FUJ00243260
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a)
and 5B, MC Rules 1981, r 70)
OFFICE
Statement of HNG-X Standard Witness Statement
Age if under 18 Over 18 (If over 18 insert ‘over 18’)
This statement (consisting of 6 pages each signed by me) is true to the best of my knowledge and belief and I
make it knowing that, if it is tendered in evidence, I shall be liable to prosecution if I have wilfully stated in it
anything which I know to be false or do not believe true.
Dated the 8th day of June 2020
Signature
I have been employed by Fujitsu Services Limited, on the POA (Post Office Account), since 11 March
2002 as an Information Technology (IT) Security Analyst responsible for audit data extractions and IT
Security. I have working knowledge of the computer system known as Horizon, which is a
computerised accounting system used by Post Office Ltd. I am authorised by Fujitsu Services Limited
to undertake extractions of audit archived data and to obtain information regarding system transactions
recorded on the Horizon system.
During 2009/2010 the Horizon system was upgraded to Horizon HNGX and the detail contained in this
witness statement refers to audited transaction records generated by this upgraded Horizon HNGX
system. Unless I state otherwise in this statement when I subsequently refer to the “Horizon System”
I am referring to the Horizon system as upgraded by Horizon HNGX.
The Horizon System’s documented procedures stipulate how the Horizon System operates, and while
I am not involved with any of the technical aspects of the Horizon System, these documented
procedures allow me to provide a general overview.
At each Post Office there are counter positions that have a computer terminal, a visual display unit and
a keyboard and printer. Clerks log on to the system by using their own User ID unique to that particular
Branch. The transactions performed by each clerk, and the associated cash and stock level
information, are recorded against a stock unit and retained in a central database. Once logged on, all
CS011A (Side A) Version 11.0 Jan 2011
completed customer sessions performed by the clerk must be recorded and entered on the computer
and are accounted for against the user's allocated stock unit on the central database. Communications
between the counter and the Data Centre are carried out over a Local Area Network within the Branch,
connecting through to a Branch Router in each Branch. The Branch Router is then able to
communicate over a variety of possible Network types including ADSL, ISDN, GPRS, Satellite or PSTN
(depending on local availability) to the Data Centre. All communications are digitally signed at the
counter, using a key that is established as part of the Log On process, and all communications are
passed via a Virtual Private Network, preventing the information from being intercepted or tampered
with between the Counter and the Data Centre. Digital Signatures are checked upon receipt in the
Data Centre to prevent tampering.
The Horizon System provides a number of daily and weekly records of all completed transactions input
into it. It enables Post Office users to obtain computer summaries for individual clients of Post Office
Limited e.g. Santander. The Horizon System also enables the clerk to produce a periodic balance of
cash and stock on hand combined with the other transactions performed in that accounting period,
known as a trading period.
Where local reports are required these are accessed from a button on the desktop menu. The user is
presented with a parameter driven menu, which enables the report to be customised to requirements.
The report is then populated from transaction data that is held in the central database and is printed
out on the printer. The system also allows for information to be transferred to the main accounting
department at Chesterfield.
The Post Office counter processing functions are provided through counter applications that carry out
the following types of transaction: the Electronic Point of Sale Service (EPOSS) that enables
Postmasters to conduct general retail trade at the counter and sell products on behalf of their clients;
the Automated Payments Service (APS) which provides support for utility companies and others who
provide incremental in and out payment mechanisms based on the use of cards and other tokens and
the Logistics Feeder Service (LFS) which supports the management of cash and currency movements
to and from the outlet, principally to minimise cash held overnight in outlets. The counter desktop
service and the counter on which it runs, provides various common functions for transaction and
customer session recording and settlement as well as user access control and session management.
Information from customer sessions carried out at a counter is written into the central database of the
Horizon System at Fujitsu Services Limited's data centres. Various systems then transfer information
to central servers that control the flow of information to various support services. Details are then
forwarded daily via a file transfer service to the Post Office accounting department and also, where
appropriate, to other Post Office clients.
An audit of information passed to the central database is taken daily by copying new messages to
archive media. This creates a record of completed outlet session details including its origin - outlet and
counter, when it happened, who caused it to happen and the outcome. These records are written to
audit archive media. Each Audited message passed from a counter to the data centre includes a
sequence number (known as the JSN — Journal Sequence Number) which is incremented by 1 for every
audited message.
The system clock incorporated into the desktop application on the counter visual display units is
configured to indicate local time: This is the situation at!”
The Horizon System records time in GMT and takes no account of Civil Time Displacements, thus
during British Summer Time (BST) (generally the last Sunday in March to the last Sunday in October),
system record timings are shown in GMT — one hour earlier than local time (BST).
When information relating to individual transactions is requested, the data is extracted from the audit
archive media of the Horizon System via the Audit Workstations (AWs). Information is presented in
exactly the same way as the data held in the archive although it can be filtered depending upon the
type of information requested. The integrity of data retrieved for audit purposes is guaranteed at all
times from the point of gathering, storage and retrieval to subsequent despatch to the person making
the request. Controls have been established that provide assurances to Post Office Internal Audit
(POIA) that this integrity is maintained.
During audit data extractions the following controls apply:
1. Extractions can only be made through the AWs which exist at Fujitsu Services Limited,
Lovelace Lane, Bracknell, Berkshire and Fujitsu Services Limited, 14 Cavendish Road
Stevenage. These two sites are both subject to rigorous physical security controls appropriate
to each location. All AWs are located in a secure room subject to proximity pass access.
2. Logical access to the AW and its functionality is managed in accordance with the Fujitsu
Services Limited’s POA Security Policy and the principles of ISO 27001. This includes
dedicated Logins, password control and the use of 2-factor access control.
3. All extractions are logged on the AW and supported by documented Audit Record Queries
(ARQs), authorised by nominated persons within Post Office Ltd. This log can be scrutinised
on the AW.
4. Extractions are only made by authorised individuals.
5. Upon receipt of an ARQ from Post Office Ltd they are interpreted by CSPOA Security. The
details are checked and the printed request filed.
6. The required files are identified and marked using the dedicated audit tools.
7. Checksum seals are calculated for audit data files when they are written to audit archive media
and re-calculated when the files are retrieved.
8. The specific ARQ details are used to obtain the transaction records.
9. The files are copied to the AW where they are checked and converted into the file type required
by Post Office Ltd.
10. Digital signatures that were generated at the time that messages were originally sent from the
counters to the Data Centre are checked as being correct.
11. Checks are made using the JSN that all audited messages for each counter in the Branch have
been retrieved and that no messages are missing.
12. System events generated when the transactions at the branch were recorded are checked to
ensure the system was functioning correctly.
13. The retrieved audit data is encrypted using PGP encryption and held on the AW in the
encrypted form.
14. The requested information is copied onto removable CD media and virus checked using the
latest software. It is then despatched to the Post Office Ltd Casework Manager using Royal
Mail's Special Delivery Service. This ensures that a receipt is provided to Fujitsu Services
confirming delivery.
ARQs 205-207 was received on 2 May 2019 and asked for information in connection with the!
Branch code 11 produce a copy of ARQs 205-207 as Exhibit APD001. I
undertook extractions of data held on the Horizon System in accordance with the requirements of ARQs
205-207 and followed the procedure outlined above. I produce the resultant CD as Exhibit APD002.
This CD, Exhibit APD002, was sent to the Post Office Investigation section by Special Delivery on 8th
May 2019.
The report is formatted with the following headings:
ID - relates to counter position
User - person logged on to the system
SU - stock unit
Date - date of transaction
Time - time of transaction
SessionId - a unique identifier for a customer session for a given counter within a branch
Txnid - an identifier for a transaction within a customer session
Mode - a numeric representation of the type of transaction, eg. Mode 1 translates to Serve
Customer
ProductNo - Horizon Online product code
Qty - number of items sold
SaleValue - cost of items sold
EntryMethod - identifies how the transaction was initiated (0 = barcode, 1 = manually keyed, 2
= magnetic card, 3 = smartcard, 4 = smart key)
The Event report is formatted with the following headings:
GroupId - PO outlet branch code
ID - counter position
Date - date of transaction
Time - time of transaction
User - person logged on to the system
stockUnit - stock unit
reportingEventId - event number as used in the Branch’s Event Log
eventDetailMsg - event description
The Horizon counters had no virus checking software installed, as they ran on Windows NT 4.0 which
at the time was not a common system and to our knowledge was not compatible with any readily
available anti-virus software.
Instead a number of other controls were agreed with Post Office and put in place. The counters
themselves were locked down, ie:
* They would only boot into the Horizon Application
* All the standard multitasking keyboard shortcuts were disabled.
* NT 4.0 does not support USB devices.
* 3.5 inch floppy drive was disabled.
* WAN and LAN connections were protected by VPN (Virtual Private Network) (a device on the
local LAN would not be able to connect to the counters)
There is virus checking in the Post Office DataCenter monitoring all transactions.
There were no known malware or viruses between 1/11/2017 and 31/01/2018.
There is no reason to believe that the information in this statement is inaccurate because of the
improper use of the system. To the best of my knowledge and belief at all material times the system
was operating properly, or if not, any respect in which it was not operating properly, or was out of
operation was not such as to affect the information held within it.
Any records to which I refer in my statement form part of the records relating to the business of Fujitsu
Services Limited. These were compiled during the ordinary course of business from information
supplied by persons who have, or may reasonably be supposed to have, personal knowledge of the
matter dealt with in the information supplied, but are unlikely to have any recollection of the information
or cannot be traced. As part of my duties, I have access to these records.