Strictly confidential, commercially sensitive and legally privileged draft
InitielComplaint Review and Mediation Scheme
Horizon Data
WBONO000327
WBON0000327
‘Commented [MU3]: I have deleted to remove SS from the
‘equation.
This question is often phrased by Applicants ias:
"Can Post Office remotely access Horizon?"
Phrasing the question in this way does not address the issue that is
of concern to Second Sight and Applicants. It refers generically to
"Horizon" but more particularly is about the transaction data recorded
by Horizon. Also, the word "access" means the ability to read
transaction data without editing it - Post Office / Fujitsu has always
been able to access transaction data however it is the alleged
capacity of Post Office / Fujitsu to edit transaction data that
appears to be of concern. Finally, it has always been known that Post
Office can post additional, correcting transactions to a branch's
accounts in ways that are visible to Subpostmasters (i.e. Transaction
Corrections and Transaction Acknowledgements) - it is the potential
for any hidden method of editing data that is of concern.
Thus, this papef addresses the questdon:
Can Post Office or Fujitsu edit transaction data without the knowledge
of a Subpostmaste:
addressed ‘Commented [MU2]:
equation.
hhave deleted to remove SS from the
In summary, Post Office confirms that neither it nor Fujitsu can edit
transaction data without the knowledge of a Subpostmaster.
This document
This document provides a generic response to the general question
posed above. It is noted that, as yet, neither Second Sight_or any
Applicant haves-net presented Post Office with a specific evidenced
example of data irregularities or anomalies that may suggest data
integrity issues. Nevertheless, Post Office is prepared to
investigate incidents alleged by claimants as part of the Complaint
and Mediation Scheme providing that is clearly identified (by at
least the date, and preferably also the approximate time ) in an
Applicant's Case Questionnaire Response.
WBD_000197.000001
Strictly confidential, commercially sensitive and legally privileged draft
This document has been prepared with the assistance of Fujitsu and the
Post Office ITsC Team. Both have approved this document as being
accurate.
Response
In simple terms:
. Transactions are recorded in branches by Subpostmasters and
their staff.
. The transaction data is transmitted froma branch Horizon
terminal to the Post Office data centre.
. At the data centre, the transaction data is stored on a secured
server called the Audit Storey
. The transaction)data in the Audit Store is what is considered to
be the source for "branch's accounts"
There is no functionality in Horizon for either a branch, Post Office
or Fujitsu to edit, manipulate or remove a transaction once it has
been recorded in a branch's accounts.
The following safeguards are in place to prevent such occurrences:
. Transmission of baskets of transaction data between Horizon
terminals in branches and the Post Office data centre is
cryptographically protected through the use of digital
signatures.
. Baskets must net to nil before transmission. This means that
the total value of the basket is nil and therefore the correct
amount of payments, goods and services has been recorded in the
basket. Baskets that do not net to nil will be rejected by the
Horizon terminal before transmission to the Post Office data
centre.
. Baskets of transactions are either recorded in full or discarded
in full - no partial baskets can be recorded to the Audit Store.
. All baskets are given sequential numbers (known as Journal
Sequence Numbers or JSNs) when sent from a Horizon terminal.
This allows Horizon to run a check at the Data Centre for
missing baskets (which triggers a recovery process) or
WBONO000327
WBON0000327
WBD_000197.000002
Strictly confidential, commercially sensitive and legally privileged draft
additional baskets that would cause duplicate numbers (which
would trigger an exception error report to Post Office /
Fujitsu).
All transaction data in the Audit Store is digitally sealed -
these seals would show evidence of tampering if anyone, either
inadvertently, intentionally or maliciously, tried to change the
data within a sealed record.
.
Automated daily checks are undertaken on JSNs (looking for
missing / duplicate baskets) and on the digital seals (looking
for evidence of tampering).
Although once recorded a transaction cannot be edited or deleted,
transactions (including negative transactions) can be added to a
branch's accounts in the following ways only:
In branch
Branch staff record additional transactions during their normal
daily use of Horizon. So long as they are logging on with their
own unique User ID and not sharing User IDs and passwords within
a branch, each transaction will be logged against the user's own
User ID.
Horizon does not include functionality that allows either Post
Office or Fujitsu to log on to a branch terminal of Horizon
remotely in order to edit transactions recorded by Branch staff.
It is possible for Fujitsu to view branch data in order to
provide support and conduct maintenance but this does not allow
access to any functionality that could be used to edit branch
data.
I
WBONO000327
WBON0000327
‘Commented [D33]:
‘The system has been designed so that transaction data
‘cannot be edited, only new transactions added via standard
‘operating processes. All access to systems are logged and
‘access is segregated following IS027001 principles (this
‘audited annually).
MU - so itis correct ina sense as it is not possible to edit
{data and any malicious additional transactions, by the nature
that they are added, would therefore leave at least some kind
of footprint.
‘Commented [GT4]: Again essentially yes. t would be
‘possible for us to rettieve data from the audit store without
‘doing these checks, but f the data is being used in support of
‘prosecution or such ke then these checks are aba
made.
eae FJ to provide an answer. I presume ]
the answer is yes
WBD_000197.000003
Strictly confidential, commercially sensitive and legally privileged draft
I
There is the capability for Post Office employees to log on to a
branch terminal locally (i.e. by being physically in a branch)
using a new User ID and password and then conduct transactions.
This would only be done in special circumstances (such as when
defunding a branch following a branch closure). Any
transactions conducted would be recorded against that new User
ID and not against the User ID of any branch staff.
wo
TAs and TCs
Post Office can send transaction acknowledgements (TA) or
transaction corrections (TC) to branches. TAs are used to
record transactions that have been processed in branch through
other systems (eg, the sale of Lottery products on the Camelot
terminal) and TCs to correct errors made by branches.
Both TAs and TCs need to be accepted by a user logged into the
branch Horizon terminal before they are recorded in the branch
accounts. They are therefore fully visible to each branch.
Balancing Transactions
Fujitsu (but mot Post Office) can manually inject a new
transaction into a branch's accounts using the Balancing
Transaction Process. This process is used in the event of an
accounting error that cannot be corrected by use of a TA or TC
and it is in accordance with good industry practice to have
functionality of this nature in a system like Horizon.
WBONO000327
WBON0000327
‘Commented [MU6,
I: The below assurances need to be I
[t
Provided in more detail. Examples, detailed by response,
below:
How? Can we give a ‘walked through’
‘Commented [MU7;
‘example of how the systems design prevents misuse?
‘Commented [MUS]:
What does this footprint look like?
What (footprint) variations exist?
‘Commented [MU9;
‘Can we describe what typical branch data looks lke VS data
that would be considered inconsistent?
‘When inconsistent data is apparent / suspected (How?) ~
what is the subsequent process?
ic
[MU10]: Noted — I will find this out )
WBD_000197.000004
WBONO000327
WBON0000327
Strictly confidential, commercially sensitive and legally privileged draft
‘Commented [MU11]: Further tothe final question in this
Paper
‘Could we be provided with all the information related to this
incident so that we can judge, once we pul together all the
information supplied together, whether or not the below
‘questions stil require bottoming out?
‘Commented [D312]: Note - itis not possible to edit
‘existing transaction / basket data as detailed earlier.
‘Commented [D313]: These are new transactions with
‘unique jsn’s and identifiers
‘Commented [D314]: Note — there are no records held on
branch terminal.
i
‘Commented [D315]: See details of incident in March 2010
{or details on how this process works
The use of this process is strictly controlled by Post Office.
For a transaction to be manually injected:
(Commented [D316]: Same as above )
These access controls meet industry good practice standards and
are audited under IS027001,and by LINK (the industry body for
ATMs) and PCI (card payment compliance) .
Injected Balancing Transactions are visible in the branch's
accounts and so the injected transaction will be visible to a
Subpostmaster. The transaction is also attributed to a unique
transaction ID used only for these type of transactions. It is
not recorded against the User ID of any member of branch staff.
(Commented [D317]: See incident in March 2010 for details }
I
WBD_000197.000005
WBONO000327
WBON0000327
Strictly confidential, commercially sensitive and legally privileged draft
This process is materially the same for Horizon and Horizon
Online.
This use of Balancing Transactions is incredibly rare. Within
the Audit Store is an audit log that automatically records any
use of Balancing Transactions. This log shows that a Balancing
Transaction has only be used once in the last 7 years (being the
retention period for the log). A Balancing Transaction was
injected on 3 March 2010 and only affected one branch (FAD code:
226542 - which is not a branch under review in the Scheme).
Post Office Limited
WBD_000197.000006