POL00249903
Claim No. HQ16X01238
IN THE HIGH COURT OF JUSTICE
QUEEN’S BENCH DIVISION
IN GROUP LITIGATION BETWEEN:
ALAN BATES & OTHERS
Claimants
v
POST OFFICE LIMITED
Defendant
GENERIC DEFENCE
A3. Fujitsu
47. As to paragraph 20, Post Office has provided to the Claimants a copy of its contract with
Fujitsu (“the Fujitsu Contract”). The Claimants have not identified any reasons for thinking
that any other agreements between Post Office and Fujitsu are required for them properly to
plead their generic claims. Nor have the Claimants identified any respects in which the
redactions to the Fujitsu Contract have prejudiced their ability to plead their case on the
relationship between Post Office and Fujitsu. The redactions were made in order to preserve
commercially sensitive information and/or because the redacted content was irrelevant to the
issues in this case. Save as aforesaid, paragraph 20 is admitted.
48. As to paragraph 21:
(1) Depending on the specific branch and time in question, the telecommunication line
from the branch to the internet may have been provided by Fujitsu or by the
Subpostmaster. Save for this point of clarification, paragraph 21.1 is admitted.
(2) Fujitsu was only responsible for the Post Office side of the interface between central data
centres and clients. Further, some client equipment in branches transmitted data
directly to those clients without that data going through Horizon or other systems
for which Fujitsu was responsible. Save as aforesaid, paragraph 21.2 is admitted.
(3) Paragraph 21.3 bundles together several different concepts and uses language that is
open to different meanings. However:
(a) Fujitsu’s role included identifying and remedying coding errors and bugs in
Horizon as pleaded in paragraph [SX] above.
(b) To the extent that the phrase "correct apparent discrepancies in the data" is
meant to mean that Fujitsu implemented fixes that edited or deleted specific
items of transaction data, that is denied.
(c) It is denied that Fujitsu has implemented fixes that have affected the reliability
of accounting balances, statements or reports.
(d) Save as aforesaid, if Post Office understands it correctly, the general thrust of
paragraph 21.3 is denied.
(4) As to paragraph 21.4, it is admitted that until 2014 Fujitsu provided a telephone
advice service to Post Office in relation to technical problems with the Horizon
system or equipment. This service was used by Post Office staff (such as staff
working on the Helpline referred to in paragraph [SX] below), but sometimes
Fujitsu staff would have direct contact with third parties such as Subpostmasters in
order to obtain a better understanding of the problem on which it was asked to
advise. From 17 June 2014, this service was provided by Atos.
Bugs, errors or defects in Horizon
49. As to paragraph 22:
(1) If and to the extent that the Claimants wish to assert that any of the shortfalls for
which they were held responsible were Horizon-generated shortfalls, it is for them
to make that distinct allegation and seek to prove it. Post Office notes that they do
not make the allegation in the GPoC. It further notes that, in paragraph 20 of their
solicitors’ letter to Post Office’s solicitors dated 27 October 2016, the Claimants
make it clear that they do not allege that there is a systematic flaw in Horizon or
indeed any flaw which has caused any Claimant to be wrongly held responsible for
any shortfall.
(2) It is denied that Post Office has unreasonably or otherwise failed to provide
“obviously relevant disclosure” in relation to bugs, errors or defects in Horizon.
There has been no order or application for disclosure and, in the premises set out
above, there appears to be no basis for providing such disclosure.
50. Paragraph 23 is embarrassing for its lack of particularity, in that (amongst other things) it
does not identify the errors, bugs or defects on which the Claimants rely or how “large”
their number was or the period in which they are said to have occurred and nor does it
identify the transaction data that Fujitsu is alleged to have rebuilt, how “frequent” was the
need to rebuild it or the extent of the “risk of error” which is said to have been
introduced. In the premises, Post Office cannot plead to the first three sentences of this
paragraph. However:
(1) All IT systems experience software coding errors or bugs which require fixes to be
developed and implemented. Horizon is no exception. For a system of Horizon’s
scale, Post Office would characterise the number of errors or bugs in Horizon
requiring fixes as relatively low. In any event, as is noted in paragraph [53 and 54]
below, there are robust measures in place for their detection, correction and
remediation.
(2) All IT systems involving the transmission of data over the internet experience data
or data packet errors during transmission and such systems routinely have protective
measures in place to prevent such errors creating any difference between the data
transmitted and the data received and retained by the recipient. Horizon has robust
controls making it extremely unlikely that transaction data input in a branch would
be corrupted when being transferred to, and stored in, Post Office's data centre in a
manner that would not be detected and remedied.
(3) Like all IT systems, Horizon has backups to guard against any loss of data due to
local hardware failure. Where hardware fails, the data on that hardware is recovered
from the backup. Post Office takes the term "rebuild" to refer to the situation
before the introduction of Horizon Online where a new terminal was introduced to
a branch and the data stored on the other branch terminals (or on a disc where it
was a single counter branch) was restored to the new terminal. In this context, Post
Office does not accept that there was a "frequent" need to recover data from back-
ups.
(4) It is admitted that Fujitsu maintain a “Known Error Log”. This is not used by Post
Office and nor is it in Post Office’s control. To the best of Post Office’s
information and belief, the Known Error Log is a knowledge base document used
by Fujitsu which explains how to deal with, or work around, minor issues that can
sometimes arise in Horizon for which (often because of their triviality) system-wide
fixes have not been developed and implemented. It is not a record of software
coding errors or bugs for which system-wide fixes have been developed and
implemented. To the best of Post Office’s knowledge and belief, there is no issue in
the Known Error Log that could affect the accuracy of a branch's accounts or the
secure transmission and storage of transaction data.
51. In paragraph 24, the Claimants again bundle many ambiguous allegations together. Post
Office separates out and addresses those allegations in paragraphs [52 to 57] below.
52. As paragraph 24.1 does not explain what is meant by “error repellency”, what sorts of
errors are referred to, what is meant by “data entry level”, what would constitute
“sufficient” prevention, detection, identification or reporting of each sort of errors, or in
what respects the error repellency of Horizon was insufficient, Post Office cannot plead to
this paragraph. However, the general thrust of paragraph 24.1 is denied and the robust
controls, procedures and practices pleaded in paragraphs [53 and 54] below are referred to.
53. As to paragraph 24.14, it is a truism that errors or bugs in an IT system and data or data
packet errors have the potential to create errors in the data held in that system. However,
Horizon has at all material times included technical control measures to reduce to an
extremely low level the risk of an error in the entry, transmission, replication and storage
of the transaction record data. These have varied from time to time and they currently
include the following:
(1) Horizon creates, transmits and stores transaction data in the form of “baskets”. A
basket is a complete transactional session between a customer and Post Office and
may include one, several or many individual transactions taking place within the
same session. Horizon will not accept a basket of transactions that does not net to
zero (i.e. the value of any sales is set off by the value of any payment made or
received). This reduces greatly the risk of any error in the data entered within any
given basket.
(2) If a basket of transactions fails properly to complete its transmission to the central
database (because, for example, of a power loss), the […] any partial
transmission and requests the full basket from the branch terminal. This reduces
greatly the possibility of baskets of transactions failing to be recorded.
(3) At the point of a basket being accepted by Horizon, it is assigned a unique sequential
number (a “JSN”) that allows it to be identified relative to the other baskets
transmitted by that branch. This reduces greatly the risk of recording duplicate
baskets or there being a missing basket.
(4) Each basket is also given a digital signature, i.e. a unique code calculated by using
industry standard cryptography. If the data in the basket were to change after the
digital signature was generated, this would be apparent upon checking the digital
signature.
(5) Initial data integrity checks are undertaken when baskets are received at the Post
Office data centre from a branch. Baskets are then copied from the central database
to the Audit Store where a digital seal is then applied (the “Audit Store Seal”). If
the baskets and/or the data within the baskets were altered after the application of
the Audit Store Seal, this would be apparent when the baskets were extracted from
the Audit Store.
(6) Horizon and the above controls are themselves subject to various audits and checks
including audits carried out by third parties.
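The following is an added illustration, not part of the pleading and not Horizon's actual implementation: a minimal Python model of the net-to-zero rule, JSN sequencing, per-basket signature and Audit Store Seal described above, run over a constructed branch log. The field names, the key and the use of HMAC-SHA256 as a stand-in for the digital signature and seal are assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: stand-in for the signing key


def sign(basket):
    """HMAC-SHA256 over branch, JSN and lines (stand-in for the digital signature)."""
    body = {k: basket[k] for k in ("branch", "jsn", "lines")}
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def make_basket(branch, jsn, lines):
    basket = {"branch": branch, "jsn": jsn, "lines": lines}
    return {**basket, "sig": sign(basket)}


def audit_seal(baskets):
    """Seal over the stored baskets' signatures (stand-in for the Audit Store Seal)."""
    joined = "".join(b["sig"] for b in baskets).encode()
    return hmac.new(KEY, joined, hashlib.sha256).hexdigest()


def verify_branch_log(baskets):
    """Return (JSN, finding) pairs for one branch's baskets, in received order."""
    findings, last = [], None
    for b in baskets:
        jsn = b["jsn"]
        if sum(amount for _, amount in b["lines"]) != 0:  # amounts in pence
            findings.append((jsn, "does not net to zero"))
        if not hmac.compare_digest(sign(b), b["sig"]):
            findings.append((jsn, "signature mismatch"))
        if last is not None and jsn <= last:
            findings.append((jsn, "duplicate or out-of-order JSN"))
        elif last is not None and jsn > last + 1:
            findings.append((jsn, f"gap: JSN {last + 1} to {jsn - 1} missing"))
        last = jsn if last is None else max(last, jsn)
    return findings


def sample_log():
    """Constructed sample: a good basket, one edited after signing, a duplicate, a gap."""
    good = make_basket("B001", 1, [["stamps", 500], ["cash", -500]])
    altered = make_basket("B001", 2, [["bill payment", 2000], ["cash", -2000]])
    altered["lines"] = [["bill payment", 2500], ["cash", -2500]]  # edited after signing
    dup = make_basket("B001", 2, [["stamps", 100], ["cash", -100]])
    late = make_basket("B001", 5, [["stamps", 100], ["cash", -100]])
    return [good, altered, dup, late]


if __name__ == "__main__":
    print(*verify_branch_log(sample_log()), sep="\n")
```

The edited basket still nets to zero, so only the signature check flags it; a seal recomputed at extraction differs from the stored one if any basket has been removed or re-signed with different content.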
54. Further as to paragraph 24.1, in addition to the technical controls referred to above,
there are several operational procedures and practices conducted by Post Office and
Subpostmasters that serve to increase the reliability of the data and stored in the central
data centre as an accurate record of the transactions entered on branch terminals. These
currently include the following:
(1) For many transaction types, Post Office compares its own transaction record against
the corresponding records held by Post Office clients. If an error in Horizon were
to result in the corruption of transaction data, this should be revealed by the
comparison.
(2) There are detailed procedures in place to address the risk of data loss resulting from
interrupted sessions, power outages or telecommunications failures in branches.
These are set out in the "Recovery — Horizon Online Quick Reference Guide" and
Horizon guides the system user through the recovery process (which includes
completing any transactions that are cut short). These procedures should prevent
any data errors arising from interrupted sessions, power outages and
telecommunications failures.
(3) The display of the transactions being effected on-screen at the branch terminal
allows the user of the system to identify any inconsistency between the information
shown on the screen and the transaction that the user has keyed into the system. If,
for example, a hypothetical bug in the terminal were to cause a key-strike on number
5 to be recorded as an input of number 6, this would be detected rapidly by system
users, given the large number of system users and the huge number of transactions
effected on Horizon.
(4) The accounting and record-keeping obligations placed on Subpostmasters reduce
the risk of any errors going undetected. For example, there is an obligation for each
branch to count and declare to Post Office the cash it holds on a daily basis, which
increases the likelihood of promptly detecting any overstatement or understatement
of the cash position on Horizon. If a Subpostmaster detects that an error has been
made at an early stage, its cause is more likely to be identified.
(5) Fujitsu operates industry standard processes for developing and updating Horizon
and for identifying, investigating and resolving any identified potential system errors.
55. As to paragraph 24.2, Post Office admits that, like all other IT systems, Horizon is not a
perfect system which has never had any errors or bugs. However, as indicated in
paragraphs [53 and 54] above, it has robust systems in place to identify them, fix them and
correct their consequences (if any).
56. As to paragraphs 24.3 and 24.4:
(1) There have been occasions on which bugs or errors in Horizon have resulted in
discrepancies and thus shortfalls or net gains in some branch accounts, as outlined in
Schedule 6 of the Letter of Response.
(2) On each occasion, both the bugs or errors and the resulting discrepancies in the
relevant branch accounts were corrected. Post Office took steps to ensure that it
had identified all branches affected by the bugs or errors and that no Subpostmaster
was ultimately held responsible for any resultant shortfalls. (Where the bugs or
errors resulted in net gains, however, Post Office typically allowed Subpostmasters
to retain them.)
(3) Paragraphs 4.1 to 4.5 of Schedule 6 to the Letter of Response relate to the so-called
Suspense Account Bug. Without prejudice to the burden of proof, none of the
branches affected by the Suspense Account Bug are branches for which the
Claimants were responsible.
(4) None of the Subpostmasters whose branches were affected by the Suspense
Account Bug was ultimately held responsible for the shortfalls that it generated.
The Claimants are therefore wrong to understand Post Office as having admitted
that it “recovered such alleged shortfalls from Subpostmasters”. Where
Subpostmasters in the affected branches had made good or settled centrally
shortfalls that were later corrected, those Subpostmasters received a payment or
credit in the amount of the shortfall.
Remote editing of branch transaction data
57. Paragraph 25 appears to be concerned with the editing or deletion of transaction data
input by or on behalf of Subpostmasters without the consent of the relevant
Subpostmaster. Accordingly, Post Office assumes that it is not concerned with
transactions such as Transaction Corrections which are sent to branches but must be
accepted by or on behalf of the Subpostmaster before forming part of his or her branch
account. As to the circumstances in which such transaction data can be edited or deleted
without the consent of the Subpostmaster:
(1) Neither Post Office nor Fujitsu has the ability to log on remotely to a Horizon
terminal in a branch so as to conduct transactions.
(2) A Post Office employee with “global user” authorisation can, when physically
present at a branch, use a terminal within the branch to add a transaction into the
branch’s accounts. The purpose of “Global User” authorization is to allow access to
the systems for during training and/or audits. Any transactions effected by a Global
User are recorded against a Global User ID and are readily identifiable as such.
(3) Fujitsu (and not Post Office) has the ability to inject transactions into branch
accounts (since the introduction of Horizon Online in 2010, transactions of this sort
have been called “Balancing Transactions”). These transactions do not involve
any removal or amendment of the transactions entered at the branch. Their
intended purpose is to allow Fujitsu to correct errors or bugs in Horizon by
introducing a new transaction to cancel out the effect of an error or bug on a
branch’s transaction data. They may only be conducted by a small number of
specialists at Fujitsu and only then used in accordance with specific authorisation
requirements. They are rarely used. To the best of Post Office’s information and
belief, only one Balancing Transaction has ever been effected, and this was not in a
branch operated by a Claimant. A Balancing Transaction is readily identifiable as
such.
(4) There are a small number of Fujitsu specialists who have certain privileged user
access rights which they could in theory use to amend or delete the transaction data
for a branch. The intended purpose of privileged user rights is system support, not
the alteration of branch transaction data. To have abused those rights so as to alter
branch transaction data and conceal that this has happened would be an
extraordinarily difficult thing to do, involving complex steps (including the writing of
sophisticated computer programmes and circumvention of sophisticated control
measures) which would require months of planning and an exceptional level of
technical expertise. Post Office has never consented to the use of privileged user
rights to alter branch data and, to the best of its information and belief, these rights
have never been used for this purpose.
(5) Post Office cannot conceive of a reason why any Fujitsu personnel would have
sought to add, inject, amend or delete any transactions in any branch accounts so as
to create a false shortfall. It would for all practical purposes be impossible for any
of them to generate significant shortfalls without detection and, even if they were
able to do so, they would be unable to take the benefit of such shortfalls for
themselves.
58. As to paragraph 26, the statements referred to therein are admitted. These statements
were made in April 2015 and August 2015. The Post Office representatives who were
responsible for the making of these statements believed that they were true.
59. As to paragraph 27, it is admitted that, although Horizon was not designed to have this
functionality, there is a highly theoretical and consequently remote possibility that certain
Fujitsu personnel could abuse their privileged user rights in such a way as to edit or delete
branch transaction data as described in paragraph [57(4)] above.
60. Paragraph 28 is noted. The alleged inferences are inappropriate and each of them is
denied. Post Office is not aware of any material suggesting that transaction data has been
edited or deleted, and nor are the Claimants.