POL00024991 - Remote access to Horizon Data


1. Remote access to Horizon data

1.1 At several points in your Letter of Reply you contend that Post Office has been tampering with
transaction data, suggest that this is the root cause of shortfalls in branches and allege Post
Office has attempted to cover this up. Although we do not think it appropriate to explore all the
issues raised by these allegations in correspondence, it is necessary to make a few comments.

1.2 At the outset, it is important to bear the following in mind:

1.2.1 No Claimant (nor Second Sight) has identified any change to transaction data that was
effected without a postmaster's knowledge and has caused them loss. If any Claimants
are alleging that the transaction data for their branch was changed, please identify the
Claimants who are saying so and provide details of the allegedly changed data. If not,
in the interests of saving time and costs, please say so.

1.2.2 For data manipulation to be the cause of shortfalls in hundreds of branches since
Horizon has been in operation, there would have to have been a secret coordinated
effort between Post Office and Fujitsu staff to manipulate data over a 16 year period.

1.2.3 We cannot think of a plausible reason why Post Office would manipulate transaction
data in this way. Quite apart from anything else, intentionally changing data to make
branch accounts inaccurate would obviously place Post Office in breach of the
obligations it owes its commercial partners (to whom Post Office accounts for the
transactions it performs for them in the branch network), and also in breach of
numerous regulatory requirements. If nonetheless you or your clients contend that this
has in fact taken place, please plead the details of this alleged fraud with the proper
particularisation required of such allegations.

1.2.4 It is unreal to suggest that Post Office would contemplate doing this essentially
fraudulent activity. It is even more unreal to suggest that Fujitsu, an external supplier
of IT services, would do so. Indeed, you self-evidently do not believe this to be true
because you have not joined Fujitsu to these proceedings as a co-conspirator. If any
Claimants are saying that Fujitsu staff have misused their access rights so as to create
false shortfalls in their branch accounts, this would require a further allegation of fraud,
against Fujitsu, including as to who would have done this, when and why. If your
clients nevertheless wish to proceed with this allegation, it would be incumbent on you
t topleaded with particularity.

1.3 It is also important to assess the statements that Post Office has made about "remote access" in
their proper context. The questions around "remote access" have changed over time. For
example, in the context of Second Sight's involvement between 2012 and 2015:

1.3.1 The original "remote access" allegation came from Mr Michael Rudkin who alleged
(see Spot Review 5) that Fujitsu was running a "black ops centre" from the basement
of its office in Bracknell. This was checked and proven to be wrong (in a witness
statement, a member of staff from Fujitsu confirmed that there was no live connection
to Horizon in the basement at Bracknell). (I think you need to be careful saying “there
is no live connection” — I'd be very surprised technically if there wasn't unless you are
being very specific about the room in question and it has NO access to anything.
Technically — it's hard to define what we mean by no live access — at the same time, it's
a FJ statement so that could be fine!)

1.3.2 A different issue was subsequently raised, namely whether Post Office could access
Horizon branch data. Post Office has always had the ability to "access" (in terms of
having read only access) Horizon data and it took some time to clarify with Second
Sight what they were querying.

Bond Dickinson LLP is a limited liability partnership registered in England and Wales under number OC317661. VAT registration number is
GB123393627. Registered office: 4 More London Riverside, London, SE1 2AU, where a list of members’ names is open to inspection. We use the
term partner to refer to a member of the LLP, or an employee or consultant who is of equivalent standing. Bond Dickinson LLP is authorised and
regulated by the Solicitors Regulation Authority.

4A_34430501_1

1.3.3 At times the question was asked whether Post Office could remotely log on to a branch
terminal and conduct transactions in the name of a postmaster. Investigations at the
time determined that Post Office could not do this but Fujitsu could log on to branch
terminals in order to provide technical support, though transactions could not be
conducted through this route.

1.3.4 Towards the end of Second Sight's investigations, the question shifted to whether Post
Office or Fujitsu could post transactions into a branch's accounts through back-end
systems without a postmaster's knowledge. This is the Balancing Transactions issue
that is addressed below and it was disclosed to Second Sight.

1.3.5 Finally, when preparing our Letter of Response, we identified the issue of potential
access to Horizon databases in a way which could change branch accounts. Post
Office regrets that it did not previously identify the possibility that Fujitsu staff with
certain administrator access rights could potentially do this; however noting that it
would be very difficult and potentially detectable.

1.4 It should also be noted that a number of the above enquiries and Post Office's responses were
describing the functions of the Horizon system as it was designed, not what Horizon could be
changed to do or show using Fujitsu's administrator access discussed further below.

1.5 At each stage an issue arose, Post Office acted in good faith to ascertain the position to respond
to the question it believed it was being asked and to reveal what it had found. In doing so, Post
Office may have made some incorrect statements, but refutes any suggestion that it ever did so
deliberately or did so to mislead or deceive. (not sure about this sentence — I don’t believe you've
answered inappropriately in the past)

1.6 The Post Office personnel responsible for those statements believed the statements when they
were made. What was said reflected what they understood the position to be after making
relevant enquiries. Unfortunately, they did not pick up on the issue of Fujitsu administrator access
as Post Office would have liked. This is a matter of great regret, but it does not mean that Post
Office exhibited wilful blindness or reckless indifference to the truth of those statements. (I think
this is too much). Can we not just say.

The Post Office responded appropriately to the question of whether transactions could be altered
by Post Office without the postmaster's knowledge — the answer to this question is consistently
the same - it is not possible. Expanding on this — it is possible for FJ to access the system
through administrator access, which they have confirmed. This is not unusual and is in common
with any other organisation. You would need to discuss with them their ability to modify
transactions; our expert assessment would say that this is extremely difficult but theoretically
possible.

1.7 In any event, there is no suggestion that Post Office made any incorrect statements before
Second Sight began its work in 2012. By this time, many of the Claimants had left their branches
and so could not have relied on such statements. Indeed, you have presented no material to
suggest that any postmaster has relied on any such statements by Post Office or suffered loss as
a result.

1.8 The simple fact is that, while allegations about secret data manipulation may make good
headlines, they have no substance.

1.9 Post Office has neither committed deceit nor deliberately concealed any relevant matter.
Depending on the particular statements made and the particular Claimants to whom those
statements were made, it has either not made any untrue statements or, even if untrue
statements were made to any particular Claimants, those statements (i) were not deceitful, (ii)
related to a matter (Fujitsu administrator access) which there is no reason to think caused any
shortfalls in any branches, (iii) were not relied on by the relevant Claimant in any material way
and/or (iv) did not cause any Claimant any loss or damage.

1.10 Nevertheless, given the prominence which the Claimants appear to place on these allegations, in
connection with this litigation Post Office has undertaken further investigations into the
safeguards put in place to prevent branch data being improperly accessed and edited without the
consent or knowledge of Postmasters. These investigations have focused on Horizon Online
being the version deployed in 2010 and which is still in service. Further investigation will be
needed of Old Horizon, but this will be much more difficult given that the system has not been in
service for 6 years.

1.11 Except for Global User access and Balancing Transactions, the transactions recorded on Horizon
Online that make up a branch's accounts are either inputted or approved by branch staff before
they form part of the relevant accounts. We discuss below these two functions and also the
database access rights available to certain Fujitsu personnel.

Global Users

1.12 We addressed Global Users in our Letter of Response. The ability of Post Office staff to log on to
terminals when physically in a branch has always been known to postmasters and their actions
have always been entirely visible to postmasters.

1.13 If any Claimants are alleging that a Global User inappropriately conducted transactions whilst in
their branch, please identify the Claimants who are doing so and provide details of their
allegation. If not, in the interests of saving time and costs, please say so.

Balancing Transactions

1.14 We also addressed Balancing Transactions in our Letter of Response. Any Balancing
Transactions input into the Branch Database¹ are identifiable by Postmasters as they appear on
the transaction log report to which Postmasters have access (and which they should review when
considering a shortfall in the branch accounts). The transaction user ID does not appear as that
of any member of staff at the branch, but appears as “SUPPORTTOOLUSER9Q9”.

1.15 The use of Balancing Transactions was disclosed to Second Sight during the mediation scheme.
In addition, the fact that Balancing Transactions show up in the branch accounts means that
there can be no allegation that the existence of Balancing Transactions was concealed from
Claimants.

1.16 Post Office is not aware of any case in which a Balancing Transaction has been the root cause of
a shortfall suffered by any Claimant. If any Claimants are alleging otherwise, please identify the
Claimants who are doing so and provide details of their allegation. If not, now is the time to say
so.

Fujitsu administrator access

1.17 In common with all other similar organisations, there are a number of authorised staff at Fujitsu
who have "administrator access" to the core Horizon systems. In certain circumstances, this
access could in principle be used to change parts of Horizon, including the raw data in its
databases that reflect transaction records.

1.18 Although this would be very difficult to do in practice and of questionable benefit to anyone who
tried, changes could in theory be made to the Branch Database which could then manifest as a
discrepancy in a branch's real-world accounts. Unsurprisingly, there are a significant range of
controls in place to limit access to this data and to make it very difficult (and in many cases
impossible) to add, amend or delete data without leaving an audit trail in the system. These
controls will of course be subject to further investigation and evidence in the course of these
proceedings should your clients choose to pursue these allegations on a properly particularised
basis. (I think these two statements are sufficient)

¹ In Horizon Online, the Branch Database holds the live version of the transaction data used in day to
day operations. It is located on a server in a central data centre. Transaction data (other than the
immediate data for a transaction being conducted in real time with a customer) is not held locally on
terminals in branches. For example, when a postmaster in a branch requests on his local Horizon
terminal a list of all the transactions conducted on a specific day, this data is drawn from the Branch
Database and sent over the internet to the terminal in the branch. A similar flow of data happens when
conducting transactions and rolling over a branch's accounts.

Other questions

1.19 Finally, turning to the other related questions asked in your letter:

1.19.1 At paragraph 194 you ask whether the Courts have ever been informed about "remote
access" issues. Post Office is fully aware of its ongoing prosecution disclosure duties
and will make such disclosures (if any) where appropriate.

1.19.2 In response to paragraph 195, Post Office was aware following Professor McLachlan's
evidence in Court of a number of issues that could, in a broad sense, be described as
concerns over Post Office's investigation into the Misra case. However, this evidence
was ventilated before a judge and jury and Seema Misra was convicted of theft. It is
not appropriate to comment on this further while the prosecution of Mrs Misra is being
considered by the Criminal Cases Review Commission.