartcard, 4 = smart key)
State — Relates to OBCS
IOP - Order Book Number — OBCS only
Result — Order Book Transaction Result - OBCS only
Foreign Indicator — Indicates whether OBCS payment was made at a local or foreign
outlet (0- Local, 1- Foreign). The foreign indicator defaults to a ‘0’ for all manually
entered transactions - OBCS only

The Event report is formatted with the following headings:

Groupid — FAD code
ID — relates to counter position
Date — Date of transaction
Time — Time of transaction
User — Person Logged on to System
SU - Stock Unit
EPOSSTransaction.T — Event Description
EPOSSTransaction.Ti — Event Result

(FOR MULTIPLE DATA PROVIDED BOTH BEFORE AND AFTER 24 JANUARY 2006
(FROM ARQ562/0506) INCLUDE THE FOLLOWING PARAGRAPH. FOR DATA
PROVIDED WEF 24 JANUARY 2006 AND FROM ARQ562/0506 DELETE THIS PARA
BUT INCLUDE THE ADDITIONAL HEADINGS BELOW )

There is no reason to believe that the information in this statement is inaccurate because of
the improper use of the system. To the best of my knowledge and belief at all material times
the system was operating properly, or if not, any respect in which it was not operating
properly, or was out of operation was not such as to affect the information held within it.

Any records to which I refer in my statement form part of the records relating to the business
of Fujitsu Services. These were compiled during the ordinary course of business from
information supplied by persons who have, or may reasonably be supposed to have, personal
knowledge of the matter dealt with in the information supplied, but are unlikely to have any
recollection of the information or cannot be traced. As part of my duties, I have access to
these records.

Signature Signature witnessed by


Track Changes

1 Insert Penny Thomas, 07/07/2010 09:05 AM
2 Insert Penny Thomas, 07/07/2010 07:42 AM
3 Insert Penny Thomas, 07/07/2010 07:57 AM