POL00025320 - Email from Jane MacLeod to Andrew Parsons, Patrick Bourke, Thomas P Moran and others Re: Strictly Private & Confidential - Subject to Litigation Privilege.

Message
From: Jane MacLeod
Sent: 26/07/2016 13:44:54
To: Parsons, Andrew
cc: Rodric Williams; Patrick Bourke; Thomas P Moran; Tom Wechsler; Mark R Davies; orfield; ela Van-Den-Bogerd; Rob Houghton

Subject: Strictly Private & Confidential - Subject to Litigation Privilege

Attachments: 160721 Statements Remote Access.docx

Andy

I briefed our Group Executive this morning on the progress on the litigation and the planned positioning of the various
issues in the response letter due to be sent to Freeths at the end of the week. In particular, I commented on the issues
around the response to the remote access issue.

As expected there was significant concern around the apparent change in emphasis from previous public
statements, the resultant adverse publicity this may create, and the impact this may have on new ministers etc, who
will not have been briefed. The conclusion to the discussion was that we should include a statement in the letter as
planned, however we should re-consider the phrasing of this.

In responding to Freeths, we need to be cognisant of the following:

1. What did Fujitsu actually tell us about remote access?

* I haven’t as yet seen any further analysis on what statements we have received from FJ, however Mark U
found the email trail (below) last week.

* My (layman’s) interpretation is that what FJ said below is narrower than what we now believe to be the
case, and narrower than what we are now proposing to say. The FJ response below says you can add
records (which would be visible via the audit trail) but infers that records can’t be changed or deleted.

2. What we have previously said publicly?

* Mark collated a range of statements (attached) which can be summarised by the statement made to
Panorama “Neither Post Office nor Fujitsu can edit the transactions as recorded by branches. Post Office can
correct errors in and/or update a branch's accounts by inputting a new transaction (not editing or removing
any previous transactions)”.

In essence therefore the difference would appear to turn on whether FJ can alter or delete records (a) at all;
and (b) if the answer to (a) is yes, and it does so, is there a visible audit trail? My understanding of
Deloitte’s initial findings is that the answer to (a) is yes and to (b) is ‘not necessarily’.

3. Assuming the above is correct, we must then consider how to position our statement in the response to Freeths.

For the avoidance of doubt, I understand the proposed statement to be:

“Database and server access and edit permission is provided, within strict controls, to a small, controlled number of
specialist Fujitsu personnel. Use of these permissions is logged but rare. [Enquiries are continuing as to whether this
particular form of access could be used to affect a branch's accounts, and if so, whether this has happened.]”

The challenge is whether we include the final sentence in square brackets. While this is the key issue from a legal
perspective as it goes to causation, the statement flags that we are concerned enough about it that we are doing
further work on it. So, my question is do we really need the final sentence? If as a result of the Deloitte work we
discover that the actual position is different from that which we have said already, then we will need to correct it in any
event. Do we gain anything by flagging the fact of this work now?

POL-0021799

Separately, Paula has suggested that she speaks to the UK CEO of Fujitsu (Duncan Tait), and my suggestion would be that
she:

* alerts him to the fact and timing of the response letter

* notes that the question of remote access is still a live issue and major concern to the claimants

* notes the work being undertaken by Deloitte to review access rights and controls,

* expresses the desire that FJ [continue to] work constructively with Deloitte, and

* flags that if the Deloitte work uncovers a different position to that which FJ and PO have publicly stated over
the years, then we will need to consider carefully how to manage the impact given that ultimately, the
outcome of such work will become public.

I'd be grateful for your thoughts.

PO team — the above is to keep you informed. In light of the sensitivity of the issues please do not forward. Any
questions should be addressed to Andy, Rod or me in order to preserve privilege.

Thanks,

Jane

Jane MacLeod
General Counsel
Ground Floor

20 Finsbury Street
LONDON

EC2Y 9AQ

Mobile number

From: Mark Underwood
Sent: 19 July 2016 11:13
To: Patrick Bourke; Jane MacLeod; Rodric Williams
Cc: Parsons, Andrew
Subject: FW: Strictly Private & Confidential - Subject to Privilege arising from M008 - Rivenhall

In reading through the LOR and pulling together bits for it, I stumbled across the below email for James Davidson (then
of Fujitsu)

I thought I would share as it may prove useful further down the line — depending where we get to with Deloitte on
‘Remote Access’.

Mark

From: Mark Underwood
Sent: 08 December 2! 12:42
To: Mark Underwood
Subject: FW: Strictly Private & Confidential - Subject to Privilege arising from M008 - Rivenhall

From: Davidson James

Sent: 17 April 2014 16:27

To: Rodric Williams

Cc: Harvey Michael; Newsome Pete

Subject: RE: Strictly Private & Confidential - Subject to Privilege


Rodric,
Please see Fujitsu’s response below.
Summary:

* There is no ability to delete or change records a branch creates in either old Horizon or Horizon online.
Transactions in both systems are created in a secure and auditable way to assure integrity, and have either
a checksum (Old Horizon) or a digital signature (Horizon Online), are time stamped, have a unique sequential
number and are securely stored via the core audit process in the audit vault

* Whilst a facility exists to ‘inject’ additional transactions in the event of a system error, these transactions would
have a signature that is unique, sub-postmaster id’s are not used and the audit log would house a record of
these. As above, this does not delete or amend original transactions but creates a new and additional
transactions

* This facility is built into the system to enable corrections to be made if a system error / bug is identified and the
master database needs updating as a result, this is not a unique feature of Horizon

* Approvals to ‘inject’ new transactions are governed by the change process, 2 factor authentications and a ‘four
eyes’ process. A unique identifier is created and can be audited for this type of transaction within HNGX, Horizon
would require more extensive work to investigate as explained below.

1. Can Post Office change branch transaction data without a subpostmaster being aware of the change? No

2. Can Fujitsu change branch transaction data without a subpostmaster being aware of the change? Once created,
branch transaction data cannot be changed, only additional data can be inserted. If this is required, the
additional transactions would be visible on the trading statements but would not require acknowledgement /
approval by a sub-postmaster, the approval is given by Post Office via the change process. In response to a
previous query Fujitsu checked last year when this was done on Horizon Online and we found only one
occurrence in March 2010 which was early in the pilot for Horizon Online and was covered by an appropriate
change request from Post Office and an auditable log. For Old Horizon, a detailed examination of archived
data would have to be undertaken to look into this across the lifetime of use. This would be a significant and
complex exercise to undertake and discussed previously with Post Office but discounted as too costly and
impractical.

3. If not, where is the evidence for this conclusion? See Answer 2
4. If so:

a) How does this happen? See above

b) Why was this functionality built into the system design? To allow for data to be corrected if there were
any defects found in the system

c) Why would Fujitsu need to use this functionality? As above and under instructions from Post Office Ltd.

d) What controls are in place to prevent the unauthorised use of this method of access? This is achieved
through a number of industry standard controls (RBAC, 2 factor authentication etc) which are robustly
audited under ISO 27001 / IAS 3402, Link, PCI.

e) When has branch data been accessed in this way in the past? See above

5. In relation to the Winn/Lusher email:

a) What is "message store"? This is the repository (or database) where all transactions were written to in
the old Horizon system

b) Can this be used to access and change branch records? It can be used to access the records. Data
cannot be changed, but new data could be inserted into it. Any such inserted data would be tightly
controlled by operational processes explained above.

c) What is the "impact" of this change on branch records? The impact would depend on exactly what
records were inserted.

d) Would the subpostmaster be aware of this change? Yes, via the trading statement but spm’s are not
required to approve the change, this is provided by Post Office.

e) Why would this method of access be used? To correct errors if a software defect is identified.

f) What controls are in place to prevent misuse of this method of access? As above.

Regards,
James Davidson
Post Office
Fujitsu

Fujitsu is proud to partner with Shelter, the housing and homeless charity

Reshaping ICT, Reshaping Business in partnership with FT.com

Please consider the environment - do you really need to print this email?

From: Rodric Williams

Sent: 17 April 2014 15:25
To: Davidson James
Subject: RE: Strictly Private & Confidential - Subject to Privilege

Thanks James.

Rodric Williams | Lit


From: Davidson James
Sent: 17 April 2014 14:02

To: Rodric Williams

Subject: RE: Strictly Private & Confidential - Subject to Privilege

Rodric,

Just to update, I have a response in draft following a review the technical guys. I have passed this to legal for review and
expect this back this pm. Will advise as soon as I have the go ahead to release.

Regards,

James Davidson
Post Office

Fujitsu


From: Rodric Williams
Sent: 14 April 2014 15:59
To: Davidson James

Subject: Strictly Private & Confidential - Subject to Privilege

James,

Could Fujitsu please answer the questions below so that we can respond to a specific challenge put to us by Second
Sight in connection with a Mediation Scheme complaint, namely that:

“the Andy Winn/Alan Lusher email in the case of Ward [...] explicitly states that Fujitsu can remotely change the figures in
the branches without the SPMs’ knowledge or authority".

The Winn/Lusher email is attached. The part of the email in question is:
“Fujitsu have the ability to impact branch records via the message store but have extremely rigorous procedures in place
to prevent adjustments being made without prior authorisation - within POL and Fujitsu these controls form the core of
our court defence if we get to that stage.”
Questions:

6. Can Post Office change branch transaction data without a subpostmaster being aware of the change?

7. Can Fujitsu change branch transaction data without a subpostmaster being aware of the change?

8. If not, where is the evidence for this conclusion?


9. If so:

a) How does this happen?

b) Why was this functionality built into the system design?

c) Why would Fujitsu need to use this functionality?

d) What controls are in place to prevent the unauthorised use of this method of access?
e) When has branch data been accessed in this way in the past?

10. In relation to the Winn/Lusher email:
a) What is “message store"?
b) Can this be used to access and change branch records?
c) What is the "impact" of this change on branch records?
d) Would the subpostmaster be aware of this change?
e) Why would this method of access be used?
f) What controls are in place to prevent misuse of this method of access?
Please let me know if it would be easier to address these in a phone call in the first instance.

Kind regards, Rodric

Rodric Williams | Litigation Lawyer

148 Old Street, LONDON, EC1V 9HQ

Postline:

This email and any attachments are confidential and intended for the addressee only. If you are not the named recipient,
you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have received this in
error, please contact the sender by reply email and then delete this email from your system. Any views or opinions
expressed within this email are solely those of the sender, unless otherwise specifically stated.

POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET,
LONDON EC1V 9HQ.

Unless otherwise stated, this email has been sent from Fujitsu Services Limited, from Fujitsu (FTS) Limited, or
from Fujitsu Telecommunications Europe Limited, together "Fujitsu".

This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may
be privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it is virus-free.


Fujitsu Services Limited, registered in England No 96056, registered office 22 Baker Street, London W1U
3BW.

Fujitsu (FTS) Limited, registered in England No 03808613, registered office 22 Baker Street, London W1U
3BW.

PFU Imaging Solutions Europe Limited, registered in England No 1578652, registered office Hayes Park
Central, Hayes End Road, Hayes, Middlesex, UB4 8FE.

Fujitsu Telecommunications Europe Limited, registered in England No 2548187, registered office Solihull
Parkway, Birmingham Business Park, Birmingham, B37 7YU.


POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: Finsbury Dials,
20 Finsbury Street, London EC2Y 9AQ.
