POL00029791
Strictly confidential, commercially sensitive and legally privileged draft
Initial Complaint Review and Mediation Scheme
Horizon Data
Issue
Second Sight has asked:
“Can Post Office or Fujitsu edit transaction data without the knowledge of a
Subpostmaster?”
This question is often phrased by Applicants as:
"Can Post Office remotely access Horizon?"
Phrasing the question in this way does not address the issue that is of concern to Second
Sight and Applicants. It refers generically to "Horizon" but more particularly is about the
transaction data recorded by Horizon. Also, the word "access" means the ability to read
transaction data without editing it. Post Office / Fujitsu has always been able to access
transaction data; however, it is the alleged capacity of Post Office / Fujitsu to edit transaction
data that appears to be of concern. Finally, it has always been known that Post Office can
remotely post additional, correcting transactions to a branch's accounts in ways that
are visible to Subpostmasters (ie. Transaction Corrections and Transaction
Acknowledgements) — it is the potential for any hidden method of editing data that is of
concern.
In light of these issues, Second Sight and Post Office have therefore agreed the above
reformulation of the question to be addressed.
In summary, Post Office confirms that neither it nor Fujitsu can edit transaction data without
the knowledge of a Subpostmaster.
This document
This document provides a generic response to the general question posed above. It is noted
that, as yet, Second Sight has not presented Post Office with a specific evidenced example of
data irregularities or anomalies that may suggest data integrity issues.
Nevertheless, Post Office is prepared to investigate incidents alleged by claimants as part of
the mediation process providing that each is clearly identified (by at least the date, and
preferably also the approximate time) in an Applicant's Case Questionnaire Response.
This document has been prepared with the assistance of Fujitsu and the Post Office IT&C
Team. Both have approved this document as being accurate.
Response
In simple terms:
- Transactions are recorded in branches by Subpostmasters and their staff.
- The transaction data is transmitted from a branch Horizon terminal to the Post Office
data centre.
- At the data centre, the transaction data is stored on a secured server called the Audit
Store.
- The transaction data in the Audit Store is what is considered to be the source for the
"branch's accounts".
There is no functionality in Horizon for either a branch, Post Office or Fujitsu to edit,
manipulate or remove a transaction once it has been recorded in a branch's
accounts.
The following safeguards are in place to prevent such occurrences:
- Transmission of baskets of transaction data between Horizon terminals in branches
and the Post Office data centre is encrypted.
- Transmission of baskets of transaction data between Horizon terminals in branches
and the Post Office data centre is cryptographically protected through the use of digital
signatures.
- Baskets must net to nil before transmission. This means that the total value of the
basket is nil and therefore the correct amount of payments, goods and services has
been recorded in the basket. Baskets that do not net to nil will be rejected by the
Horizon terminal before transmission to the Post Office data centre.
- Baskets of transactions are either recorded in full or discarded in full — no partial
baskets can be recorded to the Audit Store.
- All baskets are given sequential numbers (known as Journal Sequence Numbers or
JSNs) when sent from a Horizon terminal. This allows Horizon to run a check at the
Data Centre for missing baskets (which triggers a recovery process) or additional
baskets that would cause duplicate numbers (which would trigger an exception error
report to Post Office / Fujitsu).
- All transaction data in the Audit Store is digitally sealed — these seals would show
evidence of tampering if anyone, either inadvertently, intentionally or maliciously, tried
to change the data within a sealed record.
- Automated daily checks are undertaken on JSNs (looking for missing / duplicate
baskets) and on the digital seals (looking for evidence of tampering).
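The safeguards listed above describe a chain of integrity checks: the terminal refuses a basket that does not net to nil, the store refuses a replayed JSN, the store records a basket whole with a seal, and a daily check scans for JSN gaps and broken seals. The following Python model is an added example written for this page; it is not Horizon's, Post Office's or Fujitsu's code. The HMAC-SHA256 seal, the in-memory store, the class and function names and every basket value are constructed assumptions chosen to make the described checks observable on sample data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed key for the illustrative seal; a real audit store would hold such
# a key in a protected key store, never in source.
SEAL_KEY = b"illustrative-audit-store-key"


@dataclass(frozen=True)
class Basket:
    """A basket of transaction lines with its Journal Sequence Number (JSN)."""
    jsn: int
    lines: tuple  # ((description, amount_in_pence), ...)

    def net(self) -> int:
        return sum(amount for _, amount in self.lines)


def terminal_send(basket: Basket):
    """Terminal-side check: a basket that does not net to nil is rejected
    before transmission and never reaches the data centre (returns None)."""
    if basket.net() != 0:
        return None
    return basket


def seal(basket: Basket) -> str:
    """Digital seal over the whole basket (HMAC-SHA256 stands in for the real seal)."""
    payload = json.dumps({"jsn": basket.jsn, "lines": list(basket.lines)},
                         sort_keys=True).encode()
    return hmac.new(SEAL_KEY, payload, hashlib.sha256).hexdigest()


class AuditStore:
    """Append-only store: a basket is recorded in full with its seal, or not at all."""

    def __init__(self):
        self.records = {}  # jsn -> [basket, seal]

    def record(self, basket: Basket) -> str:
        if basket.jsn in self.records:
            return "exception: duplicate JSN"  # would raise an exception report
        self.records[basket.jsn] = [basket, seal(basket)]
        return "recorded"

    def daily_check(self) -> dict:
        """Automated check for missing JSNs (recovery) and broken seals (tampering)."""
        jsns = sorted(self.records)
        missing = ([n for n in range(jsns[0], jsns[-1] + 1) if n not in self.records]
                   if jsns else [])
        tampered = [n for n, (b, s) in sorted(self.records.items())
                    if not hmac.compare_digest(seal(b), s)]
        return {"missing_jsns": missing, "tampered_jsns": tampered}


def demo() -> dict:
    """Runs the checks over constructed baskets and returns each outcome."""
    store = AuditStore()
    out = {}
    # Two well-formed baskets: sale lines balanced by payment lines.
    for b in (Basket(1, (("Stamps sold", 500), ("Cash received", -500))),
              Basket(2, (("Bill payment", 2000), ("Card payment", -2000)))):
        out[f"basket{b.jsn}"] = store.record(terminal_send(b))
    # Basket 3 is constructed as lost in transit, so it is never recorded.
    out["basket4"] = store.record(
        terminal_send(Basket(4, (("Stamps sold", 250), ("Cash received", -250)))))
    # A replayed JSN is refused rather than silently recorded twice.
    out["duplicate"] = store.record(Basket(2, (("Stamps sold", 100), ("Cash received", -100))))
    # An unbalanced basket never leaves the terminal.
    out["unbalanced"] = terminal_send(Basket(5, (("Stamps sold", 100), ("Cash received", -90))))
    out["check_before_edit"] = store.daily_check()
    # Simulate an out-of-band edit of a stored basket that leaves the old seal behind.
    store.records[4][0] = Basket(4, (("Stamps sold", 250), ("Cash received", -150)))
    out["check_after_edit"] = store.daily_check()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The daily check reports JSN 3 as missing both times (the recovery trigger), while the seal mismatch on JSN 4 appears only after the stored record is altered behind the store's API: the seal is recomputed from the current record and compared with the seal captured at recording time, which is what makes an edit to sealed data detectable.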
Questions for FJ:
Page 2 Comments
GT1: I think it is important to distinguish between audit data which is a raw list of detailed
transactions and the branch’s accounts. The logic is that the branch’s accounts are
derived from the transactions; all transactions must be accurately accounted for.
Godeseth Torstein, 04/12/2014 02:30 PM

DJ2: This should be removed as the next paragraph summarises the protection in place and
is more accurate in relation to the question of data integrity
Davidson James, 05/12/2014 11:55 AM

DJ3: The system has been designed so that transaction data cannot be edited, only new
transactions added via standard operating processes. All access to systems are logged
and access is segregated following ISO27001 principles (this is audited annually).
Davidson James, 05/12/2014 11:57 AM

GT4: Again essentially yes. It would be possible for us to retrieve data from the audit store
without doing these checks, but if the data is being used in support of a prosecution or
such like then these checks are always made.
Godeseth Torstein, 04/12/2014 02:48 PM
Although once recorded a transaction cannot be edited or deleted, transactions (including
negative transactions) can be added to a branch's accounts in the following ways only:
Are the three ways below the only ways to affect a branch's accounts?
1 In branch
Branch staff record additional transactions during their normal daily use of Horizon. So
long as they are logging on with their own unique User ID and not sharing User IDs
and passwords within a branch, each transaction will be logged against the user's own
User ID.
Horizon does not include functionality that allows either Post Office or Fujitsu to log on
to a branch terminal of Horizon remotely in order to edit transactions recorded by
branch staff. It is possible for Fujitsu to log on remotely to a branch in order
to provide support and conduct maintenance but this does not allow access to any
functionality that could be used to edit branch data.
There is the capability for Post Office employees to log on to a branch terminal locally
(i.e. by being physically in a branch) using a new User ID and password and then
conduct transactions. This would only be done in special circumstances (such as
when defunding a branch following a branch closure). Any transactions conducted
would be recorded against that new User ID and not against the User ID of any branch
staff.
2 TAs and TCs
Post Office can send transaction acknowledgements (TA) or transaction corrections
(TC) to branches. TAs are used to record transactions that have been processed in
branch through other systems (eg. the sale of Lottery products on the Camelot
terminal) and TCs to correct errors made by branches.
Page 3 Comments
GT5 The system is designed to allow logon only from the branch. We can see a branch’s
data from the centre, but this does not imply that we ‘log on’ to the branch.
Godeseth Torstein, 04/12/2014 02:52 PM
Both TAs and TCs need to be accepted by a user logged into the branch Horizon
terminal before they are recorded in the branch accounts. They are therefore fully
visible to each branch.
3 Balancing Transactions
Fujitsu (but not Post Office) can manually inject a new transaction into a branch's
accounts using the Balancing Transaction Process. This process is used in the event
of an accounting error that cannot be corrected by use of a TA or TC and it is in
accordance with good industry practice to have functionality of this nature in a system
like Horizon.
Does the BT affect the branch's end of trading period balance?
The use of this process is strictly controlled by Post Office. For a transaction to be
manually injected:
These access controls meet industry good practice standards and are audited under
ISO27001 and by LINK (the industry body for ATMs) and PCI (card payment
compliance).
Injected Balancing Transactions are visible in the branch's accounts and so the
injected transaction will be visible to a Subpostmaster. The transaction is also
attributed to a unique transaction ID used only for these type of transactions. It is not
recorded against the User ID of any member of branch staff.
Page 4 Comments
DJ6: Note — it is not possible to edit existing transaction / basket data as detailed earlier.
Davidson James, 08/12/2014 03:54 PM

DJ7: These are new transactions with unique jsn’s and identifiers
Davidson James, 08/12/2014 03:55 PM

DJ8: Note — there are no records held on a branch terminal.
Davidson James, 08/12/2014 03:53 PM

DJ9: See details of incident in March 2010 for details on how this process works
Davidson James, 08/12/2014 03:56 PM

DJ10: Same as above
Davidson James, 08/12/2014 03:56 PM
This process is materially the same for Horizon and Horizon Online.
This use of Balancing Transactions is incredibly rare. Within the Audit Store is an audit
log that automatically records any use of Balancing Transactions. This log shows that
a Balancing Transaction has only been used once in the last 7 years (being the retention
period for the log). A Balancing Transaction was injected on 3 March 2010 and only
affected one branch (FAD code: 226542 - which is not a branch under review in the
Scheme).
Post Office Limited
Page 5 Comments
DJ11 See incident in March 2010 for details
Davidson James, 08/12/2014 03:57 PM
Track Changes

No.  Type    Author, date
1    Change  Davidson James, 08/12/2014 08:25 AM
2    Delete  Davidson James, 08/12/2014 08:21 AM
3    Change  Davidson James, 08/12/2014 08:22 AM
4    Delete  Davidson James, 08/12/2014 08:22 AM
5    Insert  Davidson James, 08/12/2014 08:23 AM
6    Delete  Davidson James, 08/12/2014 08:24 AM
7    Insert  Davidson James, 08/12/2014 08:24 AM
8    Change  Godeseth Torstein, 04/12/2014 02:29 PM
9    Change  Davidson James, 05/12/2014 11:44 AM
10   Change  Davidson James, 05/12/2014 11:44 AM
11   Insert  Godeseth Torstein, 04/12/2014 02:45 PM
12   Insert  Godeseth Torstein, 04/12/2014 02:54 PM
13   Insert  Godeseth Torstein, 04/12/2014 03:11 PM
14   Insert  Godeseth Torstein, 04/12/2014 03:11 PM
15   Insert  Godeseth Torstein, 04/12/2014 03:09 PM
16   Insert  Davidson James, 05/12/2014 12:08 PM
17   Insert  Godeseth Torstein, 04/12/2014 03:10 PM
18   Insert  Davidson James, 08/12/2014 08:33 AM
19   Insert  Godeseth Torstein, 04/12/2014 03:14 PM
20   Insert  Godeseth Torstein, 04/12/2014 03:18 PM
21   Insert  Godeseth Torstein, 04/12/2014 03:14 PM