Message
POL00024828
POL00024828
From: Thomas P Moran
Sent: 26/07/2016 21:46:12
To: Angela Van-Den-Bogerd [angela.van-den-boger ;/cn=ap6]; Rob Houghton
cc: Rodric Williams; Tom Wechsler; Melanie Corfield; Jane MacLeod; Patrick Bourke; Mark R Davies [t.
Subject: Re: Strictly Private & Confidential - Subject to Litigation Privilege [BD-4A.FID26859284]
Rod
Please could you organise a call for SG members tomorrow? I think it's the only way we will be able to agree and give
Andy a clear steer so we can complete this on time.
I am out of contact in Brum Cash Centre tomorrow morning but flexible any time from 12.
Thanks
Tom
On Jul 26, 2016, at 10:15 PM, Angela Van-Den-Bogerd
Andy
I don’t feel the redrafting improves the situation much as it still reads to me that we are trying to get our
defence in early before we actually know what we’re defending. The key observation for me is in 1.3.1,
1.3.2, 1.3.3 we state what the functionality is and what it is used for. With 1.3.4 we don’t explain why
this access would be granted in the first place. I wonder therefore it would be beneficial for us to be
consistent here in how we approach each of these 4 points for the response and then provide a more
detailed explanation when we have the definitive position.
Just a thought...
Angela
Angela Van Den Bogerd
Director of Support Services
1st Floor, Ty Brwydran,
Atlantic Close, Llansamlet
Confidential Information:
This email message is for the sole use of the intended recipient(s) and may contain confidential and
privileged information. Any unauthorised review, use, disclosure or distribution is prohibited. If you
are not the intended recipient please contact me by reply email and destroy all copies of the original
message.
POL-0021307
From: Parsons, Andrew [.__ GRO
Sent: 26 July 2016 18:14
To: Rob Houghton; Jane MacLeod
Cc: Rodric Williams; Patrick Bourke; Thomas P Moran; Tom Wechsler; Mark R Davies; Melanie Corfield;
Angela Van-Den-Bogerd
Subject: RE: Strictly Private & Confidential - Subject to Litigation Privilege [BD-4A.FID26859284]
All
The description of the situation in points 1 - 3 in Jane's email accurately records our current
understanding. To tackle this issue, there are two work-streams ongoing:
1. Deloitte are investigating the key questions of (a) whether FJ
can alter or delete records and if so (b) would this leave a visible audit trail (to Post Office, FJ
and/or SPMR).
2. We (BD / POL) are putting together a chronology of statements
made by (i) FJ to POL and (ii) POL to others.
We can then assess whether there have been any inaccurate representations of the position and, if so,
what impact this may have on the claims.
This work will not however be complete before Thursday's deadline for responding to Freeths (the due
date for Deloitte's work is mid-August and even then I suspect there may be follow-up enquiries that go
beyond August). I agree with Rob's suggestion that it would be preferable to understand the complete
picture before saying anything, but unfortunately time is against us. I also have in mind Tony's strong
advice about being transparent on this point as far as possible.
As to the Letter of Response, we can remove the wording in square brackets as per Jane’s email. Doing
so however may make it seem like Super User access can definitely be used to affect branch accounts,
when this is not 100% certain. I have therefore proposed some alternative wording in the attached.
In terms of Paula contacting FJ, I can see this would help ensure that FJ continue to engage promptly
and fully, subject to two caveats:
1. I would not mention Bullet 5 in Jane's email. If FJ get a sense
that Post Office is holding FJ responsible for past statements, this may cause FJ to become
defensive, making it more difficult to get information out of them.
2. Paula needs to stick tightly to the remaining 4 bullets so not to
accidentally waive privilege in circumstances where there is a (perhaps remote) possibility of a
claim against FJ.
All comments on the attached wording are welcomed.
Kind regards
Andy
Andrew Parsons
Partner
www.bonddickinson.com
From: Rob Houghton;
Sent: 26 July 2016 15:48
To: Jane MacLeod; Parsons, Andrew
Cc: Rodric Williams; Patrick Bourke; Thomas P Moran; Tom Wechsler; Mark R Davies; Melanie Corfield;
Angela Van-Den-Bogerd
Subject: RE: Strictly Private & Confidential - Subject to Litigation Privilege
Before we do anything — I would suggest that we get a definitive view from Deloitte on the below.
• In essence therefore the difference would appear to turn on whether FJ can alter or delete
records (a) at all; and (b) if the answer to (a) is yes, and it does so, is there a visible audit
trail? My understanding of Deloitte’s initial findings is that the answer to (a) is yes and to (b)
is ‘not necessarily’.
It hinges on the DBAs superuser ability to access and modify tables within FJ and we need Deloitte/ FJ/
POL to have a very direct conversation on this. All the FJ statements are probably true through normal
tools and capabilities. The challenge is whether the DBAs have extra privilege. Before we go too far
down this line we need to absolutely assure ourselves from Deloitte and FJ. Have we got any further
detail from Deloitte yet?
R
From: Jane MacLeod
Sent: 26 July 2016 14:45
To: Parsons, Andrew
Cc: Rodric Williams; Patrick Bourke; Thomas P Moran; Tom Wechsler; Mark R Davies; Melanie Corfield;
Angela Van-Den-Bogerd; Rob Houghton
Subject: Strictly Private & Confidential - Subject to Litigation Privilege
Andy
I briefed our Group Executive this morning on the progress on the litigation and the planned positioning
of the various issues in the response letter due to be sent to Freeths at the end of the week. In
particular, I commented on the issues around the response to the remote access issue.
As expected there was significant concern around the apparent change in emphasis from previous public
statements, the resultant adverse publicity this may create, and the impact this may have on new
ministers etc, who will not have been briefed. The conclusion to the discussion was that we should
include a statement in the letter as planned, however we should re-consider the phrasing of this.
In responding to Freeths, we need to be cognisant of the following:
1. What did Fujitsu actually tell us about remote access?
• I haven’t as yet seen any further analysis on what statements we have received from FJ,
however Mark U found the email trail (below) last week.
• My (layman’s) interpretation is that what FJ said below is narrower than what we now
believe to be the case, and narrower than what we are now proposing to say. The FJ
response below says you can add records (which would be visible via the audit trail) but
infers that records can’t be changed or deleted.
2. What we have previously said publicly?
• Mark collated a range of statements (attached) which can be summarised by the statement
made to Panorama “Neither Post Office nor Fujitsu can edit the transactions as recorded by
branches. Post Office can correct errors in and/or update a branch's accounts by inputting a
new transaction (not editing or removing any previous transactions)”.
• In essence therefore the difference would appear to turn on whether FJ can alter or delete
records (a) at all; and (b) if the answer to (a) is yes, and it does so, is there a visible audit
trail? My understanding of Deloitte’s initial findings is that the answer to (a) is yes and to (b)
is ‘not necessarily’.
3. Assuming the above is correct, we must then consider how to position our statement in the
response to Freeths.
For the avoidance of doubt, I understand the proposed statement to be:
“Database and server access and edit permission is provided, within strict controls, to a small, controlled
number of specialist Fujitsu personnel. Use of these permissions is logged but rare. [ Enquiries are
continuing as to whether this particular form of access could be used to affect a branch's accounts, and
if so, whether this has happened.]”
The challenge is whether we include the final sentence in square brackets. While this is the key issue
from a legal perspective as it goes to causation, the statement flags that we are concerned enough
about it that we are doing further work on it. So, my question is do we really need the final
sentence? If as a result of the Deloitte work we discover that the actual position is different from that
which we have said already, then we will need to correct it in any event. Do we gain anything by
flagging the fact of this work now?
Separately, Paula has suggested that she speaks to the UK CEO of Fujitsu (Duncan Tait), and my
suggestion would be that she:
• alerts him to the fact and timing of the response letter
• notes that the question of remote access is still a live issue and major concern to the claimants
• notes the work being undertaken by Deloitte to review access rights and controls,
• expresses the desire that FJ [continue to] work constructively with Deloitte, and
• flags that if the Deloitte work uncovers a different position to that which FJ and PO have
publicly stated over the years, then we will need to consider carefully how to manage the
impact given that ultimately, the outcome of such work will become public.
I'd be grateful for your thoughts.
PO team — the above is to keep you informed. In light of the sensitivity of the issues please do not
forward. Any questions should be addressed to Andy, Rod or me in order to preserve privilege.
Thanks,
Jane
Jane MacLeod
General Counsel
Ground Floor
20 Finsbury Street
LONDON
EC2Y 9AQ.
Mobile number
From: Mark Underwood;
Sent: 19 July 2016 11:13
To: Patrick Bourke; Jane MacLeod; Rodric Williams
Cc: Parsons, Andrew
Subject: FW: Strictly Private & Confidential - Subject to Privilege arising from M008 - Rivenhall
In reading through the LOR and pulling together bits for it, I stumbled across the below email for James
Davidson (then of Fujitsu).
I thought I would share as it may prove useful further down the line — depending where we get to with
Deloitte on ‘Remote Access’.
Mark
From: Mark Underwood
Sent: 08 December 2015 12:42
To: Mark Underwood
Subject: FW: Strictly Private & Confidential - Subject to Privilege arising from M008 - Rivenhall
From: Davidson James
Sent: 17 April 2014 16:27
To: Rodric Williams
Cc: Harvey Michael; Newsome Pete
Subject: RE: Strictly Private & Confidential - Subject to Privilege
Rodric,
Please see Fujitsu’s response below.
Summary:
• There is no ability to delete or change records a branch creates in either old Horizon or Horizon
online. Transactions in both systems are created in a secure and auditable way to assure
integrity, and have either a checksum (Old Horizon) or a digital signature (Horizon Online), are
time stamped, have a unique sequential number and are securely stored via the core audit
process in the audit vault.
• Whilst a facility exists to ‘inject’ additional transactions in the event of a system error, these
transactions would have a signature that is unique, sub-postmaster id’s are not used and the
audit log would house a record of these. As above, this does not delete or amend original
transactions but creates a new and additional transactions.
• This facility is built into the system to enable corrections to be made if a system error / bug is
identified and the master database needs updating as a result, this is not a unique feature of
Horizon.
• Approvals to ‘inject’ new transactions are governed by the change process, 2 factor
authentications and a ‘four eyes’ process. A unique identifier is created and can be audited for
this type of transaction within HNGX, Horizon would require more extensive work to investigate
as explained below.
1. Can Post Office change branch transaction data without a subpostmaster being aware of the
change? No
2. Can Fujitsu change branch transaction data without a subpostmaster being aware of the
change? Once created, branch transaction data cannot be changed, only additional data can
be inserted. If this is required, the additional transactions would be visible on the trading
statements but would not require acknowledgement / approval by a sub-postmaster, the
approval is given by Post Office via the change process. In response to a previous query Fujitsu
checked last year when this was done on Horizon Online and we found only one occurrence in
March 2010 which was early in the pilot for Horizon Online and was covered by an
appropriate change request from Post Office and an auditable log. For Old Horizon, a detailed
examination of archived data would have to be undertaken to look into this across the lifetime
of use. This would be a significant and complex exercise to undertake and discussed previously
with Post Office but discounted as too costly and impractical.
3. If not, where is the evidence for this conclusion? See Answer 2
4. If so:
a) How does this happen? See above
b) Why was this functionality built into the system design? To allow for data to be
corrected if there were any defects found in the system
c) Why would Fujitsu need to use this functionality? As above and under instructions
from Post Office Ltd.
d) What controls are in place to prevent the unauthorised use of this method of access?
This is achieved through a number of industry standard controls (RBAC, 2 factor
authentication etc) which are robustly audited under ISO 27001 / IAS 3402, Link, PCI.
e) When has branch data been accessed in this way in the past? See above
5. In relation to the Winn/Lusher email:
a) What is "message store"? This is the repository (or database) where all transactions
were written to in the old Horizon system
b) Can this be used to access and change branch records? It can be used to access the
records. Data cannot be changed, but new data could be inserted into it. Any such
inserted data would be tightly controlled by operational processes explained above.
c) What is the "impact" of this change on branch records? The impact would depend on
exactly what records were inserted.
d) Would the subpostmaster be aware of this change? Yes, via the trading statement but
spm’s are not required to approve the change, this is provided by Post Office.
e) Why would this method of access be used? To correct errors if a software defect is
identified.
f) What controls are in place to prevent misuse of this method of access? As above.
Regards,
James Davidson
Post Office
Fujitsu
Lovelace Road, Bracknell, RG12 8SN
Mob:
Email: james.davidsor
Web: http://uk.fujitsu.com
Fujitsu is proud to partner with Shelter, the housing and homeless charity
Reshaping ICT, Reshaping Business in partnership with FT.com
consider the environment - do you really need to print this email?
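
Added illustration, not part of the original correspondence and not a description of how Horizon or its audit store is built: a minimal append-only log with sequence numbers and a keyed, chained integrity tag, showing how a verifier can answer the two questions raised in this thread (can a record be altered or deleted, and would that leave a visible trail). All names, the key handling and the sample records are constructed assumptions; the key is assumed to be held by an auditor and not by database administrators.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # link value used by the first entry


def _tag(key, seq, prev, record):
    """Keyed tag over the sequence number, previous tag and record content."""
    body = json.dumps({"seq": seq, "prev": prev, "record": record}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def append(log, key, record):
    """Append-only write: a correction is a new entry, never an edit."""
    seq = len(log) + 1
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"seq": seq, "prev": prev, "record": record,
                "tag": _tag(key, seq, prev, record)})


def head(log):
    """(entry count, last tag): the value to keep outside the database."""
    return (len(log), log[-1]["tag"] if log else GENESIS)


def verify(log, key, anchored_head=None):
    """Return findings; an empty list means no alteration or deletion was found."""
    findings, prev = [], GENESIS
    for position, entry in enumerate(log, start=1):
        if entry["seq"] != position:
            findings.append(f"sequence gap before seq {entry['seq']}")
        if entry["prev"] != prev:
            findings.append(f"broken link at seq {entry['seq']}")
        good = _tag(key, entry["seq"], entry["prev"], entry["record"])
        if not hmac.compare_digest(good, entry["tag"]):
            findings.append(f"tag mismatch at seq {entry['seq']}")
        prev = entry["tag"]
    if anchored_head is not None and head(log) != tuple(anchored_head):
        findings.append("log head differs from anchored head")
    return findings


def demo():
    key = b"constructed-demo-key"  # assumption: held by the auditor, not the DBA
    log = []
    # Constructed sample records, not real data.
    append(log, key, {"branch": "B001", "type": "sale", "amount": 1200, "actor": "counter-1"})
    append(log, key, {"branch": "B001", "type": "sale", "amount": 350, "actor": "counter-1"})
    append(log, key, {"branch": "B001", "type": "correction", "amount": -350,
                      "actor": "support-7", "change_ref": "CHG-EXAMPLE"})
    anchored = head(log)
    altered = copy.deepcopy(log)      # privileged in-place edit made without the key
    altered[0]["record"]["amount"] = 200
    altered[0]["tag"] = hashlib.sha256(b"recomputed without key").hexdigest()
    deleted = copy.deepcopy(log)      # row removed from the middle of the table
    del deleted[1]
    truncated = copy.deepcopy(log)[:2]  # newest row removed
    return {
        "intact": verify(log, key, anchored),
        "altered": verify(altered, key, anchored),
        "deleted": verify(deleted, key, anchored),
        "truncated_no_anchor": verify(truncated, key),
        "truncated_anchored": verify(truncated, key, anchored),
    }
```

In this sketch an inserted correction verifies cleanly and stays visible as its own entry, an in-place edit or mid-log deletion breaks the chain, and removal of the newest entries is only caught when the head value is kept somewhere the database administrators cannot write.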
From: Rodric Williams [mailto:rodric.williams: GRO j
Sent: 17 April 2014 15:25
To: Davidson James
Subject: RE: Strictly Private & Confidential - Subject to Privilege
Thanks James.
Rodric Williams | Litigation Lawyer
From: Davidson James
Sent: 17 April 2014 14:02
To: Rodric Williams
Subject: RE: Strictly Private & Confidential - Subject to Privilege
Rodric,
Just to update, I have a response in draft following a review the technical guys. I have passed this to
legal for review and expect this back this pm. Will advise as soon as I have the go ahead to release.
Regards,
James Davidson
Post Office
Fujitsu
Lovelace Road, Bracknell, RG12 8SN
Mob:
Email: james.davidsort
Web: http://uk.fujitsu.com
From: Rodric Williams [[-
Sent: 14 April 2014 15:59
To: Davidson James
Subject: Strictly Private & Confidential - Subject to Privilege
James,
Could Fujitsu please answer the questions below so that we can respond to a specific challenge put to us
by Second Sight in connection with a Mediation Scheme complaint, namely that:
"the Andy Winn/Alan Lusher email in the case of Ward [...] explicitly states that Fujitsu can remotely
change the figures in the branches without the SPMs’ knowledge or authority".
The Winn/Lusher email is attached. The part of the email in question is:
“Fujitsu have the ability to impact branch records via the message store but have extremely rigorous
procedures in place to prevent adjustments being made without prior authorisation - within POL and
Fujitsu these controls form the core of our court defence if we get to that stage.”
Questions:
6. Can Post Office change branch transaction data without a subpostmaster being aware of the
change?
7. Can Fujitsu change branch transaction data without a subpostmaster being aware of the
change?
8. If not, where is the evidence for this conclusion?
9. If so:
a) How does this happen?
b) Why was this functionality built into the system design?
c) Why would Fujitsu need to use this functionality?
d) What controls are in place to prevent the unauthorised use of this method of access?
e) When has branch data been accessed in this way in the past?
10. In relation to the Winn/Lusher email:
a) What is "message store"?
b) Can this be used to access and change branch records?
c) What is the "impact" of this change on branch records?
d) Would the subpostmaster be aware of this change?
e) Why would this method of access be used?
f) What controls are in place to prevent misuse of this method of access?
Please let me know if it would be easier to address these in a phone call in the first instance.
Kind regards, Rodric
Rodric Williams | Litigation Lawyer
148 Old Street, LONDON, EC1V 9HQ
Postline: 5460 3185
This email and any attachments are confidential and intended for the addressee only. If you are not the
named recipient, you must not use, disclose, reproduce, copy or distribute the contents of this
communication. If you have received this in error, please contact the sender by reply email and then
delete this email from your system. Any views or opinions expressed within this email are solely those of
the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD
STREET, LONDON EC1V 9HQ.
Unless otherwise stated, this email has been sent from Fujitsu Services Limited, from Fujitsu
(FTS) Limited, or from Fujitsu Telecommunications Europe Limited, together "Fujitsu".
This email is only for the use of its intended recipient. Its contents are subject to a duty of
confidence and may be privileged. Fujitsu does not guarantee that this email has not been
intercepted and amended or that it is virus-free.
Fujitsu Services Limited, registered in England No 96056, registered office 22 Baker Street,
London W1U 3BW.
Fujitsu (FTS) Limited, registered in England No 03808613, registered office 22 Baker Street,
London W1U 3BW.
PFU Imaging Solutions Europe Limited, registered in England No 1578652, registered office
Hayes Park Central, Hayes End Road, Hayes, Middlesex, UB4 8FE.
Fujitsu Telecommunications Europe Limited, registered in England No 2548187, registered
office Solihull Parkway, Birmingham Business Park, Birmingham, B37 7YU.
This email and any attachments are confidential and intended for the addressee only. If you are
not the named recipient, you must not use, disclose, reproduce, copy or distribute the contents of
this communication. If you have received this in error, please contact the sender by reply email
and then delete this email from your system. Any views or opinions expressed within this email
are solely those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office:
Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ.
<_DOC_33442637(2)_ DRAFT Remote Access Rider. DOCX>