POL00214062
POL00214062
Strictly confidential, commercially sensitive and legally privileged draft
Initial Complaint Review and Mediation Scheme
Horizon Data
Issue
Second Sight has asked:
“Can Post Office or Fujitsu edit transaction data without the knowledge of a
Subpostmaster?”
WORDING OF QUESTION TO BE CONFIRMED WITH SS BUT THIS WOULD BE A
PREFERRED FORMULATION
This question is often phrased by Applicants as:
"Can Post Office remotely access Horizon?"
Phrasing the question in this way does not address the issue that is of concern to Second
Sight and Applicants. It refers generically to "Horizon"-but more particularly is about the
transaction data recorded by Horizon. Also, the word "access" means the ability to read
transaction data without editing it - Post Office / Fujitsu has always been able to access
transaction data however it is the alleged capacity of Post Office / Fujitsu to edit transaction
data that appears to be of concern. Finally,it,has always been known that Post Office can
post additional, correcting transactions to a branch's accounts inways that are visible to
Subpostmasters (ie. Transaction Corrections and Transaction Acknowledgements) - it is the
potential for any hidden method of editing data that is of concern.
In light of these issues, Second Sight and Post Office have therefore agreed the above
reformulation of the question:to be addressed.
In summary, Post Office confirms that neither itor Fujitsu can edit transaction data without
the knowledge of a Subpostmaster.
This document
This document provides a.generic response to the general question posed above. It is noted
that, as yet, Second Sight has not presented Post Office with a specific evidenced example of
data irregularities or anomalies that may suggest data integrity issues. Nevertheless, Post
Office is prepared to investigate incidents alleged by claimants as part of the mediation
process providing that is clearly identified (by at least the date, and preferably also the
approximate time ) in an Applicant's Case Questionnaire Response.
This document has been prepared with the assistance of Fujitsu and the Post Office IT&C.
Team. Both have approved this document as being accurate.
Response
In simple terms:
. Transactions are recorded in branches by Subpostmasters and their staff.
POL00214062
POL00214062
Strictly confidential, commercially sensitive and legally privileged draft
The transaction data is transmitted from a branch Horizon terminal to the Post Office
data centre.
At the data centre, the transaction data is stored on a secured server called the Audit
Store.
The transaction data in the Audit Store is what is considered to be the source for
"branch's accounts".
There is no functionality in Horizon for either a branch, Post Office or Fujitsu to edit,
manipulate or remove a transaction once it has been recorded in a branch's accounts.
The following safeguards are in place to prevent such occurrences:
Transmission of baskets of transaction data between Horizon:terminals in branches
and the Post Office data centre is encrypted.
Transmission of baskets of transaction data between Horizon terminals in branches
and the Post Office data centre cryptographically protected through the use of digital
signatures.
Baskets must net to nil before transmission. This means that the total value of the
basket is nil and therefore the correct amount of payments, goods and services has
been recorded in the basket. Baskets that do not net to nil will be rejected by the
Horizon terminal before transmission tothe Post Office data centre.
Baskets of transactions are either recorded in full/or. discarded in full — no partial
baskets can be recorded to the Audit Store.
All baskets are given sequential numbers (known as Journal Sequence Numbers or
JSNs) when sent from a Horizon terminal. This allows Horizon to run a check at the
Data Centre for missing baskets (which.triggers a recovery process) or additional
baskets that would cause duplicate numbers (which would trigger an exception error
report to Post Office /, Fujitsu).
All transaction data in the Audit Store is digitally sealed — these seals would show
evidence of tampering if anyone, either inadvertently, intentionally or maliciously, tried
to change the data within a sealed record.
Automated daily checks are undertaken on JSNs (looking for missing / duplicate
baskets) and on the digital seals (looking for evidence of tampering).
Questions for FJ:
Is it correct to say that even a malicious attempt to edit transaction data in the audit
store would leave a footprint?
When data is retrieved from the audit store, are the digital seals and JSNs checked
every time?
Although once recorded a transaction cannot be edited or deleted, transactions (including
negative transactions) can be added to a branch's accounts in the following ways only:
Are the three ways below, the only ways to affect a branch's accounts?
POL00214062
POL00214062
Strictly confidential, commercially sensitive and legally privileged draft
1 In branch
Branch staff record additional transactions during their normal daily use of Horizon. So
long as they are logging on with their own unique User ID and not sharing User IDs
and passwords within a branch, each transaction will be logged against the user's own
User ID.
Horizon does not include functionality that allows either Post Office or Fujitsu to log on
to a branch terminal of Horizon remotely in order to edit transactions recorded by
Branch staff branch's . It is possible for Fujitsu to log on remotely to a branch in order
to provide support and conduct maintenance but this does not allow access to any
functionality that could be used edit branch data.
There is the capability for Post Office employees to log on to a branch terminal locally
(i.e. by being physically in.a branch) using a new User ID and password and then
conduct transactions. This would only be’done in special circumstances (such as
when defunding a branch following a branch closure). Any transactions conducted
would be recorded against that new User ID and not against the User ID of any branch
2 TAs and TCs
Post Office can send transaction acknowledgements (TA) or transaction corrections
(TC) to branches. TAs are used to record transactions that have been processed in
branch through other systems (eg. the sale of Lottery products on the Camelot
terminal) and TCs to correct errors made by branches.
Both TAs and TCs need to be accepted by a user logged into the branch Horizon
terminal before they are recorded in the branch accounts. They are therefore fully
visible to each branch.
3 Balancing Transactions
POL00214062
POL00214062
Strictly confidential, commercially sensitive and legally privileged draft
Fujitsu (but not Post Office) can manually inject a new transaction into a branch's
accounts using the Balancing Transaction Process. This process is used in the event
of an accounting error that cannot be corrected by use of a TA or TC and itis in
accordance with good industry practice to have functionality of this nature in a system
like Horizon.
These access controls’ meet industry good practice standards and are audited under
1S027001 and by LINK (the industry body for ATMs) and PCI (card payment
compliance).
Injected Balancing Transactions are visible in the branch's accounts and so the
injected transaction will be visible to a Subpostmaster. The transaction is also
attributed to a unique transaction ID used only for these type of transactions. It is not
recorded against the User ID of any member of branch staff.
POL00214062
POL00214062
Strictly confidential, commercially sensitive and legally privileged draft
This process is materially the same for Horizon and Horizon Online.
This use of Balancing Transactions is incredibly rare. Within the Audit Store is an audit
log that automatically records any use of Balancing Transactions. This log shows that
a Balancing Transaction has only be used once in the last 7 years (being the retention
period for the log). A Balancing Transaction was injected on 3 March 2010 and only
affected one branch (FAD code: 226542 - which is not a branch under review in the
Scheme).
* Post Office Limited
DATE