POL00030155
Message
From: Rob Houghton GRO
on behalf of Rob Houghton
Sent: 21/05/2019
To: Julie Thomas; Michael Passmore
Cc: Zoe Brauer
Subject: RE: Global user access issue
For clarification — has this been done now?
• I’ve spoken to Fujitsu and have a list of all admin users (Pol people) and
engineers and when they last logged on. This will give the auditor the clarification
that whilst there may have been names on the list who have left the Business, we
can demonstrate that they have not logged onto an Horizon kit since they left.
Are we confident that whilst the controls have been ineffectively managed that there has been no breach or usage. Echo
Micheals point that even if they did get on — what could happen?
Can we also state how many users we’re talking about and whether those that are still in employment need that access
(and if they don’t whether they’ve used it).
I think there will be a collective sigh (despite the controls issue) if we can demonstrate before the ARC that there has
been no exposure.
R
From: Julie Thomas
Sent: 21 May 2019 0:
To: Rob Houghton
GRO.
Michael Passmore
Kim Abbotts
I’ve now received a full update from Kendra Dickenson in the Branch Support Centre team.
The work to give global user access to Trainers and Auditors was as part of HNGX and it saved the field teams needing to
get temp passwords set up per audit or training intervention, so operationally, it’s a good thing. When first introduced,
NBSC simply managed the requests which were actioned by FJ, but the ability to set up access transferred to NBSC last
summer from FJ as an IT project.
I don’t believe proper JML controls were put in place as part of the handover and therefore we need to clean up the user
list and then implement appropriate controls going forward.
Kendra now has a number of immediate actions:
• I will arrange to sanitise the list based on those we know have left the Business.
• Rebecca is speaking to Computacenter to understand how they can ensure the list
of engineers is brought up to date and is monitored moving forward.
• I’ve spoken to Fujitsu and have a list of all admin users (Pol people) and
engineers and when they last logged on. This will give the auditor the clarification
that whilst there may have been names on the list who have left the Business, we
can demonstrate that they have not logged onto an Horizon kit since they left.
• We will review this list against those names who have left the business and
provide the final version to Rebecca and Joy who will then update from what they
have via Computacenter and HR leavers.
POL-0026637
I trust this answers the questions, but please feel free to pick up directly with Kendra for any follow up questions or
further information as she is owning this on my behalf.
Kind regards,
Julie
Julie Thomas
Operations Director
Post Office Ltd
Finsbury Dials.
London
EC2Y 9AQ
Advance notice of leave: 11 - 26 June incl.
From: Rob Houghton
Sent: 16 May 2019 21:33
To: Ben Foat; Michael Passmore; Mick Mitchell; Julie Thomas
Cc: Rodric Williams; Kenneth Garvey; Zoe Brauer
Subject: Re: Global user access issue
Checking in on this. Have we got the answers yet or know when we will - conscious of the upcoming audit
committee?
R
From: Ben Foat
Sent: 14 May 2019 16:32
To: Michael Passmore; Rob Houghton; Mick Mitchell; Julie Thomas
Cc: Rodric Williams; Kenneth Garvey; Zoe Brauer
Subject: RE: Global user access issue
Thanks Michael
In order to answer the question, we need to know:
- what access and the rights permissions the user(s) had which they shouldn't have
- what system are they accessing and what could they do (ie delete, amend, etc).
At a high level, the horizon system captures the transaction data from counters to the data centre to the Audit Store.
This is the horizon system (which is subject to the appeal). The GLO considers whether there are coding or rule breaches
that undermine the credibility of the system itself or is it the operating procedures of Fujitsu etc or indeed there is no
issue at all.
What we need to find out is whether the inappropriate accessing of the information relates to the horizon system (live
environment) or rather just the data centre which produces various reports and data feeds which is utilised by various
parts of the business. Depending on that then we can hopefully rule out GLO issues but the remaining JML etc incident
remains and needs to be remediated.
As an aside, I understand that Deloitte looked at this several years ago and I don’t think it was raised with the general
process but the above questions should be answered.
I hope that helps. I’ve copied in Rod and Ken in my team who can support.
Zoe - just FYI
Kind regards
Ben
Ben Foat
Legal Director
Ground Floor
20 Finsbury
Street
LONDON
EC2Y 9AQ
This email and any attachments are confidential and intended for the addressee only. If you are not the named recipient, you must
not use, disclose, reproduce, copy or distribute the contents of this communication. If you have received this in error, please contact
the sender by reply email and then delete this email from your system. Any views or opinions expressed within this email are solely
those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: Finsbury Dials, 20 Finsbury Street, London,
EC2Y 9AQ.
From: Michael Passmore
Sent: 14 May 2019 15:56
Mick Mitchell
Cc: Ben Foat
Subject: Re
Looping in Ben.
Al has asked if this is a GLO impacting issue.
Finance Director, Post Office Limited
From: Rob Houghton
Sent: Tuesday, May 14, 2019 2:29 pm
To: Mick Mitchell; Julie Thomas
Cc: Michael Passmore
Subject: Fwd: Global user access issue
Folks - scroll to the bottom. This will be reported into the arc and will get a lot of heat and light because the jml
issue always causes concern and this potentially demonstrating we don't have the right controls in place. So
three things that hit me:
1) Let's urgently close down any outstanding issues with people that have left and still have access... Whose
responsibility?
2) What's gone wrong? what control issues do we have? Need to get ahead of this before the arc
3) How do we give comfort to the arc that we are in control on jml given this.
Is it your guys?
Rob
From: Rob Houghton
Sent: Tuesday, 14 May, 10:36
Subject: RE: Global user access issue
To: Rebecca Barker
Are they aware?
From: Rebecca Barker
Sent: 14 May 2019 10:36
To: Rob Houghton
Subject: RE: Global user access issue
Julie Thomas area
Rebecca Barker
Head of IT & Digital Risk
Legal Risk & Governance
No.1 Future Walk
Chesterfield
S49 1PF
From: Rob Houghton
Sent: 14 May 2019 10:04
To: Rebecca Barker
Subject: RE: Global user access issue
Who do they work for?
From: Rebecca Barker
Sent: 13 May 2019 17:58
To: Somita Yogi
GRO
Catherine Hamilton Michael Passmore
Cc: Tom Lee
Subject: RE: Global user access issue
Hi Michael
The global user access process is managed by Shaun Turner/Kendra Dickinson’s teams
Regards
Rebecca Barker
Head of IT & Digital Risk
Legal Risk & Governance
No.1 Future Walk
Chesterfield
S49 1PF
From: Somita Yogi
Sent: 13 May 2019 17:48
Subject: Re: Global user access issue
Hi Michael,
Thanks for your email and please clarify which system is it as DCoE team looks after CFS, BI, SF etc though
not after Horizon, CDP etc.
Many thanks,
Somita Yogi
Director of MI, Data Strategy and Analytics
From: Michael Passmore
Sent: Monday 13 May, 17:40
Subject: FW: Global user access issue
To: Rob Houghton, Catherine Hamilton
Cc: Rebecca Barker, Tom Lee, Somita Yogi
Hi both,
Are you aware of the below? Not picked up by EY previously; feels like this should be managed in the MI team
(which doesn’t stop the audit issue point that will be raised).
Not great...
Micheal
Micheal Passmore
Finance Director, Post Office Ltd
1st Floor,
20 Finsbury Street,
London EC2Y 9AQ
Mob:
From: Tom Lee
Sent: 13 May 2019 17:38
To: Michael Passmore
Subject: FW: Global user access issue
From: Rebecca Barker
Sent: 10 May 2019 13:29
To: Tom Lee
Subject: RE: Global user access issue
Hi tom
At the moment all I know is:
PWC met with Jane Smith from the branch management team in NBSC, Jane’s team manage the Global User
access process.
I believe they have a list of users that are active, but when PWC asked if that person is still in employment with
the business the search on active directory (email) confirmed that the person is no longer with the business, so
potentially they could still access the system in branch if they fraudulently gained access.
This means there is a gap in the process, so the active directory process is in place to close items down, but
there doesn’t appear to be a process to close down all accounts associated with that person... I don’t know
who owns that process at this stage etc etc
Regards
Rebecca Barker
Head of IT & Digital Risk
Legal Risk & Governance
No.1 Future Walk
Chesterfield
S49 1PF
From: Tom Lee
Sent: 10 May 2019 1
To: Rebecca Barker
Subject: Global user access issue
Hi,
Please can you give me some more details on the issue that was raised on the global user access point? I’ve
got an update call with PWC at 3pm and they are likely to want to chat through. Ideally if I can know who this
impacts and to what extent that would be great.
Thanks,
Tom