POL00151049
From: Lesley J Sewell
Sent: Fri 30/01/2015 5:28:59 PM (UTC)
To: Mark R Davies
Subject: Fwd: URGENT ACTION : Accessing Horizon
Attachment: image003.png
Attachment: image004.png
Attachment: image005.png
Attachment: image006.png
Attachment: image007.png
Attachment: image008.jpg
More detail
Lesley J Sewell
Chief Information Officer
Post Office Ltd
Sent from my iPhone
Begin forwarded message:
From: "Davidson Jai
"Kevin Lenihan"
"Mark Underwood 1"
"Newsome Pete"
Hi Kevin,
I have just seen this as I was working in another mail to you, which I have posted below.
Having looked again at the request from Paula, it appears that the fundamentals around this
question (remote access) are not understood. I suggest that Paula is briefed along the lines of the
following.
1) No transaction data is held locally in any branch. Transactions are completed and stored in a
central database and copies of all data are sent to a secure audit database.
2) Sub-postmasters directly manage user access and password setting locally so system access
(to create transactions) is limited to approved local personnel only who are responsible for
setting their own passwords. Users are only created following an approval process which requires
authorisation by the sub-postmaster. All subsequent transactions are recorded against the id used
to log on to the system.
3) Once a transaction has been completed, there is no functionality (by design) for transactions
to be edited or amended. Each transaction is given a unique number and ‘wrapped’ in a digital
encryption seal to protect its integrity. All transactions are then posted to a secure and segregated
audit server.
4) On approval, there is the functionality to add additional transactions which will be visible
and have a unique identifier in the audit trail. This is extremely rare and has only been used once
since go live of the system in 2010 (March 2010).
5) Support staff have the ability to review event logs and monitor, in real time, the availability
of the system infrastructure as part of standard service management processes.
6) Overall system access is tightly controlled via industry standard ‘role based access’
protocols and assured independently in annual audits for ISO 27001, Ernst and Young for IAS
3402 and as part of PCI audits.
Happy to clarify any points further.
Regards,
James Davidson
Post Office
Fujitsu
Lovelace Road, Bracknell, RG12 8SN
Web: http://uk.fujitsu.com
Fujitsu is proud to partner with
Shelter<http://www.fujitsu.com/uk/announcements/shelter/index.html>, the housing and homeless
charity
Reshaping ICT, Reshaping Business in partnership with FT.com<http://reshaping-ict.ft.com/>
Please consider the environment - do you really need to print this email?
From: Kevin Lenihan [mailto
Sent: 30 January 2015 16:59
To: Mark Underwood1; Davidson James; Melanie Corfield
Cc: Newsome Pete; Dave Hulbert; Lesley J Sewell; Dave M King; Julie George
Subject: RE: URGENT ACTION : Accessing Horizon
Mark,
I have the bullets that James provided earlier in relation to Q2 :-
Q. "you have said this is such a vital system to the Post Office, what testing do you do and how
often? When was the last time?”
Answer:-
- There is a Joint permanent test team
- Permanent test facilities are in place
- In constant use to test enhancements and maintenance releases (software upgrades,
  patching etc)
- All code regression tested to ensure stability of the environment
- All change approved formally by change process
- Processes (change, release etc) audited annually by Ernst and Young as part of IAS 3402
  standard
- All access and system segregation, security audited by external PCI auditors for PCI
  accreditation
- Consequently system stability is high and availability has run consistently above target over
  many years
I suggest that any words in association to the above are primarily to make the above flow, and
they are the facts. I am happy to reconstruct the above into sentences but don’t want to dilute
the facts provided.
I propose that we provide Mel with the answer to Q.1) as you have stated below (I have already
agreed that content with Dave King, Info. Security) AND the bullets provided by James to Q2,
so that the final article is crafted by a Comms expert.
Mel / James / Mark — are you all okay with this or do you need me to do anything else ?
Thanks,
Kevin
Kevin Lenihan | Senior Information Services Manager
2nd Floor, 148 Old Street, London EC1V 9HQ
From: Mark Underwood1
Sent: 30 January 2015 15:50
To: Davidson James
Cc: Kevin Lenihan
Subject: RE: URGENT ACTION : Accessing Horizon
Hi Kevin my proposed answer to the first question below (it can be sent in its entirety to Mel and
she can pick and choose). Though this will need to be signed off by James as accurate.
In terms of the second question, I cannot find anything on the testing carried out. It could very
well have been sent to one of my predecessors but I cannot find it anywhere. James are you able
to put something together based upon the email you sent Kevin?
Mark
In terms of Q1
This question often phrased by Applicants and Second Sight is:
"Can Post Office remotely access Horizon?"
Phrasing the question in this way does not address the issue that is of concern to Second Sight
and Applicants. It refers generically to "Horizon" but more particularly is about the transaction
data recorded by Horizon. Also, the word "access" means the ability to read transaction data
without editing it — Post Office / Fujitsu has always been able to access transaction data however
it is the alleged capacity of Post Office / Fujitsu to edit transaction data that appears to be of
concern. Finally, it has always been known that Post Office can post additional, correcting
transactions to a branch's accounts but only in ways that are visible to Subpostmasters (i.e.
Transaction Corrections and Transaction Acknowledgements) — it is the potential for any hidden
method of editing data that is of concern.
"Can Post Office or Fujitsu edit transaction data without the knowledge of a Subpostmaster?"
Post Office confirms that neither it nor Fujitsu can edit transaction data without the knowledge of
a Subpostmaster.
There is no functionality in Horizon for either a branch, Post Office or Fujitsu to edit, manipulate
or remove a transaction once it has been recorded in a branch's accounts.
The following safeguards are in place to prevent such occurrences:
- Transmission of baskets of transaction data between Horizon terminals in branches
  and the Post Office data centre is cryptographically protected through the use of digital
  signatures.
- Baskets must net to nil before transmission. This means that the total value of the
  basket is nil and therefore the correct amount of payments, goods and services has been recorded
  in the basket. Baskets that do not net to nil will be rejected by the Horizon terminal before
  transmission to the Post Office data centre.
- Baskets of transactions are either recorded in full or discarded in full — no partial
  baskets can be recorded to the Audit Store.
- All baskets are given sequential numbers (known as Journal Sequence Numbers or
  JSNs) when sent from a Horizon terminal. This allows Horizon to run a check at the Data Centre
  for missing baskets (which triggers a recovery process) or additional baskets that would cause
  duplicate numbers (which would trigger an exception error report to Post Office / Fujitsu).
- All transaction data in the Audit Store is digitally sealed — these seals would show
  evidence of tampering if anyone, either inadvertently, intentionally or maliciously, tried to change
  the data within a sealed record.
- Automated daily checks are undertaken on JSNs (looking for missing / duplicate
  baskets) and on the digital seals (looking for evidence of tampering).
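
The daily checks described in the message above (JSN gaps and duplicates, seal verification, net-to-nil), sketched as an added example that is not part of the email thread and is not Horizon or Fujitsu code. The record layout, the amounts in pence and the use of HMAC-SHA256 as a stand-in for the "digital seal" are assumptions; the thread does not specify the real scheme.

```python
import hashlib
import hmac
import json

SEAL_KEY = b"constructed-demo-key"  # assumption: stand-in for the real sealing key


def seal(basket):
    """Seal over the basket's canonical JSON (assumed record format)."""
    body = {k: basket[k] for k in ("terminal", "jsn", "lines")}
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SEAL_KEY, data, hashlib.sha256).hexdigest()


def make(terminal, jsn, lines):
    """Build a sealed basket; 'lines' are signed amounts in pence."""
    basket = {"terminal": terminal, "jsn": jsn, "lines": lines}
    basket["seal"] = seal(basket)
    return basket


def daily_check(baskets):
    """Return findings as (kind, terminal, jsn) tuples.

    An HMAC seal only shows changes made by a party without SEAL_KEY, and the
    gap check only sees JSNs missing between the lowest and highest received.
    """
    findings, seen = [], {}
    for b in baskets:
        seen.setdefault(b["terminal"], []).append(b["jsn"])
        if not hmac.compare_digest(seal(b), b["seal"]):
            findings.append(("seal_mismatch", b["terminal"], b["jsn"]))
        if sum(b["lines"]) != 0:
            findings.append(("not_net_nil", b["terminal"], b["jsn"]))
    for terminal, jsns in sorted(seen.items()):
        for jsn in sorted(set(jsns)):
            if jsns.count(jsn) > 1:
                findings.append(("duplicate_jsn", terminal, jsn))
        expected = set(range(min(jsns), max(jsns) + 1))
        for jsn in sorted(expected - set(jsns)):
            findings.append(("missing_jsn", terminal, jsn))
    return findings


def sample_store():
    """Constructed extract: one gap (T1/3), one duplicate (T2/7), one altered record."""
    store = [make("T1", 1, [500, -500]), make("T1", 2, [1200, -1200]),
             make("T1", 4, [250, -250]), make("T2", 7, [99, -99]),
             make("T2", 7, [99, -99])]
    store[1]["lines"] = [1200, -200]  # changed after sealing
    return store
```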
From: Davidson James
Sent: 30 January 2015 1-45
To: Mark Underwood1
Cc: Kevin Lenihan
Subject: FW: URGENT ACTION : Accessing Horizon
James Davidson
Post Office
Fujitsu
Lovelace Road, Bracknell, RG12 8SN
Mob:
Email: james.davidsont
Web: http://uk.fujitsu.com
Mark,
As discussed, can you hook up with Kevin to review what answers have already been provided to
second sight as this should form the Post Office response.
Thanks,
James.
From: Kevin Lenihan
Sent: 30 January 2015 09:28
To: Newsome Pete
Subject: URGENT ACTION : Accessing Horizon
Pete,
My phone call earlier today refers.
I need some urgent information as per Paula’s note please. Apologies if you’ve had this before
but I’m not aware of the history on this — just point me in the direction of who has that answer
and I’ll pursue accordingly.
Cheers,
Kevin
Kevin Lenihan | Senior Information Services Manager
Old Street, London EC1V 9HQ
From: Paula Vennells
<paula.vennellg,
To: Mark R Davi
Lesley J Sewell
Subject: Urgent:
Dear both, your help please in answers and in phrasing those answers, in prep for the SC:
1) "is it possible to access the system remotely? We are told it is."
What is the true answer? I hope it is that we know this is not possible and that we are able to
explain why that is. I need to say no it is not possible and that we are sure of this because of xxx
and that we know this because we have had the system assured.
2) "you have said this is such a vital system to the Post Office, what testing do you do and how
often? When was the last time?"
Lesley, I need the facts on these - I know we have discussed before but I haven't got the answer
front of mind - too many facts to hold in my head! But this is an important one and I want to be
sure I do have it. And then Mark, to phrase the facts into answers, plus a line to take the
conversation back up a level - ie., to one of our narrative boxes/rocks.
Thanks, Paula
Paula Vennells
Chief Executive
Post Office Ltd
T:
Paula.vennells(
Sent from my iPad
This email and any attachments are confidential and intended for the addressee only. If you are
not the named recipient, you must not use, disclose, reproduce, copy or distribute the contents of
this communication. If you have received this in error, please contact the sender by reply email
and then delete this email from your system. Any views or opinions expressed within this email
are solely those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148
OLD STREET, LONDON EC1V 9HQ.
Unless otherwise stated, this email has been sent from Fujitsu Services Limited, from Fujitsu
(FTS) Limited, or from Fujitsu Telecommunications Europe Limited, together "Fujitsu".
This email is only for the use of its intended recipient. Its contents are subject to a duty of
confidence and may be privileged. Fujitsu does not guarantee that this email has not been
intercepted and amended or that it is virus-free.
Fujitsu Services Limited, registered in England No 96056, registered office 22 Baker Street,
London W1U 3BW.
Fujitsu (FTS) Limited, registered in England No 03808613, registered office 22 Baker Street,
London W1U 3BW.
PFU Imaging Solutions Europe Limited, registered in England No 1578652, registered office
Hayes Park Central, Hayes End Road, Hayes, Middlesex, UB4 8FE.
Fujitsu Telecommunications Europe Limited, registered in England No 2548187, registered office
Solihull Parkway, Birmingham Business Park, Birmingham, B37 7YU.