WBON0000283
WBON0000283
From: Johann Appel ¢ ° GRO
To: Angela Var
Hamilton; j
2 Gi Hooton } Lucy Bremner
}, Mark Underwood 1 {~~ GRO
Subject: RE: URGENT PLEASE- Information needed for GLO Horizon issues Trial
Date: Fri, 26 Oct 2018 13:43:04 +0000
Importance: Normal
Inline-Images: image005.png; image011.jpg; image012.png; image013.png; image014.png;
image015.png; image016.png; image002.jpg
>, Catherine
Angela,
As Garry has mentioned, this report precedes the existence of Post Office Internal Audit. In addition, we do
not routinely track actions raised by external audit.
I will contact CoSec to see if the ARC papers and minutes provide more information. I will also look at
subsequent EY reports to see if these findings were raised again in the following year.
Best regards,
Johann
®
Johann Appel
Head of Internal Audit
Ground Floor
20 Finsbury Street
LONDON EC2Y 9AQ
4
?
From: Angela Van-Den-Bogerd
Sent: 26 October 2018 12:22
“}; Johann Appel
Underwood! <. ___GRO
WBD_000153.000001
WBON0000283
WBON0000283
Subject: URGENT PLEASE- Information needed for GLO Horizon issues Trial
Importance: High
Catherine, Johann,
As part of the Post Office litigation, WBD our external lawyers are drafting our witness statements with us in
response to allegations made by the other side. The one I need your help with in is respect of Jason Coyne,
the Claimants' IT expert who refers to an audit document produced by E&Y in 2011 (see attached) which
identified issues with the credence application, namely weak change controls within the back end of the
systems allowing Logica developers (the third-party provider) to move their own uncontrolled changes into
the production environment. He goes on to say that "further documentation to approve fixes and patches
applied to Credence outside of the release process were lacking, therefore linking changes to issue tickets to
record the original request for the bug fix was not possible".
We need to understand whether these comments are correct and whether anything changed in light of the
report.
My expectation is that we as a business would have taken action as a result of these findings by E&Y and
would have documented what that action was. I understand from speaking with Garry that we didn’t have
own POL internal audit function at the time as this was within the Royal Mail group structures.
Mark Hotson has already provided some information (email below) but that is about current practices rather
than in 2011 following the E&Y report.
Could I ask that you both consider the initial request from Lucy (first email in chain) and provide responses
evidence we provide to the Court.
As I’m sure you'll understand this is urgent as we are on a court deadline to submit our witness statements
by 4pm on 13!" November but we need to get our draft statements to our Counsel early next week. So could I
request that you give this your most urgent attention.
Any queries please come back to me in the first instance.
Thanks,
Angela
WBD_000153.000002
WBON0000283
WBON0000283
1 Floor, Ty Brwydran,
@® Angela Van Den Bogerd
Business Improvement Director
Atlantic Close,Llansamlet
SA7 9FJ
Confidential Information:
This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any
unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient please contact me by reply
email and destroy all copies of the original message.
From: Mark Hotson
Sent: 25 October 2018 18:56
To: Angela Van-Den-Bogerd 4. GRO. >
Ce: Somita Yogi < <
Subject: Fwd: Horizon issues - witness evidence TWEDUK. -AC.FID27032497]
Hi Angela,
Just picked your email exchange up with Lucy.
Please find enclosed the response that I provided her with earlier today.
Regards,
Mark
Get Outlook for Androi
From: Mark Hotson
Sent: Thursday, October 25, 2018 11:17:24 AM
To: Lucy Bremner
WBD_000153.000003
WBON0000283
WBON0000283
Ce: Mark Underwood1; Jonathan Gribben
Subject: RE: Horizon issues - witness evidence [WBDUK-AC.FID27032497]
Morning Lucy,
Further to the below, I have discussed the attached document, specifically items referenced “12”, “13” and
“14”, internally and provide the following updates. These responses are based on current knowledge as those
consulted were also not employed by POL at the time when the audit report was written:
Generally, since the report was written there has been:
1. A change to the IT Supplier (from: CMG Logica to: Accenture).
2. An upgrade to the application (from: Business Objects v3.1 to: v4.1).
3. A re-platform of the underlying database (from: a mix of CMG Logica locally-hosted (non-
production) environment and a Fujitsu hosted (production) environment to: Microsoft Azure
cloud hosting for non-production and production.
“12 - Credence (back end) change process”
e “Developers at Logica, the third party provider of application development and support for Credence,
had access rights to the production environment and the database that would permit developers to
move their own changes into the production environment.”
e “Documentation to approve fixes and patches that are applied to Credence outside of the release
process does not always exist. We were advised by Logica personnel that for a sample of four changes
selected evidence of approval to move into production did not exist and that it would not be possible to
link the changes to problem tickets to record the original request for the fix / patch.”
All changes* are under the control of Accenture and are subject to a robust Change Management
process. *These changes include: fixes — planned and emergency, project changes and security changes.
Each change is subject to approval at the “CAB” (Change Approval Board)
Further to this, as the hosting is now Microsoft Azure the implementation of patches and fixes are
subject to Microsoft security best practices.
“13 - Credence (front end) change process”
e = “During our walkthrough of user administration of the front end of Credence we noted several users with
administrator rights, including some generic users (this is noted below as a separate point). These users
WBD_000153.000004
WBON0000283
WBON0000283
have the access rights to create and amend reports, including those which may be relied upon for audit
evidence. These users can change report design, and processing without documented request, test or
approval.”
° “When users have the rights to change reports that are used by the business for reconciliation, exception
reporting or other processing, there is the risk that the reports are manipulated either intentionally or
accidentally.”
Users with administrator rights now purely carry out administrator tasks only, i.e. no reports are created
or amended by users with such rights.
In addition, a Power App has been implemented which logs and controls requests for change (new and
existing reports) carried out by POL personnel. Similarly, requests for changes/new reports that are
assigned to Atos information Services are logged and controlled via the Atos Service Catalogue.
“14 - Credence (front end) configuration”
“We noted several control weakness in Credence front end user administration and security configuration:
1. The password configuration is not aligned with network settings or those settings required by Post Office. We
noted:
a. there is no minimum password length
b. Password complexity rules are not applied
c. users are not required to change their password
d. password history is not retained
e. idle session time-outs are not in place”
The below screenshot provides the current (as at 25/10/2018) Business Objects Central Management Console
enterprise settings relating to passwords — this addresses the above:
WBD_000153.000005
WBON0000283
WBON0000283
Enterprise
Password Restrictions
[Enforce mixed-case passwords
[O Enforce numeral in passwords
(1) Enforce special character in passwords
[ Must contain at least N characters where NN is: 6
User Restrictions
[Must change password every N day(s): 30
[& The system cannot reuse the N most recent passwords): 3
[Must wait N minute(s) to change password: s
Logon Restrictions,
[Disable account after N failed attempts to log on: 10
Reset failed logon count after N minute(s): s
Re-enable account after N minute(s): s
Synchronize Data Source Credentials with Log On
Enable and update user's Data Source Credentials at logon time
Trusted Authentication
1] Trusted Authentication is enabled
No shared secret available. New d Secret] Download Shared SecretI
Shared Secret Validity Period (days):
Trusted logon request is timeout after N milisecond(s) (0 means no limit):
Update] Reset]
e = “There are three generic administrator accounts without specific users assigned to these accounts. One of
the three accounts has not been used since April 2009.”
Only 1 full Administrator account remains which is used for administrative activities only by the POL
Credence Administrator.
e “The process for requesting and granting user access rights to Credence does not maintain documentation
to record evidence of request or approval of access rights.”
This activity is now governed and controlled by the IT Service Desk. Service tickets are used to log and
control requests.
e = “There is no process in place for the revocation of user access rights when a user separates from the
organisation or moves to a new role no longer requiring access rights to Credence.”
Housekeeping is actively performed on a regular basis and redundant user accounts are terminated
accordingly.
With regards,
Mark
WBD_000153.000006
WBON0000283
WBON0000283
Mark Hotson
Senior Data & Process Specialist
Hen
@&
Winner of the
Global Postal Award
for Customer West Bars,
Experience CHESTERFIELD
Data Centre of Excellence
Not Future Walk,
Derbyshire, S49 1PF
Annual Leave Advanced Notification:
24th December 18 — 11" January 19
From: Mark Hotson
Sent: 24 October 2018 1
To: 'Lucy Bremner'
Ce: Mark Underwood] } GRO § Jonathan Gribben
CGRO_I -
: Horizon issues - witness evidence [WBDUK-AC.FID27032497]
Hi Lucy,
Whilst I am more than willing to try and help I wasn’t working in POL in 2011!
I'll come back to you in the morning after I’ve had some conversations internally.
Regards,
Mark
2017 Winner of the Mark Hotson
Global Postal Award Senior Data & Process Specialist
for Customer
WBD_000153.000007
WBON0000283
WBON0000283
® Data Centre of Excellence
Not Future Walk,
West Bars,
Experience CHESTERFIELD
Derbyshire, S49 1PF
24" December 18 — 11" January 19
From: Lucy Bremner I GRO j
Sent: 24 October 2
To: Mark Hotson ¢.
Ce: Mark Underwood1
~}>; Jonathan Gribben ¢
Subjec' ‘Horizon issues - witness evidence [WBDUK-AC.FID27032497]
Dear Mark,
As part of the Post Office litigation we are drafting witness statements in response to allegations made by the other
side. I have been in contact with Paul Smith, who has pointed me in your direction in relation to one of the issues we
need to respond to.
Jason Coyne, the Claimants’ IT expert, refers to an audit document produced by E&Y in 2011 (see attached) which
identified issues with the credence application, namely weak change controls within the back end of the systems
allowing Logica developers (the third-party provider) to move their own uncontrolled changes into the production
environment. He goes on to say that "further documentation to approve fixes and patches applied to Credence outside
of the release process were lacking, therefore linking changes to issue tickets to record the original request for the bug
fix was not possible".
We need to understand whether these comments are correct and whether anything changed in light of the report.
As we need this information urgently, can you let me know if you are the right person to answer this and if so, can we
set up a call for later today/tomorrow morning to discuss?
Kind regards,
WBD_000153.000008
WBON0000283
WBON0000283
Lucy
Lucy Bremner
Associate
Womble Bond Dickinson (UK) LLP
‘Stay informed: sign up to our e-alerts
WOMBLE womblebonddickinson.com
BOND
DICKINSON v fin)
Please consider the environment! Do you need to print this email?
The information in this e-mail and any attachments is confidential and
be legally privileged and protected by law. markhotsor only is authorised to
please notify Juey.bremnet
of this communication or attachments is prohibited and may be unlawful. Information about how we use
ail and any attachments. If you are not mark. hotsor
access this ¢
_}s soon as possible and delete any copies.
Unauthorised use, dissemination, distribution, publication or copyin;
personal data is in our Privaey Policy, on our website.
Any files attached to this e-mail will have been checked by us with virus detection software before transmission. Womble Bond Dickinson (UK) LLP accepts no liability for
any loss or damage which may be caused by software viruses and you should carry out your own virus checks before opening any attachment.
Content of this email which does not relate to the official business of Womble Bond Dickinson (UK) LLP, is neither given nor endorsed by it.
‘This email is sent by Womble Bond Dickinson (UK) LLP which is a limited liability partnership registered in England and Wales under number 0C317661. Our
office is 4 More London Riverside, London, SE1 2AU, where a list of members’ names is open to inspection. We use the tem parner to refer toa member ofthe LLP, or an
(Our VAT registration number is GB12. 7.
employee or consultant who is of equivalent standi
Womble Bond Dickinson (UK) LLP is a member of Womble Bond Dickinson (International) Limited, which consists of independent and autonomous law firms providing
services in the US, the UK, and elsewhere around the world. Each Womble Bond Dickinson entity is a separate legal entity and is not responsible for the acts or omissions of,
nor can bind or obligate, another Womble Bond Dickinson entity. Womble Bond Dickinson (International) Limited does not practice law. Please se
www.womblebonddickinson.convlegal notices for further details,
Womble Bond Dickinson (UK) LLP is authorised and regulated by the Solicitors Regulation Authority
JS ISIS ISIE SI ISISISI I ISIE SIOIGISIS ICISISI ICICI ICICI ICICI I SIO CCCI KC ACI A CIR ACAI OK CA Ho ae
This email and any attachments are confidential and intended for the addressee only. If you are not the
named recipient, you must not use, disclose, reproduce, copy or distribute the contents of this
communication. If you have received this in error, please contact the sender by reply email and then delete
this email from your system. Any views or opinions expressed within this email are solely those of the
sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: Finsbury
Dials, 20 Finsbury Street, London EC2Y 9AQ.
AE SSE SSSA SIGS SEES SSIES I GEGISICI ARI ICI CICK ACI CK AICI ACAI A a aaa ocak ok a ae ak o
“Post Office Limited is committed to protecting your privacy. Information about how we do this can be
found on our website at www.postoffice.co.uk/privacy”
WBD_000153.000009