POL00031346
POL00031346
Horizon Spot Review 5 — Response
Bracknell Site & Centrally Input Transactions
1. Summary
An assertion has been made by a Mr Michael Rudkin that during a stated visit to the Fujitsu Bracknell
site on Tuesday 19" August 2008, he observed an individual based in the basement of the building
and who demonstrated the ability to access ‘live’ branch data and directly adjust transactions on the
Horizon system.
2. Response: The Bracknell Site Set-Up In 2008
In 2008 Post Office Limited (POL) occupied two areas of the Fujitsu building in Bracknell.
The first was a test environment on the first floor, in room 175. There were around 30 Horizon
counter terminals within the room. 10 counters were used to test Horizon on a test environment
called BTC7, the data centre elements of which were housed in the basement area of the building.
The remaining 20 counters were for a HNG test environment called RV-ACC, the data centre
elements of this were housed in IRE19 (Belfast). The HNG element was not operational in 2008.
Also contained within this room were desks for the Horizon test team. It was a secure area, with only
POL and nominated reps from Fujitsu having access to Room 175.
The second area was a test environment based in the building basement. In August 2008 there were
4 separate test environments set up in this area;
© BTC1 & BTC3 : These two test environments were used for functional testing of changes
being made to Horizon at that time, e.g. the introduction of MoneyGram.
¢ V&lI: The Horizon Volume test environment
@ REL: The Horizon release test environment (where deployment of software packages were
tested)
Along with these environments, preparation activities were underway in the basement to build a
volume and release environment for HNG, however, as previously stated, this environment would
not have been in a working state at the time of Mr Rudkin’s stated visit. POL had access to the
functional test environment.
Fujitsu controlled the Volume and Release environments. Their focus was not counter functionality;
they were designed to provide performance capability and software deployment to the data centre
platforms rather than counter.
The key point here is the phrase ‘test environment’. In August 2008, the live Horizon Data Centre
was dual-located in Wigan and Bootle. Access to this site was strictly controlled and the capability
would not have existed to hook up a PC and interfere with transaction databases. To create a test
environment in Horizon days, there was a physically build of a set of servers that represented the
live configuration in Wigan/Bootle. These servers were hosted in the basement in Bracknell, along
with test counters to connect to them. Access to the test environments then (and which remains the
POL00031346
POL00031346
case now) was controlled via secure rooms, and user logon authentication. However, as a test
environment, there would have been terminals where interrogation of databases would have been
possible. But, this would have been interrogation of the test databases, as there was complete
physical separation between test and live.
For perspective, there is live access available at Bracknell as there would have been in 2008.
However, this access is available only to Fujitsu’s SSC (System Support Centre) team, who provide
expert support to helpdesk staff. They are based on the 6" floor, which is the most secure floor in
Bracknell. Visitors are by appointment only and are not allowed to be unattended at any time. The
SSC team follow strict protocols relating to access and interrogation of live data, and their access is
logged and auditable. There is no access to SSC systems from the basement area.
3. Response: Post Office Confirmation/Corroboration of Mr Rudkin’s Visit
Post Office have made a concerted attempt to corroborate Mr Rudkin’s stated visit and purpose
through existing records held for that date and POL projects being managed during that time in
2008. The intention here has been to try and verify Mr Rudkin’s statement through identification of
the individual(s) who came into contact with him during his visit.
It is worth noting that Mr Rudkin states that he was unaccompanied when visiting Bracknell and
cannot remember the name of the individual who greeted him on site and escorted him through to.
the basement (test environment) area during his visit. We have additionally attempted to establish
the Bracknell visitor logs for the stated the date to verify Mr Rudkin’s attendance and his contact on
the day, however Fujitsu have confirmed that these records are not retained for as far back as 2008.
Fujitsu have additionally made the effort go through all email, documents and archived information
to hand but do not have any information for Tuesday 19** August 2008 that would suggest they had
visitors to the site.
Mr Rudkin states that the intention for his visit to the Bracknell site on that day was for ‘bureau de
change automation’ . We have looked at the Horizon test plan for 2008 and the only subject related
project that was scheduled for transaction testing at that time was the Bureau Pre-Order
Automation project. Minutes from meetings for June and July 2008 for that project mention an
action to set up a Bracknell site visit for ‘FED’ to view the test transactions on the 19 August 2008.
Logic would suggest that the intention to hold this test session for the project on that day correlates
with Mr Rudkin’s stated visit. However, a number of individuals listed as being involved in the
project — including the Bureau product manager and assigned business analyst - have no recollection
of either the formal visit having taken place or recognition of Mr Rudkin as an invited individual to
the Bracknell site. One of the individuals spoken to was in post as the test manager assigned to the
project. Having searched his Lotus Notes time records, he has managed to confirm that he was
working in Bracknell on Tuesday 19 August 2008, however he also has no recollection of Mr Rudkin
or a related visit to the test environment on that day.
Further investigation into the Lotus Notes records of the test team in Bracknell states that there
were just three POL test managers present on site in Bracknell on the 19 August 2008. None of them
have any calendar records relating to a visit by Mr Rudkin. The account provided by Mr Rudkin
POL00031346
POL00031346
suggests that he came across at least five individuals on his journey from the first floor in Bracknell
into the basement area.
Mr Rudkin’s account of the journey he took with his building contact; from reception to upstairs and
then down through security doors and down a stairwell to gain access to the basement, is a correct
analogy of the structural layout in the building. He could conceivably have been taken up to room
175 on the first floor and then down to the basement area, however it is unclear what the reasons
were for taking him to the first floor or what subject matter was discussed with, or explained to, him
during his route.
Our conclusion is that although we are unable to completely verify Mr Rudkin’s Bracknell visit on the
Tuesday 19** August 2008, we are equally unable to disprove that it took place at all.
4. Response: Alleged Comments
Mr Rudkin mentions that he heard the basement test environment being referred to as the ‘covert
operations’ room. There is no evidence to suggest that this was ever a term used to describe the
basement area and none of the test team questioned have heard of the phrase even in a joking
context.
Mr Rudkin additionally mentions that whilst in the basement area he evidenced access to the live
Horizon system. This would not have been the case as the test environment was an independently
built environment from the live production system — as explained under point 2 above. It is possible
that Mr Rudkin did not fully understand the functions of the test environment that he visited and
made certain assumptions regarding what he saw and heard.
5. Response: Further Specific Questions From Second Sight Regarding Input Transactions
Question 1:
What capabilities did the POL Bracknell team have? (As far as TC or Rem Out type transactions or
Journal adjustments are concerned).
Response:
The POL Bracknell Team had no access to the live system therefore could not conduct any of these
transactions.
Question 2:
What were the PHYSICAL or LOGICAL controls over their use of the systems available to them?
Response:
There was no Physical or Logical connection to the live system from the areas in Bracknell being
discussed/ investigated. Detailed documentation has been supplied of the testing processes and
procedures recently audited and the design documents to support this position.
POL00031346
POL00031346
Question 3:
What audit trail is available to show the extent that they posted TC or Rem Out type transactions, or
Journal adjustments?
Response:
When any transactions are posted to the database they are contained in the audit trail. As both the
original Horizon and replacement HNGx test systems were available to the test teams in that period
the test area and the test data is often refreshed and changed it would not be possible to identify
any transactions from this period in the test system. Specifically we do not keep audits of test
systems, only the Live system. As stated in response to question 1, the teams in the area of Bracknell
concerned would have no access to the live system.
Question 4:
Can we reply of the COMPLETENESS of the audit trail? i.e. does it record all transactions or just
transactions meeting certain criteria? Is it protected from user manipulation?
Response:
The detailed answer to this is included in two papers Horizon Data Integrity and Horizon Online Data
Integrity for Post Office Ltd which have been presented as evidence in a number of previous court
cases.
Question 5:
What USER ID was used if TC type transactions or journal adjustments were posted?
Response:
On the old Horizon System (which was Live in 2008) and Data introduced to the system in the Data
Centre would not be marked with any user ID.
Question 6:
Could the POL Bracknell team log on with either super user or SMPR credentials?
Response:
Not into the live system for reasons already outlined.
Question 7:
How would TC, Rem Out or Journal Adjustment type transactions executed by the POL Bracknell
team be seen by SPMR of Branches affected by those actions?
Response:
The PO Bracknell team did not have access to the live system.
POL00031346
POL00031346
The process described in the Operations manual refers to changes that were made to the old
Horizon system in 2004 or 2005 relating to Auto Rems and TCs which were introduced at that time
as part of the IMPACT Programme. Auto Rems meant that POL send Horizon a data feed defining
the content of Cash pouches and so as soon as the Branch scans in the pouch that value of cash is
added into their accounts (and a receipt printed). Before that they had to key in the amount and this
caused a number of issues with incorrect amounts being keyed.
However as with TCs the SPMR (or a member of staff) would be responsible for the transaction and
it would be recorded against their name.
Prior to this, Error Notices were sent to Branches which were often months after the errors occurred
and staff were expected to carry out appropriate transactions at the branch. TCs automated this
process and speeded it up. Product & Branch Accounting (P&BA) - recently re-named Finance
Service Centre (FSA) - have never had access to adjust client accounts on site through Horizon.