FUJ00162078
From: Gareth Jenkins
Sent:
To:
Christopher.Ja\
Legal.Defence/
Cc: Andrew Parsons
ParkerSPi” ‘Emma Campbell-
Daneshf7 77
Subject: RE: Injecting transactions - urgent [WBDUK-AC.FID27032497]
Attachment: RE: Injecting transactions - urgent [WBDUK-AC.FID27032497] (78.3 KB)
IMPORTANT - This email or attached documents contains legal advice (or relates to litigation or anticipated litigation) and is being provided in
circumstances for which Legal Privilege may be claimed. Do not copy or forward this document without permission.
Hi Jonny,
Dave’s email doesn’t include my specific responses that I prepared on Friday.
These are in the attached email. Note that the comments I made on Saturday were meant as clarification to my note
on Friday.
Hopefully it all makes sense.
Best wishes
Gareth
From: Dave.Ibbett_
Sent: 11 February 2019 0
To: Jonathan Gribben
Parkers!
Subject:
ting transactions - urgent [WBDUK-AC.FID27032497]
Hi Jonny,
Please see below from Gareth over the weekend. Matthew supplied Gareth some documentation to go through
resulting in the detail below.
I’ve had a quick scan and they confirm the following:
1. All AP Transactions in Old Horizon were digitally signed at the counter and so cannot be spoofed by SSC
2. All Banking Transactions are digitally signed at the counter and so cannot be spoofed by SSC
3. (NB all transactions are digitally signed in HNG-X so spoofing can’t happen).
That means that the only transactions that could possibly be injected by SSC to benefit them (as opposed to re-
injecting copies of missing transactions that have been recovered) are EPOSS Transactions, which mean Giro Deposits
and Manual Banking Deposits.
Regards,
Dave
From: Jonathan Gribben
Sent: 10 February 2019 2:
To: Gareth Jenkins {
I Newsome, Pete 3; Jay, Christopher
Defence Legal (Chris Jay,)
} Ibbett,
Lucy Bremner
Parker, Stevi mma Campbell-Daneshi
Subject: RE: Injecting transactions - urgent [WBDUK-AC.FID27032497]
Evening all,
Please would you let me know when we can expect to receive Fu's response to my email below. We need to issue the
letter to Freeths ASAP this week as we are in Court for a pre trial review on Thursday.
Many thanks
Jonny
Jonathan Gribben
Managing Associate
Womble Bond Dickinson (UK) LLP
From: Gareth Jenkins
Sent: 07 February 2019 16:26
To: Jonathan Gribben; pete.newsome; Christopher.Jay
Cc: Andrew Parsons; Dave.Ibbett; Lucy Bremner; ParkerSi
Subject: RE: Injecting transactions - urgent [WBDUK-AC.FID27032497]
Hi,
I’ve received mine and commented to others in Fujitsu. I assume that someone will forward a consolidated set of
comments to you.
Best wishes
Gareth
From: Jonathan Gribben
Sent: 07 February 2019
To: Gareth Jenkins,
Legal.Defence
Cc: Andrew Parsons
Lucy Bremner
Subject: RE: Injecting transactions - urgent [WBDUK-AC.FID27032497]
Gareth, Pete, Chris and Dave,
Please confirm whether or not you received my email below. I re-sent it with the attachments split across two emails
as the first one bounced back.
Kind regards
Jonny
Jonathan Gribben
Managing Associate
Womble Bond Dickinson (UK) LLP.
From: Jonathan Gribben
Sent: 06 February 2019 20:01
To: ‘Gareth Jenkins’; ‘
_$ Lucy Bremner; 'ParkerSP:__
IK-AC.FID27032497]
Dear all,
Privileged & Confidential — please do not forward
Apologies in advance for the length of this email.
Exec Summary
Paragraph 35 of Steve's second statement is not entirely correct. We have been looking into this subject further and
below is a summary of our investigation.
We need to send Freeths a letter to clarify the correct position. I have summarised the key points and set out some
questions below along with a summary of our investigation. Please would you review those and let me know the
responses/whether anything is incorrect by midday tomorrow. Once this has been done we will draft a letter to Freeths
correcting the position that we will ask you to review and confirm before it is issued.
Summary of key points/questions
Key points:-
* Post Office offered personal banking (manual) for a number of institutions from the introduction of Horizon;
* it would have been possible for a rogue SSC employee to inject a cash deposit into their personal banking
account;
* a customer's account would not be credited until the paper deposit slip reached the relevant financial
institution (need to confirm this for Girobank), so the rogue SSC employee would not benefit from injecting a
transaction because there would be no corresponding paper deposit slip (query whether a TC would be issued
due to the absence of the paper deposit slip);
* online banking transactions were introduced in 2003 and Gareth does not know if it would even be possible to
get around the encryption issues that would be present if someone tried to insert an "automated" transaction;
and
* there are some other transactions that the rogue SSC employee could have injected — for manual transactions
there may be a paper trail (TBC on a transaction by transaction basis) and for online (i.e. automated)
transactions the position would be the same as per online banking transactions (i.e. encryption issues).
Questions:-
* were online Girobank transactions AP transactions?
* does AP mean automated?;
* what would a rogue SSC employee have to do in order to inject an online/automated transaction (i.e. please
articulate the encryption issues and describe what would have to be done to theoretically get around them,
including references to any controls designed to prevent this)?
Summary of investigation into injecting transactions in Legacy Horizon
Paragraph 35 of Steve's statement reads:-
“With reference to Dr. Worden's statement that "as for transferring money, Horizon includes no functionality
that allows payments to be made to external parties or account", at paragraphs 20.1, 20.3, 21 and 58.4 of my
first statement I said that money could not be transferred, by which I mean that it could not be transferred into
a third party’s bank account. I have given this matter further thought and discussed it with my colleagues and
we have now theorised that someone could have carried out a Post Office transaction, such as a GIRO bank
transfer[2] or a utility bill payment. A GIRO bank transfer inserted by someone at SSC would have been
detected as part of Post Office's reconciliation processes because there would be no accompanying paper
document. There is no accompanying paper document for a utility bill payment, so in theory such a transaction
would not be detected through reconciliation. I am not aware of any such activity ever taking place and if it had
occurred it would have resulted in instant dismissal.
[2] A Giro bank is also an AP transaction (like bill payments). It is the only type of bank account that is. All other
banking deposits go through a totally different path."
After the statement had been submitted, Gareth provided the following comments:-
1. The Giro Bank Transactions are not AP, but standard EPOSS Transactions. I don’t know how info on them got
to Giro Bank — it may well be that Giro Bank worked off the paper trail and then sent summaries to POL which
they then reconciled with the Horizon feed. POL would need to provide the details.
2. Prior to online banking (introduced in 2003), POL did support some (but not all) other banks with deposit and
cheque cashing facilities. Again these were EPOSS (not AP) transactions. I assume that there was also a
paper trail here and it would work in a similar way to Giro Bank. Again it is POL that need to define the
process. All Horizon did was provide the buttons to record the electronic part of the transaction.
Please find attached the following documents:
1. Post Office's Counter Operations Manual for Personal Banking (version 1 August 2001) which sets out the
procedure for accepting cash deposits other than Alliance & Leicester Giro services (see the comment on
page 2 re Alliance & Leicester Giro services being distinct and separate from those that appear in this booklet
and can be found in the Alliance & Leicester Giro booklet — Post Office have not yet been able to locate the
corresponding version of this booklet but has provided version 3 from March 2007 — see point 3 below) and
states that cash is not deposited into a customer's account until the paper deposit document reaches their
bank (section 5.9 on page 9).
2. Post Office's Operational Focus 0203 from 3 - 9 April 2003 which contains a list of banking services available
at branches from Tuesday 1 April 2003 and shows that Post Office accepted cash deposits from seven banks.
All of them are stated to be "manual", apart from Alliance & Leicester/Giro Bank which is stated to be
"automated or manual". Manual means paper based and automated means online using a card.
3. Post Office's Operations Manual for Alliance & Leicester Personal Banking (version 3 March 2007). This
version shows that Post Office did not offer manual Alliance & Leicester personal banking by March 2007 - it
was online banking only.
4. Post Office's Horizon System User Guide / Balancing with Horizon Guide (version 1 28 July 2000). This
Balancing with Horizon Guide Section 1 deals with Personal Banking (page 734 of the PDF) and Alliance &
Leicester Girobank (page 743 of the PDF). It was a requirement to rem out paper deposit slips on a daily
basis. There was also an opportunity for branches to reconcile the Horizon record of deposit transactions with
the paper deposit slips they were holding as part of this process.
The distinction between online and manual banking transactions is that it would have been possible for SSC to insert a
"manual" transaction, but Gareth does not know if it would even be possible to get around the encryption issues that
would be present if someone tried to insert an "automated" transaction. Automated deposit transactions required the
customer's card to be swiped through the PIN Pad, which would add in some crypto data that prevents SSC being able
to mimic this step.
In terms of other transactions that could have potentially been injected for personal benefit, based on the list of
products and services available in branches as at July 2005 as per the attached welcome pack Gareth has advised
that:-
* it may have been possible to inject bill payment transactions to pay a bill (i.e. the utility bill example given in
Parker 2, for which there would be no paper trail/reconciliation);
* telephony transactions were all online, so the position is the same as online banking transactions (i.e.
encryption issues);
* banking/savings — covered above;
* national savings and investments — a mix of online and offline. We are checking with Post Office whether
there was a paper trail for the offline ones;
* money transfer — online; and
* the rest did not involve any accounts to credit and therefore the rogue SSC employee wouldn't benefit.
Unless otherwise stated, this email has been sent from Fujitsu Services Limited (registered in England No
96056); Fujitsu EMEA PLC (registered in England No 2216100) both with registered offices at: 22 Baker
Street, London W1U 3BW; PFU (EMEA) Limited, (registered in England No 1578652) and Fujitsu
Laboratories of Europe Limited (registered in England No. 4153469) both with registered offices at: Hayes
Park Central, Hayes End Road, Hayes, Middlesex, UB4 8FE.
This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may
be privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it is
virus-free.