POL00024875
POL00024875
1. Remote access to Horizon data
14 At several points in your Letter of Reply you contend that Post Office has been tampering with
transaction data, suggest that this is the root cause of shortfalls in branches and allege Post
Office has attempted to cover this up. Although we do not think it appropriate to explore all the
issues raised by these allegations in correspondence, it is necessary to make a few comments.
1.2 At the outset, it is important to note that:
1.2.1 No Claimant (nor Second Sight) has identified any change to transaction data that was
effected without a postmaster's knowledge and has caused them loss. If any
Claimants are alleging that the transaction data for their branch was changed, please
identify the Claimants who are saying so and provide details of the allegedly changed
data. If not, in the interests of saving time and costs, please say so.
1.2.2 For data manipulation to be the cause of shortfalls in hundreds of branches since
Horizon has been in operation, there would have to have been a surreptitious and
coordinated effort between Post Office and Fujitsu staff to manipulate data over a 16
year period.
1.2.3 We cannot think of a plausible reason why Post Office would manipulate transaction
data in this way. Quite apart from anything else, intentionally changing data to make
branch accounts inaccurate would obviously place Post Office in breach of the
obligations it owes its commercial partners (to whom Post Office accounts for the
transactions it performs for them in the branch network), and also in breach of
numerous regulatory requirements. If nonetheless you or your clients contend that this
has in fact taken place, please plead the details of this alleged fraud with the proper
particularisation required of such allegations.
1.2.4 It is illusory to suggest that Post Office would contemplate perpetrating a fraud of this
sort. It is even more unreal to claim that Fujitsu, an external supplier of IT services,
would do so. In this regard, we note that you have not joined Fujitsu to these
proceedings as a co-conspirator. Nevertheless, if any Claimants are saying that
Fujitsu staff have misused any access rights so as to create false shortfalls in their
branch accounts, this would require a further allegation of fraud against Fujitsu, which
would involve pleading who would have done this, when and why.
1.3 It is also important to assess the statements that Post Office has made about “remote access” in
their proper context. The questions around "remote access” have changed over time, particularly
during Second Sight’s engagement:
1.3.1 The first "remote access" allegation identified by Second Sight came from Mr Michael
Rudkin who claimed (see Spot Review 5) that Fujitsu was running a "black ops centre”
from the basement of its office in Bracknell. This was checked and proven to be wrong
(in a witness statement that was provided to Second Sight, a member of staff from
Fujitsu confirmed that the test environment in the basement at Bracknell was not
connected to the live Horizon system).
1.3.2 A different issue was subsequently raised, namely whether Post Office could access
Horizon branch data. Post Office has always had the ability to "access" (in terms of
having read only access) Horizon data and it took some time to clarify with Second
Sight what they were querying.
1.3.3 At times it was asked whether Post Office could remotely log on to a branch terminal
and conduct transactions in the name of a postmaster. Investigations at the time
determined that Post Office could not do this but Fujitsu could log on to branch
Bond Dickinson LLP is a limited liability partnership registered in England and Wales under number 0C317661. VAT registration number is
GB123393627. Registered office: 4 More London Riverside, London, SE1 2AU, where a list of members’ names is open to inspection. We use the
term partner to refer to a member of the LLP, or an employee or consultant who is of equivalent standing. Bond Dickinson LLP is authorised and
regulated by the Solicitors Regulation Authority.
4A_34439504_3
POL00024875
POL00024875
terminals in order to provide technical support, though transactions could not be
conducted through this route.
1.3.4 A further question was whether Post Office or Fujitsu could add transactions into a
branch's accounts through back-end systems without a postmaster'’s knowledge. This
is the Balancing Transaction issue that is addressed below and that was disclosed to
Second Sight.
1.3.5 When preparing our Letter of Response, we identified the theoretical potential for
Fujitsu administrators to access Horizon databases in a way which could change
branch accounts. This is discussed in more detail below. Post Office regrets that it did
not previously identify this possibility even though it is unreal to suggest that this is a
true factor behind the shortfalls suffered by any postmasters.
1.4 At each stage, Post Office ascertained the position to respond to the questions it believed it was
being asked. With the benefit of hindsight, some of Post Office's statements may have been
incorrect in light of what has since been identified in relation to Fujitsu's administrator access
rights (see below). But Post Office refutes any suggestion that it ever made false statements
deliberately or did so to mislead, deceive or conceal. The Post Office personnel responsible for
those statements made them in good faith: what was said reflected what they understood the
position to be after they had made relevant enquiries at the time.
1.5 In any event, there is no suggestion that Post Office made any incorrect statements before
Second Sight began its work in 2012. By this time, many of the Claimants had left their branches
and so could not have relied on such statements. Indeed, you have presented no material to
suggest that any postmaster has relied on any such statements by Post Office or suffered loss as
a result.
1.6 Nevertheless, given the prominence which the Claimants appear to place on these allegations, in
connection with this litigation Post Office has undertaken further investigations into whether
Global Users, Balancing Transactions and Fujitsu administrator access could be behind the
shortfalls you allege. These investigations have focused on Horizon Online, being the version
deployed in 2010 and which is still in service.
1.6.1 Except for Global User access and Balancing Transactions, the transactions recorded
on Horizon that make up a branch's accounts are either input or approved by branch
staff before they form part of the relevant accounts.
(a) We addressed Global Users in our Letter of Response. The ability of Post Office
staff to log on to terminals when physically in a branch has always been known to.
postmasters and their actions have always been entirely visible to postmasters.
(b) We also addressed Balancing Transactions in our Letter of Response. Any
Balancing Transactions input into the Branch Database’ are identifiable by
Postmasters as they appear on the transaction log report to which Postmasters
have access (and which they should review when considering a shortfall in the
branch accounts). The transaction user ID does not appear as that of any
member of staff at the branch, but appears as “SUPPORTTOOLUSERQ9”.
(c) The existence of Balancing Transactions was disclosed to Second Sight during
the mediation scheme. In addition, the fact that Balancing Transactions show up
1 In Horizon Online, the Branch Database holds the live version of the transaction data used in day to
day operations. It is located on a server in a central data centre. Transaction data (other than the
immediate data for a transaction being conducted in real time with a customer) is not held locally on
terminals in branches. For example, when a postmaster in a branch requests on his local Horizon
terminal a list of all the transactions conducted on a specific day, this data is drawn from the Branch
Database and sent over the internet to the terminal in the branch. A similar flow of data happens when
conducting transactions and rolling over a branch's accounts.
4A_34439504_3 2
POL00024875
POL00024875
in a branch's accounts means that there can be no allegation that the existence of
a Balancing Transaction was concealed from a Claimant.
(d) If any Claimants are alleging that a Global User improperly conducted
transactions whilst in a branch or that a Balancing Transaction was the root cause
of a shortfall (or that Post Office tried to conceal either of these), please identify
the Claimants who are doing so and provide details of their allegation. If not, now
is the time to say so.
1.6.2 In relation to Fujitsu's administrator access:
(a) There are certain circumstances where this access could in principle be used to
change parts of Horizon, including the raw data in its databases that reflect
transaction records. Although this would be very difficult to do in practice and
would be of questionable benefit to anyone who tried, changes could in theory be
made to the Branch Database which could then manifest as a discrepancy in a
branch's real-world accounts.
(b) There are a significant range of controls in place to limit access to this data and to
make it very difficult (and in many cases impossible) to add, amend or delete data
without leaving an audit trail in the system.
(c) Post Office therefore denies that Fujitsu's administrator access has been misused
so to cause the shortfalls attributed to any Claimant.
(d) It should also be noted that a number of Post Office's historic statements were
describing the functions of the Horizon system as designed, not what Horizon
could be changed to do or show using Fujitsu's administrator access. In the
context of those statements, administrator access was not a relevant
consideration. As stated above, the context behind each statement is of
paramount importance.
1.7 The simple fact is that, while allegations about data manipulation may make good headlines, they
have no substance. It is fanciful to contend that there was a conspiracy between Post Office and
Fujitsu to manipulate data in order to deliberately cause false shortfalls to appear in Post Office
branches. Taking a step back and assessing the realities of this case sensibly, there is no
credible material to support such allegations, but only supposition about what Horizon might in
theory be able to do.
1.8 Turning to the other related questions asked in your letter:
1.8.1 At paragraph 194 you ask whether the Courts have ever been informed about "remote
access" issues. Post Office is fully aware of its ongoing prosecution disclosure duties
and will make such disclosures (if any) where appropriate.
1.8.2 In response to paragraph 195, Post Office was aware following Professor McLachlan's
evidence in Court of a number of issues that could, in a broad sense, be described as
concerns over Post Office's investigation into the Misra case. However, this evidence
was ventilated before a judge and jury and Seema Misra was convicted of theft. It is
not appropriate to comment on this further while the prosecution of Mrs Misra is being
considered by the Criminal Cases review Commission.
4A_34439504_3 3