Thomas Penny
From: Jenkins Gareth Gl
Sent: 15 July 2010 13:34
To: Thomas Penny
Subject: RE: Duplicatation of Transaction Records in ARQ Returns
Penny,
FUJ00153132
FUJ00153132
Page 1 of 5
This look fine. Do you want me to pop up to sign it with you as a witness? I’m on a conf call for the next hour,
but can come up after that.
Regards
Gareth
Gareth Jenkins
Distinguished Engineer
Applications Architect
Royal Mail Group Account
FUJITSU
Lovelace Road, Bracknell, Berkshire, RG12 8SN
Tel — ¥
Mobile:
email
Web: _http://uk fujitsu.com
BH Phease consider the environment - do you really need to print this email?
Fujitsu Services Limited, Registered in England no 96056, Registered Office 22 Baker Street, London, W1U 3BW.
This e-mail is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be privileged. Fujitsu
Services does not guarantee that this email has not been intercepted and amended or that it is virusfree.
From: Thomas Penny
Sent: 15 July 2010 13:23
To: Jenkins Gareth GI
Subject: FW: Duplicatation of Transaction Records in ARQ Returns
Gareth
Please see note from Jon Longman. His addition to the statement relates directly to West Byfleet
Kind regards
Penny
Penny Thomas
Security Analyst, Customer Services
Fujilsu Services Retail & Royal Mail Group Account
Lovelace Road, Bracknell, Berks RG12 8SN
Tel:
Mob’
Fax
E-Mail’, penny.thomas,
16/07/2010
FUJ00153132
FUJ00153132
Page 2 of 5 ;
Web: _hitp://uk fujitsu.com
Fujitsu Services Limited, Registered in England no 96056, Registered Office 22, Baker Street, London W1U 3BW
This E-mail is only for the use ofits intended recipient. ts contents are subject to a duty of confidence and may be privileged.
Fujitsu Services does not guarantee that:this E-mail has not been intercepted and amended or that it
From: John Longman [
Sent: 15 July 2010 13:03
To: Thomas.Penny
Subject: RE: Duplicatation of Transaction Records in ARQ Returns
Penny
Gareth’s statement is fine. It explains why the duplications occurred and most importantly of all it
confirms that it has no affect on Horizon’s accuracy. I have added an extra paragraph to tie it in with
the trial of Seema Misra and confirm that only ARQ447 has any duplications within the disc you
produced as PT/02.
The defence must be made aware of this issue and I would be grateful if a signed copy of the
statement could be sent to me direct.
Regards
Jon Longman
From: Thomas Penny
Sent: 15 July 2010 12:30
To: John Longman
Subject: FW: Duplicatation of Transaction Records in ARQ Returns
FYI
Penny Thomas
Security Analyst, Customer Services
Fujitsu Services Retail & Royal Mail Grow Account
Lovelace Road, Bracknell, Berks RG12 8SN
Tet
Mob:
Fax, Lowe
E-Mail: penny.thomas,-
Web: — hitp:/luk fyjtstreo
Fujitsu Services Limited, Registered in England:no 96056, Registered Office 22, Baker Street, London W1U 38W
This E-mail is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be privileged.
Fujitsu Services does not-guarantee that this E-mail has not been intercepted and amended or that itis virus-free.
From: Thomas Penny
Sent: 08 July 2010 14:52
To: ‘Mark Dinsdale’
Cc lan X Simpson; Jane M Owen
Subject: RE: Duplicatation of Transaction Records in ARQ Returns
Mark
Thank you for your note.
Please find attached our proposed witness statement for review.
Kind regards
Penny
Penny Thomas
Security Analyst, Customer Services
16/07/2010
FUJ00153132
FUJ00153132
Page 3 of 5
Fujitsu Services Retail & Royal Mail Group Account
Lovelace’Road, Bracknell, Berks RG12 BSN
Tel:
Mob:
Fax
E-Mail: penny thomas
Web: _hittp://uk.fujitsu.com
Fujilsu Services Limited, Registered in England no 96056, Registered Office 22, Baker Street, London W1U 3BW
This E-mail is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be privileged.
Fujitsu Services does not guarantee that this E-mail has not been intercepted and amended or that it is virus-free.
From: Mark Dinsdale
Sent: 07 July 2010 10:26
To: Thomas Penny
Cc: Alan X Simpson; Jane M Owen
Subject: FW: Duplicatation of Transaction Records in ARQ Returns
Penny, as discussed our legal team in principle are happy with this and have agreed that if yourselves
provide a witness statement covering your explanation below and additionally the following points
then the work-around gets the green light.
Juliet suggested the additional points to cover include, what are we doing about it, and over what
period did this anomaly occur (i.e. upon migration to HNGX). She also suggested that the witness
statement be completed by Gareth Jenkins, your expert witness.
Regards
Mark
From: Mark Dinsdale
Sent: 02 July 2010 15:31
To: Marilyn Benjamin; Juliet Mcfarlane
Cc: Jane M Owen
Subject: RE: Duplicatation of Transaction Records in ARQ Returns
Juliet, not sure if this will make total sense, I'm struggling a little.
We had a meeting with Penny from Fujitsu today in respect of a problem that has potentially being in
existence since January.
It appears that the audit data has a number of duplicate transactions contained within (live data is not
effected). It is potentially as a result of systems backing and re-checking itself up towards the close of
play as it only appears to affect data from around 16:40 until close.
The duplicate transactions have the same transaction number so can be readily identified, so there is
no danger of mistaking them for fraudulent duplicate transactions such as POCA duplicate
withdrawals. Unfortunately you may feel this works in favour of the defence as this may strengthen
claims as the question the integrity of Horizon.
This is a further comment provided by Penny Thomas to Alan Simpson (Info Sec)
The duplication of audited records has not, in any way, affected actual physical transactions recorded
on any counter.at any outlet. The duplication of records has occurred during the auditing process
when records were in the process of being recorded purely for audit purposes from the
correspondence servers to the audit servers. It should be noted that this duplication of data in the
audit stream has always been happening. However the Horizon retrieval process automatically
discarded duplicate records before creating the ARQ spreadsheets, while the current HNG-X retrieval
process for Horizon data does not do so.
Therefore I’m not sure of the course of action we should not take. My initial response was to request
that Fujitsu provide a witness statement to quantify the above that we could attach to each case (as
appropriate), and treat each case where this is not accepted individually.
16/07/2010
FUJ00153132
FUJ00153132
Page 4 of 5
Can you please offer any guidance as to what we should do. Fujitsu wil! not send any further ARQ
requests until we tell them that we are happy with the potential work-around or are able to come up
with another solution.
Regards
Mark Dinsdale
Security Programme Manager
Security Team, Post Office Ltd
Post Office Ltd, Security Team, Royal Mail, 3rd
Floor, Clippers House, Clippers Quay, Salford, M50
Confidential Information:
This email message is for the sole use of the
intended recipient(s) and may contain confidential
and privileged information. Any unauthorised
review, use, disclosure or distribution is prohibited.
If you are not the intended recipient please contact
me by reply email and destroy all copies of the
original message.
From: Thomas Penny f°
Sent: 30 June 2010 13733
To: Sue Lowther; Mark Dinsdale; Jane M Owen
Subject: Duplicatation of Transaction Records in ARQ Returns
Sue/Mark/Jane
We have identified that a number of recent ARQ returns contain duplicated transaction records.
With Horizon counters, the mechanism by which Data is audited has always worked on the principle
that it is acceptable to audit the same data more than once — in particular if in doubt as to whether or
not it has been previously audited successfully.
The Mechanism used on Horizon to retrieve the data took this into account and only presented one
instance of such duplicate data in the ARQ extracts,
However it has recently been noticed that the HNG-X retrieval mechanism does not remove such
duplicates and a quick scan of the ARQs provided to Post Office Ltd since the change to the new
system indicates that about 35% of the ARQs might contain some duplicate data. A Peak has been
raised to enhance the extraction toolset and remove such duplicate data in the future. However until
the fix is developed, tested and deployed, there is a possibility that data is duplicated.
The reliable way to identify a duplicate transaction is to use the <Num> attribute that is used to
16/07/2010
FUJ00153132
FUJ00153132
Page 5 of 5
generate the unique sequence numbers. This attribute is not currently included in the Excel version
of ARQ data that has been passed to Post Office Ltd in the past. This will be included in all future
ARQs until the problem is fixed. A workaround, using the <NUM> attribute is suggested, and a
detailed process is attached
Note that we have identified a scenario with Postal Services transactions where multiple, identical
mails items are accepted (ie the Quantity button is set to greater than 1), but Postage Labels are
printed for each individual item. This results in separate transactions being generated for each item,
which are identical in the ARQ extracts (there is another minor difference in the raw data apart from
the <Nurm> attribute, but this. different attribute is not currently included in the ARQ extract).
I've put together a spreadsheet detailing affected ARQs, which is also attached
Mark/Jane I've tried to call you both this morning but I understand you are both tied up. Please call
and we can discuss.
Kind regards
Penny/Tom
Penny Thomas Tom Lillywhite
Security Analyst, Customer Services Principal Security Consultant
Information & Security Services
Fujitsu Services Retail & Royal Mail Group Account
Lovelace Road, Bracknell, Berks RG12,.8SN
E-mail: tom lillywhite
Tet Tel
Mob: Mob
Fax
E-Mail
Web: —hitp://uk.fujitsucom
Fujitsu Services Limited, Registered in England no 96056, Registered Office 22, Baker Streel, London W1U 3BW
This E-mail is only for the use of its intended recipient. its contents are subject to a duty of confidence and may be privileged.
Fujitsu Services does not guarantee that this E-mail has not been intercepted and amended or that itis virus-free.
Sihrnnnennnrniinneineniiinanstaniinisass+t Royal Mail Group Limited registered in
England and Wales registered number 4138203 registered office 3rd Floor, 100 Victoria
Embankment, London, EC4Y 0HQ This email and any attachments are confidential and intended for
the addressee only. If you are not the named recipient, you must not use, disclose, reproduce, copy
or distribute the contents of this communication. If you have received this in error, please contact the
sender and then delete this email from your system.
steneeeensnenesasnennennensnnnueentinenaeneannnnitanenteatiesneneste® Roval Mail Group Limited registered in
England and Wales registered number 4138203 registered office 3rd Floor, 100 Victoria
Embankment, London, EC4Y 0HQ This email and any attachments are confidential and intended for
the addressee only. If you are not the named recipient, you must not use, disclose, reproduce, copy
or distribute the contents of this communication. If you have received this in error, please contact the
sender and then delete this email from your system.
16/07/2010