FUJ00163881
FUJ00163881
From:
Sent:
To:
Cc:
Subject:
Jonny,
Parker, Steve[/O=FUJITSU EXCHANGE ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE
GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=C05AB063451849CE89F838011C3]
Tue 19/03/2019 7:51:08 PM (UTC)
Jonathan Gribben (jonathan.gribben
Ibbett, Dave[Dave.Ibbett@,
Newsome, Pete[pete.newsomet
FW: Further counter injection analysis [WBDUK-AC.FID123822914]
{jonathan.gribben@.
Lenton, Matthew[Matthew.Lenton@-
1
See below for results of a search to try to identify Peaks for evidence of RR carrying out "remote access”
PC0064128
PCo0064404
PC0065422
PCO0067821
PC0069428
PC0070241
PC0070295
PC0070386
PC0070983
Pco071912
PC0072437
PC0073492
PC0073739
PCO077887
PC0082107
PC0083168
PC0083193
PC0083677
PC0083774
N
N - dseddon536k - User error
Y - JBallantyne5328R
N - although shows that SSC did not have the ability of Bin2Txt then
N - although shows that SSC did not have the ability of Bin2Txt then
Y - Morgan3146Q,
Y - although we used the Tivoli toolset to delete the training message store - GMaxwell291L.
N - OBC POL not following closure procedure
N - Request to audit
N
N - Replication
N - Request to audit
N - LHulme5546K
Y - Delete message store - Then Swap
Y - JBallantyne1740R - New neighbours not detected.
N
N- MWright1541Q
N
Y - Message store deleted
PC0084623
PC0084738
PC0085089
PC0085130
PC0085704
PC0087244
PC0087325
PC0087629
PCO088816
PC0089032
PC0089947
PCcoos0006
PCo090662
PCo091053
Pco091059
Pco091291
Pco091299
PC0091307
PCo091496
PCo091566
PCO091665
PC0092528
PC0092716
PC0092760
PC0092784
PC0092822
N - AChambers232K
N
N
Y - Collecting logs - Wbragg1055Q
Y - Check all data replicated to CorrS
N
Y - Restart Riposte
Y - Deleted messagestore
N
N
N
N - Noted he found the PM difficult to deal with
Y - to identify where CRC failure is in messagestore.
N
N
N
N - RRollS537M
N - RRollS37M
N - RRollS37M
N- RRoll537M
N - RRollS537M
N - RRollS37M
N - RRollS37M
N - RRollS37M
N
N - RRollS37M
FUJ00163881
FUJ00163881
PC0093706
PC0094778
PCo095601
PCO095607
PC0096250
PC0096528
PC0096779
PC0097893
PC0097936
PC0098327
PC0098335
PC0098344
PCO0098898
Pco0ss992
PC0101764
PCO102797
PC0103275
PCO103956
PCO104085
PCO104538
PCO105264
PC0106489
PC0106729
This list was created by searching for the following terms in any of Rolls updated:
“insert”
“recovery”
“delete”
“replicate”
“squirrel”
N
N - Counters returned to SSC
N - RRollS37M
N - RRollS37M
N
N
N - Check for marooned txns
N - RRollS37M
N - RRollS37M
N
Y - Mirror issue
N
N - RRollS37M
Y - Gateway inspection
N - RRollS37M
N
N - RRollS537M
Y - Recover messagestore from mirror
N
N - JBallantyne337J
Y - 1599 Transactions (inc 118 APS) inserted in to counter 2 message store
N
N
FUJ00163881
FUJ00163881
FUJ00163881
FUJ00163881
“service”
“messagestore”
“riposte”
From: Parker, Steve
Sent: Monday, March 18, 2019 5:08 PM
To: ‘Jonathan Gribben' <jonathan.gribben@ ~~
Ce: Godeseth, Torstein <Torstein.O.Godeseth@"""" RO" i>; Ibbett, Dave <Dave.lbbett@_ GRO}; Lenton,
Matthew <Mauhew tenion ; Newsome, Pete <pete.newsome@. ; Gareth Jenkins
<gi. jenkins@& _4; Lucy Bremner <lucy. bremner@
Subject: RE: rilkere counter injection analysis [WBDUK-AC.FID123822914]
Jonny,
1) Don’t think we can achieve this with a search, might only be achievable via manual examination which is just
too much work, but I’ve forwarded it on and see if anyone has any bright ideas.
2) SSC, yes a keyword search of KEL. SSC people tend to use more sophisticated searches than 2LS and hence
get less hits back to consider.
Steve
From: Jonathan Gribben <jonathan..
Sent: Monday, March 18, 201
To: Parker, Steve <ParkerSP Gnwnn-GROvoel> _
Cc: Godeseth, Torstein <Torstein.O.Godeseth@ ____GRO_____>; Ibbett, Dave <Dave.Ibbett@.
Matthew <Matthew.Lenton@ ; Newsome, Pete <pet some@.___. GRO!
<gi.jenkinsG..
> Lucy Bremner <lucy.bremner.
Subject: RE: Further counter injection analysis [WBDUK-AC.FID123822914]
>; Lenton,
Gareth Jenkins
Steve,
Thank you for this — I will speak to the team about how we deploy this. Just to be clear, is the SSC looking at the
period where Mr Roll was working for the SSC or for the whole of Legacy Horizon (the search at para. 29 of your
second statement was originally described as covering the period that Mr Roll was working for the SSC and we
corrected it because it actually related to the whole of Legacy Horizon)?
There are a few more points that we should be grateful for your help with:-
* please would someone (John Simpkins?) be able to devise a search for and send us a list of:-
Oo Peaks/OCPs for evidence of RR carrying out "remote access" and send us a list of hits?
oO Peaks which show that SPMs reported issues said to have caused discrepancies of £250?
* when an incident comes in to the SSC, how to you find relevant KELs? Is it a keyword search or something
more complicated? What about first and second line — how do they search for relevant KELs?
Kind regards
Jonny
Jonathan Gribben
Managing Associate
Womble Bond Dickinson (UK) LLP.
FUJ00163881
FUJ00163881
Stay informed: sign up to our e-alerts
Join us for Disrupting Disputes 2.0
20 March 2019 at the British Library
Book your place here
womblebonddickinson.com
“ DICKINSON (Y) (in)
From: ParkerSP@ GR
Sent: 18 March 2019°07:57
To: Jonathan Gribben .
Cc: Torstein.O.Godeseth@, GRO i; Dave. Ibbett@
pete.newsome Gon. SRO. ..; Gareth Jenkins
Subject: Further counter injection analysis
i [mailto:ParkerSP@
; Matthew.Lenton@”
IMPORTANT - This email or attached documents contains legal advice (or relates to litigation or anticipated litigation) and is being provided in
circumstances for which Legal Privilege may be claimed. Do not copy or forward this document without permission.
Jonny,
The SSC have been doing some more work to identify Peaks that show the SSC injecting transactions at the counter in
legacy Horizon during the period that Mr Roll was working for the SSC.
You will recall that for my second statement we were asked to identify what kind of issues would result in the SSC
injecting transactions at the counter. The information at para 29 in my second statement were obtained using the
search terms: "RiposteMessageFile", "RiposteMessage", "LPO Delete", "Marooned", "RiposteObject put". The
additional information below has been identified with additional search criteria devised when the original work came
under increased scrutiny recently. To find this additional information the SSC technician searched for all KELs that
mentioned the Riposte tools used to insert messages (RiposteMessageFile, Ripostelmport, RiposteMessage), collated
the KEL references, re-searched the Peak system for any Peaks which contained those KEL references and finally, read
through all the narrative of the Peaks identified by the new search criteria. This was very time consuming but has
revealed some new information:
Peaks Statement Ref
PCO105560, PC0106885 I SP2 29.3 2 additional examples of correcting configuration data after a PinPad
change.
PC0063599, PC0063871, I None: New Ref Data issues, possibly caused by Counter swaps, retaining versions
PC0065796, PCO066061, I type, reference I of Ref Data that should be deleted. In these cases, the effect is that the
data issue Qty and Value of Stock items has got out of step. In order to fix this
problem it was agreed that transactions were inserted to effectively
Rem In the missing Qty, but have no impact on the actual value of the
FUJ00163881
FUJ00163881
stock items. Such inserts had to be done at the counter. These all
occurred in early 2001 and Peak PC0063599 indicates that the
underlying issue of not detecting a problem during rollover was fixed
in application version Cl4
PC0083998 (also cross None: Still a reference data issue but slightly different from the four above.
refers to PC0076029) In this case the issue is to do with Stock remaining for a withdrawn
product after the Reference data has been removed. I think one of the
“22 bugs” is related to this sort of scenario. Again there would have
been messages inserted (though I’m not sure if they could be done at
the CS rather than the counter) to address this issue. It isn’t clear from
the Peaks exactly what message were inserted. It may have just been
the missing reference data.
Note that both of these were picked up by SMC monitoring and not a
SPMR phoning in
It is important that we consider these as well since they expose a new kind of issue where it may be necessary for the
SSC to inject transactions at the counter, that of reference data problems. We believe that there will be more
examples of counter insertions that have not been identified yet but it is becoming increasingly difficult and time
consuming to identify others.
During the exercise SSC also identified three examples of the marooned transaction scenario described in SP2 38.2
(PCO068495, PC0099141, PCO0079196) which may be useful to us if we need to quote examples later
Steve
Tools: RiposteMessageFile, Ripostelmport, RiposteMessage
KEL references revealed: AChambers2226M, CObeng1029162824, DSeddon822M, MYoung5043M, RColeman1250R,
acha2340K, ballantj498J, dsed344J, AHolmes3343J, DSeddon1753N, GMaxwell46141, PCarroll12541, RKing5135L,
g1111, pcar847S, wbra716s
Unless otherwise stated, this email has been sent from Fujitsu Services Limited (registered in England No
96056); Fujitsu EMEA PLC (registered in England No 2216100) both with registered offices at: 22 Baker
Street, London W1U 3BW; PFU (EMEA) Limited, (registered in England No 1578652) and Fujitsu
Laboratories of Europe Limited (registered in England No. 4153469) both with registered offices at: Hayes
Park Central, Hayes End Road, Hayes, Middlesex, UB4 8FE.
This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may
be privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it is
virus-free.
Please consider the environment! Do you need to print this email?
by law 3s this e=
soon as pos: delete any copies, thorised use.
untawful, Information about how we use personal da
Privacy Policy on our website
Any files attached to this e-mail will have been checked by us with virus detection software before transmission, Womble Bond Dickinson (UK) LLP accepts no liability for any
loss or damage which may be caused by software viruses and you should carry out your own virus checks before openin tachment
Content of this email which does not relate to the official business of Womble Bond Dickinson (UK) LLP, is neither given nor endorsed by it.
This email is sent by Womble Bond Dickinson (UK) LLP which is a limited liability partnership registered in England and Wales under number 0C317661. Our registered office
is 4 More London Riverside, London, SE1 2AU, where a list of members’ names is open to inspection, We use the term partner to refer to a member of the LLP, 0 ployee
or consultant who is of equivalent standing. Our VAT registration number is GB123393627.
Womble Bond Dickinson (UK) LLP is a member of Womble Bond Dickinson (Intemation 1s of independent and autonomous law firms providing
services in the US, the UK, and elsewhere around the world. Each Womble Bond Dicki al entity and is not responsible for the acts or omissions of,
FUJ00163881
FUJ00163881
can bind or obligate, another Womble Bond Dickinson entity. Womble Bond Dickinson (Intemational) Limited does not practice law. Please see
swww.womblebonddickinson.com/legal notices for further details.
Womble Bond Dickinson (UK) LLP is authorised and regulated by the Solicitors Regulation Authority.