POL00249611
Postmaster Group Litigation
Confidential and legally privileged
Bond Dickinson
DRAFT DEFENCE
HORIZON RELATED SECTIONS
Fujitsu
35. As to paragraph 20, Post Office has provided to the Claimants a copy of its contract with
Fujitsu dated 31 March 2016 (“the 2016 Fujitsu Contract”). The Claimants have not
identified any reasons for thinking that any other agreements between Post Office and
Fujitsu are required for them properly to plead their generic claims. Nor have the Claimants
identified any respects in which the redactions to the 2016 Fujitsu Contract have prejudiced
their ability to plead their case on the relationship between Post Office and Fujitsu. The
redactions were made in order to preserve commercially sensitive information and/or
because the redacted content was irrelevant to the issues in this case. Save as aforesaid,
paragraph 20 is admitted.
36. As to paragraph 21: (TO BE REVISITED ONCE WE HAVE RECEIVED THE)
(1) Paragraph 21.1 is admitted. (SHOULD WE MAKE IT CLEAR THAT UNTIL THE)
(2) Paragraph 21.2 is admitted.
(3) As to paragraph 21.3, Fujitsu’s role includes identifying and remedying coding errors
and bugs in Horizon as pleaded in paragraph [KX] above. However, it is not its role
to change the transaction or accounting data on Horizon or to identify and remedy
coding errors or bugs in a manner that adversely affects such data. [TO DISCUSS]
4A_36289756_1 1
(4) As to paragraph 21.4, it is admitted that until 17 June 2014 Fujitsu provided a
telephone advice service to Post Office in relation to technical problems with the
Horizon system or equipment. This service was mainly used by Post Office staff (such
as staff working on the Helpline referred to in paragraph [KX] below), but sometimes
Fujitsu staff would have direct contact with third parties such as Subpostmasters in
order to obtain a better understanding of the problem on which it was asked to advise
(CORRECT SUMMARY?). However, from 17 June 2014, this telephone advice service
was provided by [INSERT FULL NAME OF ATOS].
Bugs, is Or
37. As to paragraph 22:
(1) If and to the extent that the Claimants wish to assert that any of the shortfalls for
which they were held responsible were Horizon-generated shortfalls, it is for them to
make that distinct allegation and seek to prove it. Post Office notes that they do not
make the allegation in the GPoC. It further notes that, in paragraph 20 of their
solicitors’ letter to Post Office’s solicitors dated 27 October 2016, the Claimants make
it clear that they do not allege that there is a systematic flaw in Horizon or indeed any
flaw which has caused any Claimant to be wrongly held responsible for any shortfall.
(2) It is denied that Post Office has unreasonably or otherwise failed to provide “obviously
relevant disclosure” in relation to bugs, errors or defects in Horizon. There has been no
order or application for disclosure and, in the premises set out above, there appears to
be no basis for providing such disclosure.
38. Paragraph 23 is embarrassing for its lack of particularity, in that (amongst other things) it
does not identify the errors, bugs or defects the Claimants rely on or how “large” their
number was or the period in which they are said to have occurred and nor does it identify
the transaction data that Fujitsu is alleged to have rebuilt, how “frequent” was the need to
rebuild it or the extent of the “risk of error” which is said to have been introduced. In the
premises, Post Office cannot plead to the first three sentences of this paragraph. However:
(1) All IT systems experience software coding errors or bugs which require fixes to be
developed and implemented. Horizon is no exception. For a system of Horizon’s
scale, Post Office would characterise the number of errors or bugs in Horizon
requiring fixes as relatively low [COR . In any event, as is noted in paragraph
[SX] below, there are robust measures in place for their detection, correction and
remediation.
(2) All IT systems involving the transmission of data over the internet experience data or
data packet errors during transmission and they routinely have protective measures in
place to prevent such errors creating any difference between the data transmitted and
the data received and retained by the recipient. Horizon has robust controls making it
extremely unlikely that transaction data input in a branch would be corrupted when
being transferred to, and stored in, Post Office's data centre in a manner that would
not be detected and remedied.
(3) Like all IT systems, Horizon has backups to guard against any loss of data due to local
hardware failure. Where hardware fails, the data on that hardware is recovered from
the backup. Post Office does not recognise the term “rebuild” and it does not accept
that there is a “frequent” need to recover data from backups.
(4) It is admitted that Fujitsu maintain a “Known Error Log”. This is not used by Post
Office and nor is it in Post Office’s control. To the best of Post Office’s information
and belief, the Known Error Log is a knowledge base document used by Fujitsu which
explains how to deal with, or work around, minor issues that can sometimes arise in
Horizon for which (often because of their triviality) system-wide fixes have not been
developed and implemented. It is not a record of software coding errors or bugs for
which system-wide fixes have been developed and implemented. To the best of Post
Office’s knowledge and belief, there are no issues in the Known Error Log that could
affect the accuracy of a branch's accounts or the secure transmission and storage of
transaction data. (THIS PARA SHOULD BE CHECKED CAREFULLY BY)
39. In paragraph 24, the Claimants combine many allegations together. Post Office separates out
40. As to paragraph 24.1, it is a truism that errors or bugs in an IT system and data or data
packet errors have the potential to create errors in the data held in that system. Horizon is
no exception. However, Horizon has at all material times included technical features and
control measures to reduce to an extremely low level the risk of an error in the transmission,
replication and storage of the transaction record data. These have varied from time to time
and they currently include the following:
(1) Horizon creates, transmits and stores transaction data in the form of “baskets”. A
basket is a complete transactional session between a customer and Post Office and
may include one, several or many individual transactions taking place within the same
session (for example (1) a cash deposit, (2) a purchase of stamps and (3) the payment
of a utility bill). Horizon will not accept a basket of transactions that does not net to
zero (i.e. the value of any sales is set off by the value of any payment made or
received). This reduces greatly the risk of any error in the data within any given basket.
(2) If a basket of transactions fails properly to complete its transmission to the central
database (because, for example, of a power loss), the system rejects any partial
transmission and requests the full basket from the branch terminal. This reduces greatly
the possibility of baskets of transactions failing to be recorded.
(3) At the point of a basket being accepted by Horizon, it is assigned a unique sequential
number (a “JSN”) that allows it to be identified relative to the other baskets
transmitted by that branch. This reduces greatly the risk of recording duplicate baskets
or there being a missing basket.
(4) Each basket is also given a digital signature, i.e. a unique code calculated by using
industry standard cryptography. If the data in the basket were to change after the
digital signature was generated, this would be apparent upon checking the digital
signature.
(5) Initial data integrity checks are undertaken when baskets are received at the Post Office
data centre from a branch. Baskets are then copied from the central database to the
Audit Store where a digital seal is then applied (the “Audit Store Seal”). If the baskets
and/or the data within the baskets were altered after the application of the Audit Store
Seal, this would be apparent when the baskets were extracted from the Audit Store.
Horizon and the above controls are themselves subject to various audits and checks
including audits carried out by third parties.
41. Further as to paragraph 24. in addition to the technical controls referred to above, there
are several operational procedures and practices conducted by Post Office and
Subpostmasters that serve to increase the reliability of the data stored in the central database
as an accurate record of the transactions effected on branch terminals. These currently
include the following:
(1) For many transaction types, Post Office compares its own transaction record against
the corresponding records held by Post Office clients. If an error in Horizon were to
result in the corruption of transaction data, this should be revealed by the comparison.
(2) There are detailed procedures in place to address the risk of data loss resulting from
interrupted sessions, power outages or telecommunications failures in branches. These
are set out and
Horizon guides the system user through the recovery process (which includes
completing any transactions that are cut short). These procedures should prevent any
data errors arising from interrupted sessions, power outages and telecommunications
failures.
(3) The display of the transactions being effected on-screen at the branch terminal allows
the user of the system to identify any inconsistency between the information shown
on the screen and the transaction that the user has keyed into the system. If, for
example, a hypothetical bug in the terminal were to cause a key-strike on number 5 to
be recorded as an input of number 6, this would be detected rapidly by system users
(given the large number of system users and the huge number of transactions effected
on Horizon).
(4) The accounting and record-keeping obligations placed on Subpostmasters reduce the
risk of any errors going undetected. For example, there is an obligation for each
branch to produce a cash declaration every day, which increases the likelihood of
promptly detecting any overstatement or understatement of the cash position on
Horizon. If a Subpostmaster detects that an error has been made at an early stage, its
cause is more likely to be identified.
Fujitsu operates industry standard processes for developing and updating Horizon and
for investigating and resolving any identified potential system errors.
42. As to paragraph 24.2, Post Office admits that, like all other IT systems, Horizon is not a
perfect system which has never had any errors or bugs. However, as indicated in paragraph
[SX] above, it has robust systems in place to identify them, fix them and correct their
consequences (if any).
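An added illustration, not code from Horizon, Post Office or Fujitsu, of how the basket-level controls pleaded in paragraph 40 behave as checks: the net-to-zero rule, JSN continuity for a branch, and a signature over the basket contents. The field names, key and sample baskets are constructed, and HMAC-SHA256 stands in for the unspecified “industry standard cryptography”.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: the page names no algorithm or key scheme


def canonical(basket):
    """Serialise the signed fields deterministically."""
    body = {k: basket[k] for k in ("branch", "jsn", "lines")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(basket, key=KEY):
    """HMAC-SHA256 tag standing in for the basket's digital signature."""
    return hmac.new(key, canonical(basket), hashlib.sha256).hexdigest()


def make_basket(branch, jsn, lines, key=KEY):
    basket = {"branch": branch, "jsn": jsn, "lines": lines}
    basket["sig"] = sign(basket, key)
    return basket


def check_basket(basket, key=KEY):
    """Per-basket findings: the net-to-zero rule and the signature."""
    findings = []
    if sum(amount for _, amount in basket["lines"]) != 0:
        findings.append("does not net to zero")
    if not hmac.compare_digest(basket.get("sig", ""), sign(basket, key)):
        findings.append("signature mismatch")
    return findings


def check_sequence(baskets):
    """Return (duplicate JSNs, missing JSNs) for one branch's baskets."""
    seen, duplicates = set(), set()
    for b in baskets:
        (duplicates if b["jsn"] in seen else seen).add(b["jsn"])
    missing = set(range(min(seen), max(seen) + 1)) - seen if seen else set()
    return sorted(duplicates), sorted(missing)


# Constructed sample for one branch: amounts in pence, each basket balanced.
SAMPLE = [
    make_basket("B001", 1, [["stamps", 1200], ["cash received", -1200]]),
    make_basket("B001", 2, [["utility bill", 4500], ["cash received", -4500]]),
    make_basket("B001", 4, [["cash deposit", 10000], ["cash paid in", -10000]]),
]

if __name__ == "__main__":
    edited = dict(SAMPLE[1], lines=[["utility bill", 5400], ["cash received", -5400]])
    print(check_basket(edited))                  # altered after signing
    print(check_sequence(SAMPLE + [SAMPLE[0]]))  # replayed JSN 1, JSN 3 absent
```

A basket altered after signing but rebalanced still nets to zero, so only the signature check reports it; a basket that is balanced and validly signed passes all three checks whatever its content.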
43. As to paragraph 24.3:
(1) There have been occasions on which bugs or errors in Horizon have resulted in
discrepancies and thus shortfalls in some branch accounts, as outlined in Schedule 6 of
the Letter of Response. Without prejudice to the burden of proof, none of the
branches affected are branches for which the Claimants were responsible.
(2) On each occasion, both the bugs or errors and the resulting discrepancies in the
relevant branch accounts were corrected. Post Office took steps to ensure that it had
identified all branches affected by the bugs or errors and that no Subpostmaster was
ultimately held responsible for any resultant shortfalls. (Where the bugs or errors
resulted in net gains, however, Post Office typically allows Subpostmasters to retain
them.)
44. As to paragraph 24.4:
(1) Paragraph above is repeated.
(2) Paragraphs 4.1 to 4.5 of Schedule 6 to the Letter of Response relate to the so-called
Suspense Account Bug. Without prejudice to the burden of proof, none of the
branches affected by the Suspense Account Bug are branches for which the Claimants
were responsible.
(3) None of the Subpostmasters whose branches were affected by the Suspense Account
Bug was ultimately held responsible for the shortfalls that it generated. The Claimants
are therefore wrong to understand Post Office as having admitted that it “recovered
such alleged shortfalls from Subpostmasters”. Where Subpostmasters in the affected
branches had made good or settled centrally shortfalls that were later corrected, those
Subpostmasters received a payment or credit to the value of the shortfall.
Remote editing of branch transaction data
45. Paragraph 25 appears to be concerned with the deletion or editing of transaction data input
by or on behalf of Subpostmasters without the consent of the relevant Subpostmaster.
Accordingly, Post Office assumes that it is not concerned with transactions such as
Transaction Corrections which are sent to branches but must be accepted by or on behalf of
the Subpostmaster before forming part of his or her branch account. As to the
circumstances in which such transaction data can be altered without the consent of the
Subpostmaster: [TO BE
(1) Neither Post Office nor Fujitsu has the ability to log on remotely to a Horizon
terminal in a branch so as to conduct transactions.
(2) A Post Office employee with “global user” authorisation can, when physically present
at a branch, use a terminal within the branch to add a transaction into the branch’s
accounts. The purpose of “Global User” authorization is to allow access to the
systems during training and/or audits. Any transactions effected by a Global User
are recorded against a Global User ID and are readily identifiable as such.
(3) Fujitsu (and not Post Office) has the ability to inject transactions into branch accounts
(since the introduction of Horizon Online in 2010, transactions of this sort have been
called “Balancing Transactions”). These transactions do not involve any removal or
amendment of the transactions entered at the branch. Their intended purpose is to
allow Fujitsu to correct errors or bugs in Horizon by introducing a new transaction to
cancel out the effect of an error or bug on a branch’s transaction data. They may only
be conducted by a small number of specialists at Fujitsu and only then used in
accordance with specific authorisation requirements. They are rarely used. To the best
of Post Office’s information and belief, only one Balancing Transaction has ever been
effected, and this was not in a branch operated by a Claimant. A Balancing
Transaction is [READILY?] identifiable as such. [IS IT RECORDED IN A WAY]
(4) There are a small number of Fujitsu specialists who have certain privileged user access
rights which they could in theory use to amend or delete the transaction data for a
branch. The intended purpose of privileged user rights is system support, not the
alteration of branch transaction data. To have abused those rights so as to alter branch
transaction data and conceal that this has happened would be an extraordinarily
difficult thing to do, involving complex steps (including the writing of sophisticated
computer programmes and circumvention of sophisticated control measures) which
would require months of planning and an exceptional level of technical expertise
THOSHPEROPHE?). Post Office has never consented to the use of privileged user
rights to alter branch data and, to the best of its information and belief, these rights
have never been used for this purpose.
(5) Post Office cannot conceive of a reason why any Fujitsu personnel would have sought
to add, inject, amend or delete any transactions in any branch accounts so as to create
a false shortfall. Post Office would never consent to any of them making changes to
branch accounts to generate false shortfalls, it would for all practical purposes be
impossible for any of them to generate significant shortfalls without detection and,
even if they were able to do so, they would be unable to take the benefit of such
shortfalls for themselves.
46. As to paragraph 26, the statements referred to therein are admitted. These statements were
made in [WHAT YEARS?]. The Post Office representatives who were responsible for the
making of these statements believed that they were true.
47. As to paragraph 27, it is admitted that there was a highly theoretical possibility that certain
Fujitsu personnel could abuse their privileged user rights so as to delete or edit branch
transaction data as described in paragraph [RR] above.
48. Paragraph 28 is noted. The alleged inferences are inappropriate and each of them is denied.
Post Office made the above statements in the context of complaints made during a
mediation scheme it set up to investigate and address concerns about Horizon. Some of
those complaints raised questions, in several different formulations and contexts, about
whether transaction data had been edited by Post Office or Fujitsu. These investigations
revealed no evidence of transaction data having been so edited. For example, there was an
unfounded claim by a particular Subpostmaster that he had in August 2008 observed a
Fujitsu worker passing transactions directly into the Horizon system and altering the
recorded foreign currency holdings of branches. This was alleged to have taken place in a
basement of Fujitsu’s premises in Bracknell. Post Office ascertained that no remote access
or altering of branch data had been possible from that location, which only housed a test
environment for Horizon.