POL00212054
POL00212054
Strictly confidential, commercially sensitive and legally privileged draft
Initial Complaint Review and Mediation Scheme
Horizon Data
Issue
Second Sight has asked:
Can Post Office or Fujitsu edit transaction data without the knowledge of a
Subpostmaster?
WORDING OF QUESTION TO BE CONFIRMED WITH SS BUT THIS WOULD BE A
PREFERRED FORMULATION
This question is often phrased by Applicants as:
"Can Post Office remotely access Horizon?"
Phrasing the question in this way does not address the issue that is of concern to Second
Sight and Applicants. It refers generically to "Horizon" but more particularly is about the
transaction data recorded by Horizon. Also, the word "access" means the ability to read
transaction data without editing it - Post Office has always been able to access transaction
data however it is the alleged capacity of Post Office to edit transaction data that appears to
be of concern. Finally, it has always been known that Post Office can remotely affect a
branch's accounts in ways that are visible to Subpostmasters (ie, Transaction Corrections and
Transaction Acknowledgements) - it is any hidden method of editing data that is of concern.
In light of these issues, Second Sight.and Post Office have therefore agreed the above
reformulation of the question to be addressed.
In summary, Post Office confirms that neither it nor Fujitsu can edit transaction data without
the knowledge of a Subpostmaster.
This document
This document provides a generic response to the general question posed above. It is noted
that, as yet, Second Sight,has not presented Post Office with a specific example of a
“remotely generated transaction". For the reasons stated below, it would be surprising if such
a transaction was raised as part of the Scheme. Nevertheless, Post Office is prepared to
investigate any suspected transaction of this nature that is clearly identified (by at least the
date, and preferably also the approximate time, of the transaction ) in an Applicant's Case
Questionnaire Response.
This document has been prepared with the assistance of Fujitsu and the Post Office IT&C.
Team. Both have approved this document as being accurate.
Response
In simple terms:
. Transactions are recorded in branches by Subpostmasters and their staff.
POL00212054
POL00212054
Strictly confidential, commercially sensitive and legally privileged draft
. The transaction data is transmitted from a branch Horizon terminal to the Post Office
data centre.
. At the data centre, the transaction data is stored on a secured server called the Audit
Store.
. The transaction data in the Audit Store is what is considered to be a "branch's
accounts".
There is no functionality in Horizon for either a branch, Post Office or Fujitsu to edit (ie. delete
or alter) a transaction recorded in a branch's accounts.
Safeguards are also in place to ensure that no transactions are lost, altered or improperly
added to a branch's accounts:
. Transmission of baskets of transaction data between Horizon terminals in branches
and the Post Office data centre is encrypted.
. Baskets must net to nil before transmission. This means that the total value of the
basket is nil and therefore the correct amount of. payments, goods and services has
been recorded in the basket. Baskets that donot net to nil will be rejected by the
Horizon terminal before transmission to the Post, Office data centre.
. Baskets of transactions are either recorded in full or discarded in full — no partial
baskets can be recorded to the Audit Store.
. All baskets are given sequential numbers (known’as Journal Sequence Numbers or
JSNs) when sent from a Horizon terminal. This allows Horizon to run a check at the
Data Centre for missing baskets (which triggers a recovery process) or additional
baskets that would cause duplicate numbers (which would trigger an exception error
report to Post Office / Fujitsu).
° All transaction data in the Audit Store is digitally sealed — these seals would show
evidence of tampering, if anyone, either inadvertently, intentionally or maliciously, tried
to change the data within a sealed record.
. Automated daily checks are undertaken on JSNs (looking for missing / duplicate
baskets) and on the digital seals (looking for evidence of tampering).
Questions for FJ:
. Is it correct to say that even a malicious attempt to edit transaction data in the audit
store would leave a footprint?
. When data is retrieved from the audit store, are the digital seals and JSNs checked
every time?
Although once recorded a transaction cannot be edited or deleted, transactions (including
negative transactions) can be added to a branch's accounts in the following ways only:
Are the three ways below, the only ways to affect a branch's accounts?
1 In branch
POL00212054
POL00212054
Strictly confidential, commercially sensitive and legally privileged draft
Branch staff record additional transactions during their normal daily use of Horizon. So
long as they are logging on with their own unique User ID and not sharing User IDs
and passwords within a branch, each transaction will be logged against the user's own
User ID.
Horizon does not include functionality that allows either Post Office or Fujitsu to log on
to a branch terminal of Horizon remotely in order to conduct transactions that would
affect the branch's accounts. It is possible to log on remotely to a branch in order to
provide support and conduct maintenance but this does not allow access to any
functionality that could be used to generate transactions or change branch data.
Questions for FJ:
Is the above statement correct?
What assurances are in place that this support access cannot be misused in order to
conduct transactions in branch?
There is the capability for Post Office employees to log on to a branch terminal locally
(ie. by being physically in a branch) using a new User ID and password and then
conduct transactions. This would only be done in special circumstances (such as
when defunding a branch following a branch’closure). Any transactions conducted
would be recorded against that new User ID and not against the User ID of any branch
staff.
Questions for POL / FJ:
What controls are in place to make sure that the above local access is not misused?
2 TAs and TCs
Post Office can send transactionacknowledgements (TA) or transaction corrections
(TC) to branches. TAs andTCs are usedsto record transactions that have been
processed in branch.through other systems (eg. the sale of Lottery products on the
Camelot terminal) or to\correct errors made by branches.
Both TAs and TCs need to be accepted by a user logged into the branch Horizon
terminal before they are recorded in the branch accounts. They are therefore fully
visible to each branch.
3 Balancing Transactions
Fujitsu (but not Post Office) can manually inject a new transaction into a branch's
accounts using the Balancing Transaction Process. This process is used in the event
of an accounting error that cannot be corrected by use of a TA or TC and itis in
accordance with good industry practice to have functionality of this nature in a system
like Horizon.
FJ — What is the effect of a Balancing Transaction?
o What types of transaction can it add?
o Does it add a transaction or an entirely new basket?
o Can it add a transaction to an existing basket?
POL00212054
POL00212054
Strictly confidential, commercially sensitive and legally privileged draft
°
The use of this process is strictly controlled by Post Office. For a transaction to be
manually injected:
These access controls meet industry good practice standards and are audited under
1$027001 and by LINK (the industry body for ATMs) gor Peligare payment
compliance).
Injected Balancing Transactions are visible in the branch's accoun
injected transaction will be visible toa subpostmaster. The transaction is also
log that automatically: fecords any use of Balancing Transactions. This log shows that
a Balancing Transaction has only be used once in the last 7 years (being the retention
period for the log). A Balancing Transaction was injected on 3 March 2010 and only
affected one branch (FAD code: 226542 - which is not a branch under review in the
Scheme).
Post Office Limited