FUJ00238269
From: Newsome, Pete [/o=Fujitsu Exchange Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=779e4a5ceab04dcab27a43c7fdb]
Sent: Mon 04/01/2016 4:37:29 PM (UTC)
To: Bansal, Steve (BRAO1
Subject: FW: Strictly Private & Confidential - Subject to Legal Privilege
Steve
Background to the ask on hotfixes.
Pete
Pete Newsome
Business Change Manager
Post Office Account, Fujitsu UK&I
Web: uk.fujitsu.com
Fujitsu named as Responsible Business of the Year
Fujitsu is proud to partner with Action for Children
I-CIO: Global Intelligence for the CIO. Fujitsu's online resource for ICT leaders
Sponsors of the 2015 Rugby World Cup
Please consider the environment - do you really need to print this email?
From: Mark Underwood
Sent: 24 December 2015 10:57
To: Newsome, Pete
Cc: Harvey, Michael
Subject: RE: Strictly Private & Confidential - Subject to Legal Privilege
Pete,
Presumably, if data were available for 2010, the number of 'hotfixes' would include the "62 Branch Anomaly"
referenced in the Second Sight Report?
Similarly, I presume the 2012 numbers include the "14 Branch anomaly"? And the 2015 numbers include the "Forced Log
Off" anomaly (or would this be included in 2016 if the fix occurs in March 2016?)
Also, do you have a timescale in mind for when you think you will have managed to bottom out whether any of these
affected branch accounts?
We are still working on that other piece of work that we spoke about yesterday, but that should be with you in the
next hour or so.
Thanks
Mark
Mark Underwood
Complaint Review and Mediation Scheme
From: pete.newsome
Sent: 23 December 2015 15:41
To: Mark Underwood
Cc: Michael.Harvey
Subject: RE: Strictly Private & Confidential - Subject to Legal Privilege
Mark
Purely the data we had available. There is no formal definition of what goes into a hotfix; it is a term to represent the
fact that this issue was deemed important enough to require a fix before the next maintenance or change release is
scheduled.
Pete
Pete Newsome
Business Change Manager
Post Office Account, Fujitsu UK&I
Web: uk.fujitsu.com
From: Mark Underwood
Sent: 23 December 2015
To: Newsome, Pete
Cc: Harvey, Michael
Subject: RE: Strictly Private & Confidential - Subject to Legal Privilege
Thanks Pete, is there a particular reason we have gone back as far as 2011 and not, for example, 2010 and the
introduction of Horizon Online?
Also - is there a 'formal' definition of a hot fix I can use? I know you have provided an explanation previously, but I
just wondered if there was a specific formulation of words I should use?
Mark
Mark Underwood
Complaint Review and Mediation Scheme
From: pete.newsome [mailto: GRO]
Sent: 23 December 2015
To: Mark Underwood
Cc: Michael.Harvey
Subject: RE: Strictly Private & Confidential - Subject to Legal Privilege
Mark
Have the data on the number of hotfixes:
2015: 6
2014: 1
2013: 4
2012: 3
2011: 4
So far I do not have the detail to confirm the exact nature of the fixes, so cannot confirm if they had any material effect
on branch accounts, but will investigate further.
Regards
Pete
Pete Newsome
Business Change Manager
Post Office Account, Fujitsu UK&I
Web: uk.fujitsu.com
From: Mark Underwood
Sent: 22 December 2015
To: Newsome, Pete; Membery, Bill
Cc: Harvey, Michael; Rodric Williams
Subject: RE: Strictly Private & Confidential - Subject to Legal Privilege
Bill,
Are you able to do a quick search tomorrow morning please, to see if you are able to locate your original reply? I think
it is most likely to have been in an email to Mark Westbrook, Gareth James or Andrew Whitton.
Thanks
Mark
Mark Underwood
Complaint Review and Mediation Scheme
From: pete.newsome
Sent: 21 December 2015 14:42
To: Rodric Williams
Cc: Mark Underwood; Michael.Harvey
Subject: FW: Strictly Private & Confidential - Subject to Legal Privilege
Rodric
Bill has pulled out the information relevant to answering the question asked. In a very concise brief answer, all of this
is covered through the sampling, document review and testing of the controls that Fujitsu has to meet for each of the
standards and audits it is subject to.
Regards and merry Christmas
Pete
Pete Newsome
Business Change Manager
Post Office Account, Fujitsu UK&I
Web: http://uk.fujitsu.com
From: Membery, Bill
Sent: 17 December 2015 16:20
To: Newsome, Pete
Subject: RE: Strictly Private & Confidential - Subject to Legal Privilege
Hi Pete
Yes, we have, as it is part of the PCI overview and ISAE3402 and ISO27001 audits, and in each a clear review of the
segregation of duties of the staff concerned takes place.
Each of the individual SMEs is audited against this as one of the criteria for the above audits:
- Architecture and Design of the Audit System - Gerald Barnes
- Security Operations team are only able to extract data as part of a formal request from Post Office
(Operational Security Team) - Steve Godfrey
- User Management Requests and reviews - (Operational Security Team) - Steve Godfrey
- User Management implementation - (Windows Team for Active Directory) - Michael Green
- User Management - (Integration of Windows AD with Unix authorisation PAM) - Paul Stewart
- The Unix team in Belfast manage the Infrastructure of the audit servers (Paul Stewart)
- Event Management manage the way that events are automatically sent to the audit server from Tivoli
(John Bradley)
The best technical overviews of how the system works come in a diagram that John Bradley has regarding events and
how they are moved to the audit server, and the HLD documentation and verbal explanations given by Gerald Barnes.
Recent Audits have used the following documentation:
Technical:
- DES/APP/HLD/0029 Audit Data Retrieval High Level Design
- DEV/GEN/MAN/0015 Audit Extraction Client User Manual
- DEV/INF/ION/0001 Archive Server Configuration
Process:
- SVM/SEC/PRO/0018 Audit Data Extraction Process
- POL FJ ARQ blank request templates - Request for Extraction
- Encryption of Audit data overview for delivery to and from POL
- PAM Monthly Checks
- Domain Admin checks
- SVM/SEC/PRO/0006 Application for access to the Live Network
- SVM/SEC/PRO/012 Post Office Account User Access Procedure
- SOP PAM - Operation Process PAM Privilege Access User Management
Manufacturer's documentation:
- ETERNUS CS High End V5.1A SPO1 User Guide
- Script designed by EY to test appropriate user access
- Active Directory User Samples
- PAM User Samples
- Vetting samples
- The auditors have also undertaken Physical Observation of the Audit extraction process to verify that this
cannot occur
Kind Regards
Bill Membery
Quality Partner POA and POA Compliance Manager
Fujitsu UK&I SME for PCI
Commercial, Legal and GRC
Nearest Office: Fujitsu, Lancaster House, Shorebury Point, Amy Johnson Way, Squires Gate Lane, Blackpool, FY4 2RJ
Web: http://uk.fujitsu.com
From: Newsome, Pete
Sent: 17 December 2015 14:13
To: Membery, Bill
Subject: FW: Strictly Private & Confidential - Subject to Legal Privilege
Bill
Have you been asked the question below before and can you provide an answer?
Thanks
Pete
Pete Newsome
Business Change Manager
Post Office Account, Fujitsu UK&I
Web: http://uk.fujitsu.com
From: Rodric Williams [mailto: GRO]
Sent: 17 December 2015 13:25
To: Newsome, Pete
Cc: Harvey, Michael
Subject: Strictly Private & Confidential - Subject to Legal Privilege
Pete,
Season’s greetings. Thank you for meeting with Jonathan Swift QC and Christopher Knight from 11KBW on Monday,
especially at this busy time of the year.
I understand that one of the matters raised during your meeting concerned the security setting on the Audit Store’s
physical hardware (Centera), which because it is not set at its maximum level, makes it theoretically possible for
administrators to delete data from the Store during the seven year retention period. Apparently, this could allow
suitably authorised privileged staff in Fujitsu to delete a sealed set of baskets and replace them with other sealed
baskets.
I also understand that this risk should be largely mitigated by the unique sequence numbers (JSNs) recorded against
each basket transferred to the Audit Store, and the digital seals applied to protect them.
This then leaves a risk that someone with the requisite access rights to the ‘digital keys’ used in the sealing process
and admin access on the Audit Store could theoretically:
* Delete an audit store record (after extracting it to review the specific JSNs it contained);
* Recreate the transactional data that was originally within that Audit Store file to suit whatever purpose they
might have (using the JSNs in the original file they have subsequently deleted).
* Seal it using the correct key to generate a valid seal value.
* Reinsert it into the database (requiring the database of seal values to be altered as well to make this change
undetectable).
There would also be the added complexity that the transactions themselves (within a sealed Audit Store file) are also
digitally sealed via digital signature.
The outstanding question therefore was whether anyone had or has the requisite access rights to the Centera boxes
and rights to key management to be able to exploit this.
I understand this question was passed to Bill Membery around May 2014 for clarification (e.g. is this controlled by
having the requisite segregation of duties between key management and the Centera boxes?). Do you know if Bill
was able to do this?
Please let me know if this would be easier to discuss in the first instance.
Kind regards, Rodric
This email and any attachments are confidential and intended for the addressee only. If you are not the named
recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have
received this in error, please contact the sender by reply email and then delete this email from your system. Any views
or opinions expressed within this email are solely those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: Finsbury Dials, 20
Finsbury Street, London EC2Y 9AQ.
Unless otherwise stated, this email has been sent from Fujitsu Services Limited, from Fujitsu (FTS) Limited, or
from Fujitsu Telecommunications Europe Limited, together "Fujitsu".
This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may
be privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it is
virus-free.
Fujitsu Services Limited, registered in England No 96056, registered office 22 Baker Street, London W1U
3BW.
Fujitsu (FTS) Limited, registered in England No 03808613, registered office 22 Baker Street, London W1U
3BW.
PFU Imaging Solutions Europe Limited, registered in England No 1578652, registered office Hayes Park
Central, Hayes End Road, Hayes, Middlesex, UB4 8FE.
Fujitsu Telecommunications Europe Limited, registered in England No 2548187, registered office Solihull
Parkway, Birmingham Business Park, Birmingham, B37 7YU.
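The scenario Rodric Williams sets out above (sequence-numbered baskets, a seal over each basket, a separate register of seal values, and individually signed transactions inside the basket) can be modelled to show which of his steps each control actually catches. The block below is an added example and is not code from Horizon, Fujitsu or Post Office. It assumes a simplified store in which a basket is a JSON body sealed with an HMAC key, the per-transaction "digital signature" is stood in for by a second HMAC under an independently held key, and seal values are copied to a separate register; the key values, the branch ID "B001" and the transaction contents are all constructed for the example.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed keys. The model assumes each is held by a different role, so
# that no single person has both (the segregation-of-duties question above).
SEAL_KEY = b"audit-store-sealing-key-(constructed)"   # sealing / key-management role
TXN_KEY = b"transaction-signing-key-(constructed)"    # stand-in for the transaction signature key


def canon(obj) -> bytes:
    """Canonical JSON encoding so that seals are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_txn(txn: dict) -> dict:
    """Stand-in for the per-transaction digital signature (a keyed MAC here)."""
    return dict(txn, sig=mac(TXN_KEY, canon(txn)))


def seal_basket(jsn: int, txns: list) -> dict:
    """Seal a basket: the seal covers the JSN and every (signed) transaction."""
    body = {"jsn": jsn, "txns": txns}
    return {"body": body, "seal": mac(SEAL_KEY, canon(body))}


def build_store(batches):
    """Return the sealed store and the separate register of seal values."""
    store = [seal_basket(jsn, [sign_txn(t) for t in txns])
             for jsn, txns in enumerate(batches, start=1)]
    register = {b["body"]["jsn"]: b["seal"] for b in store}
    return store, register


def verify_store(store, register):
    """Return a list of findings; an empty list means nothing was detected."""
    findings = []
    expected = 1
    for basket in store:
        body = basket["body"]
        jsn = body["jsn"]
        if jsn != expected:                        # deleted or reordered basket
            findings.append(f"sequence gap: expected JSN {expected}, found {jsn}")
        expected = jsn + 1
        if not hmac.compare_digest(mac(SEAL_KEY, canon(body)), basket["seal"]):
            findings.append(f"JSN {jsn}: basket seal does not verify")
        if register.get(jsn) != basket["seal"]:    # store and register disagree
            findings.append(f"JSN {jsn}: seal differs from seal register")
        for i, txn in enumerate(body["txns"]):
            unsigned = {k: v for k, v in txn.items() if k != "sig"}
            if not hmac.compare_digest(mac(TXN_KEY, canon(unsigned)), txn.get("sig", "")):
                findings.append(f"JSN {jsn}: transaction {i} signature does not verify")
    return findings


# Constructed sample data: three baskets from one fictional branch.
BATCHES = [
    [{"branch": "B001", "item": "stamps", "amount": 12.5}],
    [{"branch": "B001", "item": "cash withdrawal", "amount": -200.0}],
    [{"branch": "B001", "item": "bill payment", "amount": 45.0}],
]


def scenario_delete_only():
    """Admin rights on the store but no keys: basket JSN 2 is deleted."""
    store, register = build_store(BATCHES)
    del store[1]
    return verify_store(store, register)


def scenario_forge_with_seal_key():
    """Admin rights, the sealing key and write access to the seal register,
    but not the transaction-signing key: basket 2 is rewritten and resealed."""
    store, register = build_store(BATCHES)
    forged = deepcopy(store[1]["body"]["txns"])
    forged[0]["amount"] = -2000.0              # old per-transaction signature kept
    store[1] = seal_basket(2, forged)
    register[2] = store[1]["seal"]
    return verify_store(store, register)


def scenario_forge_with_both_keys():
    """Admin rights plus both keys: the store alone cannot detect this."""
    store, register = build_store(BATCHES)
    forged = [sign_txn({"branch": "B001", "item": "cash withdrawal", "amount": -2000.0})]
    store[1] = seal_basket(2, forged)
    register[2] = store[1]["seal"]
    return verify_store(store, register)


if __name__ == "__main__":
    print("clean store:", verify_store(*build_store(BATCHES)))
    print("delete only:", scenario_delete_only())
    print("forge with seal key:", scenario_forge_with_seal_key())
    print("forge with both keys:", scenario_forge_with_both_keys())
```

The three scenarios follow the bullet list in the email: deletion alone leaves a JSN gap that the sequence check reports; rewriting a basket with the sealing key and register access passes both seal checks and is caught only by the per-transaction signature; with admin rights and both keys the verifier reports nothing, which is why the question that matters is whether any one role holds Audit Store admin rights together with both key sets, not whether the seal algorithm is sound.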