POL00212720
Strictly confidential, commercially sensitive and legally privileged draft
Initial Complaint Review and Mediation Scheme
Horizon Data
Issue
Second Sight has asked:
“Can Post Office or Fujitsu edit transaction data without the knowledge of a
Subpostmaster?”
This question is often phrased by Applicants as:
"Can Post Office remotely access Horizon?"
Phrasing the question in this way does not address the issue that is of concern to Second
Sight and Applicants. It refers generically to "Horizon" but more particularly is about the
transaction data recorded by Horizon. Also, the word "access" means the ability to read
transaction data without editing it. Post Office / Fujitsu has always been able to access
transaction data; it is the alleged capacity of Post Office / Fujitsu to edit transaction
data that appears to be of concern. Finally, it has always been known that Post Office can
remotely affect a branch's accounts in ways that are visible to Subpostmasters (ie.
Transaction Corrections and Transaction Acknowledgements); it is the potential for any
hidden method of editing data that is of concern.
In light of these issues, Second Sight and Post Office have therefore agreed the above
reformulation of the question to be addressed.
In summary, Post Office confirms that neither it nor Fujitsu can edit transaction data without
the knowledge of a Subpostmaster.
This document
This document provides a generic response to the general question posed above. It is noted
that, as yet, Second Sight has not presented Post Office with a specific evidenced example of
a case "where Post Office or Fujitsu have edited transaction data without the knowledge of a
Subpostmaster". Nevertheless, Post Office is prepared to investigate any suspected incidence
of this nature that is clearly identified (by at least the date, and preferably also the
approximate time of the transaction) in an Applicant's Case Questionnaire Response.
This document has been prepared with the assistance of Fujitsu and the Post Office IT&C
Team. Both have approved this document as being accurate.
Response
In simple terms:
• Transactions are recorded in branches by Subpostmasters and their staff.
• The transaction data is transmitted from a branch Horizon terminal to the Post Office
data centre.
• At the data centre, the transaction data is stored on a secured server called the Audit
Store.
• The transaction data in the Audit Store is what is considered to be a "branch's
accounts".
There is no functionality in Horizon for either a branch, Post Office or Fujitsu to edit,
manipulate or remove a transaction once it has been recorded in a branch's accounts.
The following safeguards are also in place to prevent such occurrences:
• Transmission of baskets of transaction data between Horizon terminals in branches
and the Post Office data centre is encrypted.
• Baskets must net to nil before transmission. This means that the total value of the
basket is nil and therefore the correct amount of payments, goods and services has
been recorded in the basket. Baskets that do not net to nil will be rejected by the
Horizon terminal before transmission to the Post Office data centre.
• Baskets of transactions are either recorded in full or discarded in full — no partial
baskets can be recorded to the Audit Store.
• All baskets are given sequential numbers (known as Journal Sequence Numbers or
JSNs) when sent from a Horizon terminal. This allows Horizon to run a check at the
Data Centre for missing baskets (which triggers a recovery process) or additional
baskets that would cause duplicate numbers (which would trigger an exception error
report to Post Office / Fujitsu).
• All transaction data in the Audit Store is digitally sealed — these seals would show
evidence of tampering if anyone, either inadvertently, intentionally or maliciously, tried
to change the data within a sealed record.
• Automated daily checks are undertaken on JSNs (looking for missing / duplicate
baskets) and on the digital seals (looking for evidence of tampering).
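The three mechanical checks in the list above (baskets must net to nil before transmission, JSNs must be contiguous and unique, and sealed records must verify) can be modelled in a few dozen lines. The following Python is an added illustration and is not Horizon code, nor a description of how Fujitsu implements the Audit Store: the record layout, the use of HMAC-SHA256 as the "digital seal", the key, and the sample baskets are all constructed for the example. It shows the terminal-side rejection of a non-nil basket and a data-centre-side check that reports a missing JSN (recovery case), a duplicate JSN (exception case) and a record edited after sealing (tampering case).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: a stand-in key. The text says Audit Store records are "digitally
# sealed" but does not say how; HMAC-SHA256 is a substitute for the example only.
SEAL_KEY = b"constructed-demo-key-not-real"


@dataclass
class Basket:
    jsn: int        # Journal Sequence Number assigned when sent from the terminal
    lines: list     # (description, amount in pence); positive received, negative paid out
    seal: str       # hex digest over jsn + lines, computed when the record was written


def nets_to_nil(lines):
    """Basket rule: the total value of all lines must be zero."""
    return sum(amount for _, amount in lines) == 0


def seal_for(jsn, lines):
    """Deterministic seal over the record contents (constructed mechanism)."""
    payload = json.dumps([jsn, lines], separators=(",", ":")).encode()
    return hmac.new(SEAL_KEY, payload, hashlib.sha256).hexdigest()


def terminal_submit(jsn, lines):
    """Terminal-side check: a basket that does not net to nil is rejected before
    transmission; otherwise it is sealed and returned for sending in full."""
    if not nets_to_nil(lines):
        total = sum(amount for _, amount in lines)
        raise ValueError(f"basket JSN {jsn} does not net to nil: {total}p")
    return Basket(jsn, list(lines), seal_for(jsn, list(lines)))


def audit_store_check(baskets):
    """Data-centre-side daily check over stored baskets.

    Returns the JSNs that are missing from the sequence (would trigger recovery),
    JSNs that occur more than once (would trigger an exception report) and JSNs
    whose stored seal no longer matches the record contents (evidence of tampering).
    """
    seen = {}
    duplicates = []
    tampered = []
    for b in baskets:
        if b.jsn in seen:
            duplicates.append(b.jsn)
        seen.setdefault(b.jsn, b)
        if not hmac.compare_digest(b.seal, seal_for(b.jsn, b.lines)):
            tampered.append(b.jsn)
    jsns = sorted(seen)
    missing = [n for n in range(jsns[0], jsns[-1] + 1) if n not in seen] if jsns else []
    return {
        "missing": missing,
        "duplicate": sorted(set(duplicates)),
        "tampered": sorted(set(tampered)),
    }


def demo():
    """Constructed data: four good baskets with a gap at JSN 4, a second basket
    reusing JSN 5, and a basket whose contents were changed after sealing."""
    good = [terminal_submit(n, [("stamps", 200), ("cash", -200)]) for n in (1, 2, 3, 5)]
    duplicate = terminal_submit(5, [("postage", 150), ("card", -150)])
    edited = terminal_submit(6, [("cash deposit", 5000), ("cash", -5000)])
    edited.lines[0] = ("cash deposit", 4000)   # edit after sealing: seal no longer verifies
    return audit_store_check(good + [duplicate, edited])


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the model is that the seal only detects edits made after the record was written; it says nothing about whether the record was correct when sealed, which is why the net-to-nil check sits on the terminal before transmission rather than in the store.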
Questions for FJ:
Although once recorded a transaction cannot be edited or deleted, transactions (including
negative transactions) can be added to a branch's accounts in the following ways only:
1 In branch
Branch staff record additional transactions during their normal daily use of Horizon. So
long as they are logging on with their own unique User ID and not sharing User IDs
and passwords within a branch, each transaction will be logged against the user's own
User ID.
Horizon does not include functionality that allows either Post Office or Fujitsu to log on
to a branch terminal of Horizon remotely in order to conduct transactions that would affect
the branch's accounts. It is possible for Fujitsu to log on remotely to a branch in order to
provide support and conduct maintenance but this does not allow access to any functionality
that could be used to edit branch data.
There is the capability for Post Office employees to log on to a branch terminal locally
(i.e. by being physically in a branch) using a new User ID and password and then
conduct transactions. This would only be done in special circumstances (such as
when defunding a branch following a branch closure). Any transactions conducted
would be recorded against that new User ID, and not against the User ID of any branch
staff.
2 TAs and TCs
Post Office can send transaction acknowledgements (TAs) or transaction corrections
(TCs) to branches. TAs are used to record transactions that have been
processed in branch through other systems (eg. the sale of Lottery products on the
Camelot terminal) and TCs to correct errors made by branches.
Both TAs and TCs need to be accepted by a user logged into the branch Horizon
terminal before they are recorded in the branch accounts. They are therefore fully
visible to each branch.
3 Balancing Transactions
Fujitsu (but not Post Office) can manually inject a new transaction into a branch's
accounts using the Balancing Transaction Process. This process is used in the event
of an accounting error that cannot be corrected by use of a TA or TC and it is in
accordance with good industry practice to have functionality of this nature in a system
like Horizon.
Does it add a transaction or an entirely new basket?
The use of this process is strictly controlled by Post Office. For a transaction to be
manually injected:
These access controls meet industry good practice standards and are audited under
ISO27001 and by LINK (the industry body for ATMs) and PCI (card payment
compliance).
Injected Balancing Transactions are visible in the branch's accounts and so the
injected transaction will be visible to a Subpostmaster. The transaction is also
attributed to a unique transaction ID used only for this type of transaction. It is not
recorded against the User ID of any member of branch staff.
This process is materially the same for Horizon and Horizon Online.
The use of Balancing Transactions is incredibly rare. Within the Audit Store is an audit
log that automatically records any use of Balancing Transactions. This log shows that
a Balancing Transaction has only been used once in the last 7 years (being the retention
period for the log). A Balancing Transaction was injected on 3 March 2010 and only
affected one branch (FAD code: 226542 - which is not a branch under review in the
Scheme).
Post Office Limited
Track Changes

No.  Type    Author          Date/Time
1    Insert  Mark Underwood  20/11/2014 09:55 AM
2    Insert  Mark Underwood  20/11/2014 09:55 AM
3    Insert  Mark Underwood  11/11/2014 11:36 AM
4    Insert  Mark Underwood  11/11/2014 11:37 AM
5    Insert  Mark Underwood  20/11/2014 12:10 PM
6    Insert  Mark Underwood  11/11/2014 11:37 AM
7    Change  Mark Underwood  11/11/2014 11:37 AM
8    Delete  Mark Underwood  20/11/2014 09:58 AM
9    Delete  Mark Underwood  11/11/2014 11:39 AM
10   Delete  Mark Underwood  11/11/2014 11:40 AM
11   Insert  Mark Underwood  11/11/2014 11:40 AM
12   Delete  Mark Underwood  11/11/2014 11:40 AM
13   Insert  Mark Underwood  11/11/2014 11:43 AM
14   Delete  Mark Underwood  11/11/2014 11:43 AM
15   Insert  Mark Underwood  11/11/2014 11:43 AM
16   Change  Mark Underwood  11/11/2014 11:44 AM
17   Delete  Mark Underwood  11/11/2014 11:44 AM
18   Change  Mark Underwood  11/11/2014 11:50 AM
19   Change  Mark Underwood  20/11/2014 10:05 AM
20   Change  Mark Underwood  20/11/2014 10:05 AM
21   Delete  Mark Underwood  20/11/2014 10:05 AM
22   Insert  Mark Underwood  11/11/2014 12:03 PM
23   Change  Mark Underwood  20/11/2014 10:06 AM
24   Insert  Mark Underwood  11/11/2014 12:07 PM
25   Delete  Mark Underwood  11/11/2014 12:08 PM
26   Change  Mark Underwood  11/11/2014 12:08 PM
27   Change  Mark Underwood  11/11/2014 12:41 PM
28   Insert  Mark Underwood  20/11/2014 10:08 AM