POL00337340
POL00337340
Message
From: Prime, Amy f
Sent: 14/11/2016 6: 5
To: Anthony de Garr Robinson {Owain Draper,
ce: Lukas, Elisa {I
BCC: 364065_01369 Horizon IT System. Group Action E_Mails [{F26896945}.4A-LIVE@EM-S.NETWORK.LOCAL]
Subject: RE: Deloitte Report [BD-4A.FID26896945]
Attachments: _DOC_34314388(1)_Part 3 of 3 - Chronology of statements made in relation to Remote Access_ 14 November
2016.DOCX
Tony
Part 3 of 3 attached.
Amy
From: Prime, Amy
Sent: 14 November 2016 08:12
To: ‘Anthony de Garr Robinson’; ‘Owain Draper’
Cc: Gribben, Jonathan; Lukas, Elisa; Parsons, Andrew
Subject: RE: Deloitte Report [BD-4A.FID26896945]
Tony
Part 2 of 3 attached.
Amy
From: Prime, Amy
Sent: 14 November 2016 08:10
To: Anthony de Garr Robinson; Owain Draper
Cc: Gribben, Jonathan; Lukas, Elisa; Parsons, Andrew
Subject: RE: Deloitte Report [BD-4A.FID26896945]
Good morning Tony
Please find attached Part 1 of 3 of the chronology of statements made by POL on remote access. I will send parts 2 and
3 in separate emails to follow.
If you have any issues accessing the documents due to their size please let me know.
Kind regards
Amy
From: Parsons, Andrew
Sent: 13 November 2016 20:23
To: Anthony de Garr Robinson; Owain Draper
Cc: Prime, Amy; Gribben, Jonathan; Lukas, Elisa
Subject: RE: Deloitte Report
Tony
Sorry for the delayed reply. See my comments below in yellow.
POL-BSFF-0163551
POL00337340
POL00337340
The bottom line is that, even if we could resolve the issues below, FJ do have the ability to amend transaction data in a
way that could create a shortfall in a branch's accounts. This ability exists regardless of whether there is or is not an audit
trail of the changes. This means that Post Office have historically made untrue statements as it has categorically stated
that amending transaction data was not possible.
The first big question to my mind is: Do we publicly accept that PO has made false statements?
This does not mean that POL has deliberately concealed info / perpetrated a fraud. First, POL arguably made the
statements in good faith reliance on advice from FJ. Second, there is a question about to whom the statements were
made and whether they were relied on. I appreciate that both of these are technical arguments and don't resolve the
underlying bad karma of the position.
The second big question is: Was Super-user access actually used to create shortfalls?
We will never be able to know this definitively (see comments below about the lack of data) but, to my mind, we need to
build a case that the use of Super-user access was so exceptionally rare that it is a highly unlikely to be the cause of the
shortfalls in branches.
The draft letter sent over last night had a first stab at putting this down in writing. Attached is a slightly updated version.
It is the first question above that will be useful to discuss with POL tomorrow in order to take their temperature on (i) a
mea culpa and (ii) throwing FJ under the bus. For what it's worth, my current view is that we need to accept that POL
made untrue statements otherwise we end up trying to defend the indefensible.
Amy will send you tomorrow our working draft chronology of statements made by POL on the remote access question
(sorry its too big for me to send to you tonight — my laptop just won't cope!). I appreciate that you won't have time to read
this in full but it gives you a flavour of what has been said historically.
A
Andrew Parsons
Partner
Bond Dickinson LLP
Follow Bond Dickinson:
www.bonddickinson.com
From: Anthony de Garr Robinson [mailto
Sent: 10 November 2016 12:15
To: Parsons, Andrew; Owain Draper
Cc: Prime, Amy; Gribben, Jonathan
Subject: RE: Deloitte Report
Thanks, Andy.
At the risk of stating the obvious, the issues requiring further work or inquiry that are thrown up by your summary appear
to me to be as follows:
1. Section 4:
a. Para 4.4.1 — the missing 212k journal sequence numbers looks very bad (we have relied on the sequential
journal logs many times as a testament to the reliability of the system) and needs to be urgently chased up,
POL-BSFF-0163551_0001
POL00337340
POL00337340
with a view to establishing that it is not a problem for any shortfalls, or at least for any shortfalls relating
to any of the current claimants. What can be/is being done about this?
b. Para 4.4.2 — the 59 baskets not adding up to zero look bad too; what can be/is being done to establish that
(a) the 59 baskets are not a problem in any of the shortfall claims we are facing or may in future face,
and/or (b) that these 59 baskets do not reveal a wider problem/scope for indeterminacy in Horizon that
undermines its reliability in any given case?
2. Section 5:
a. Para 5.1 — the fact that we do not know whether there were balancing transactions or similar in legacy
Horizon looks very bad. What can we do to establish that there is no possibility of balancing or similar
transactions affecting branch data during the legacy Horizon period?
b. Para 5.4 — looks very good, except that the lack of any data for the period pre-12/03/10 period looks very
bad. What can be/is being done to establish the position in relation to this period? Is it the same period as
the legacy Horizon black period hole referred to above, or are the inquiries required here different to those
referred to above?
3. Section 6:
a.
Para 6.3.5 — Don't we obviously need (a) urgently to get hold of and check the logs for all super user
activity, and (b) urgently to establish that those logs cannot be altered, or am I missing something?
b. Para 6.6 — don't we obviously need to ensure that a full scale audit/check has been or will urgently be
done to ensure that all potentially discrepancies have been identified and shown to be irrelevant? Will
roblems that might otherwise be thrown up by the points made in paras 6.6.2, 6/.6.3 and
I would be interested to know whether these points are being addressed and if so how urgently. I would also be interested
to know what we will be able to say in our next letter, while further inquiries are being undertaken and various logs and
other data being obtained.
Best wishes,
Tony
From: Parsons, Andrew [mailt:
Sent: 10 November 2016 0%
Gribben, Jonathan
Tony, Owain
We're still trying to pin down Deloitte on the firm conclusions of their investigative work. I had hoped this would be
done by now but we've hit a few road bumps.
Nevertheless, please find attached (i) Deloitte's full report and (ii) a draft BD summary of the report - this has been
largely approved by Deloitte but should be treated with caution until finalised.
POL-BSFF-0163551_0002
POL00337340
POL00337340
I'm sending these now so you have sight of them before Monday. I'd recommend starting with our summary and then
reading appendix 7 to the main report. No need to read the full Deloitte report — it is long, technical and rather
repetitive but I've sent it in case you want it for reference.
Kind regards
Andy
Andrew Parsons
Partner
Bond Dickinson LLP
offices""GRO I
Follow trorurencrrnsone
www.bonddickinson.com
Please consider the environment! Do you need to print this email?
nly is authorised to access this e-
lete any copies. Unauthorised use,
The information in this e-mail and any attachment nd may be legally privileged a
please notify andrew.parson:
iis comininication or attachments is prohibi
mail and any attachments. If you are not arobinsorf
dissemination, distribution, publication or copying
Any files attached to this e-mail will have been checked by us with virus detection software before transmission. Bond Dickinson LLP accepts no liability for any loss or damage
which may be caused by software viruses and you should carry out your own virus checks before opening any attachment.
Content of this email which does not relate to the official business of Bond Dickinson LLP, is neither given nor endorsed by it
This email is sent by Bond Dickinson LLP which is a limited liability partnership registered in England and Wales under number 0C317661. Our registered office is 4 More
London Riverside, London, SE1 2AU, where a list of members’ names is open to inspection. We use the term partner to refer to a member of the LLP, or an employee or consultant
who is of equivalent standing. Our VAT registration number is GB123393627.
Bond Dickinson LLP is authorised and regulated by the Solicitors Regulation Authority.
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
POL-BSFF-0163551_0003