WBON0000448
WBON0000448
From: Jane MacLeod 4
To: "Parsons, Andrew" 4
Ce: Rodric Williams 4
Subject: RE: Strictly Private & Confidential - Subject to Litigation Privilege [BD-
4A.FID26859284]
Date: Tue, 26 Jul 2016 20:37:39 +0000
Importance: Normal
Inline-Images: image003.png; image004.jpg; image005.jpg; image006.jpg; image007.png;
image008.png; image009.png; image010.png; image011.jpg; image012.png;
image013.png; image014.png; image015.png; image016.gif; image017. gif;
image018.png
Thanks Andy
This wording still feels a bit inflammatory. I’m not sure the following is necessarily any better and the line between
the legal and ‘publicity’ issue is a fine one...
My suggestion is:
1.3.4 Access to databases. Database and server access and edit permission is provided, within strict controls,
to a small, controlled number of specialist Fujitsu personnel. Our current understanding is that although it
may be possible theoretically to use these permissions in a way that could affect a branch's accounts, it is
unclear why any such permissions would be used by those specialists in such a way. Any such use of these
permissions in this way would, in any event, be logged and be subject to compliance with the specified
controls. [We have asked Fujitsu to advise whether such permissions have ever been used in this way.]
Thoughts?
Jane
® Jane MacLeod
General Counsel
Ground Floor
20 Finsbury Street
LONDON
EC2Y 9AQ
Mobile number:
From: Parsons, Andrew [mailtd _
Sent: 26 July 2016 18:14
To: Rob Houghton; Jane MacLeod
Cc: Rodric Williams; Patrick Bourke; Thomas P Moran; Tom Wechsler; Mark R Davies; Melanie Corfield; Angela Van-
Den-Bogerd
Subject: RE: Strictly Private & Confidential - Subject to Litigation Privilege [BD-4A.FID26859284]
All
The description of the situation in points 1 — 3 in Jane's email accurately records our current understanding. To tackle
this issue, there are two work-streams ongoing:
1. Deloitte are investigating the key questions of (a) whether FJ can alter or delete records and if so (b) would
this leave a visible audit trail (to Post Office, FJ and/or SPMR).
2. We (BD/ POL) are putting together a chronology of statements made by (i) FJ to POL and (ii) POL to others.
We can then assess whether there have been any inaccurate representations of the position and, if so, what impact
this may have on the claims.
WBD_000318.000001
WBON0000448
WBON0000448
This work will not however be complete before Thursday's deadline for responding to Freeths (the due date for
Deloitte's work is mid-August and even then I suspect there may be follow-up enquiries that go beyond August). I
agree with Rob's suggestion that it would be preferable to understand the complete picture before saying anything, but
unfortunately time is against us. I also have in mind Tony's strong advice about being transparent on this point as far
as possible.
As to the Letter of Response, we can remove the wording in square brackets as per Jane's email. Doing so however
may make it seem like Super User access can definitely be used to affect branch accounts, when this is not 100%
certain. I have therefore proposed some alternative wording in the attached.
In terms of Paula contacting FJ, I can see this would help ensure that FJ continue to engage promptly and fully, subject
to two caveats:
1. I would not mention Bullet 5 in Jane's email. If FJ get a sense that Post Office is holding FJ responsible for
past statements, this may cause FJ to become defensive, making it more difficult to get information out of
them.
2. Paula needs to stick tightly to the remaining 4 bullets so not to accidentally waive privilege in circumstances
where there is a (perhaps remote) possibility of a claim against FJ.
All comments on the attached wording are welcomed.
Kind regards
Andy
Andrew Parsons
Partner
Follow Bond Dickinson:
Blin)
www.bonddickinson.com
From: Rob Houghton [mailto}
Sent: 26 July 2016 15:48
To: Jane MacLeod; Parsons, Andrew
Cc: Rodric Williams; Patrick Bourke; Thomas P Moran; Tom Wechsler; Mark R Davies; Melanie Corfield; Angela Van-
Den-Bogerd
Subject: RE: Strictly Private & Confidential - Subject to Litigation Privilege
Before we do anything — I would suggest that we get a definitive view from Deloitte on the below.
e In essence therefore the difference would appear to turn on whether FJ can alter or delete records (a)
at all; and (b) if the answer to (a) is yes, and it does so, is there a visible audit trail? My understanding
of Deloitte’s initial findings is that the answer to (a) is yes and to (b) is ‘not necessarily’.
It hinges on the DBAs superuser ability to access and modify tables within FJ and we need Deloitte/ FJ/ POL to have
a very direct conversation on this. All the FJ statements are probably true through normal tools and capabilities.
The challenge is whether the DBAs have extra priveledge. Before we go too far down this line we need to
absolutely assure ourselves from Deloitte and FJ. Have we got any further detail from Deloitte yet?
R
From: Jane MacLeod
Sent: 26 July 2016 14:45
To: Parsons, Andrew
Cc: Rodric Williams; Patrick Bourke; Thomas P Moran; Tom Wechsler; Mark R Davies; Melanie Corfield; Angela Van-
WBD_000318.000002
WBON0000448
WBON0000448
Den-Bogerd; Rob Houghton
Subject: Strictly Private & Confidential - Subject to Litigation Privilege
Andy
I briefed our Group Executive this morning on the progress on the litigation and the planned positioning of the
various issues in the response letter due to be sent to Freeths at the end of the week. In particular, I commented
on the issues around the response to the remote access issue.
As expected there was significant concern around the apparent change in emphasis from previous public
statements, the resultant adverse publicity this may create, and the impact this may have on new ministers etc,
who will not have been briefed. The conclusion to the discussion was that we should include a statement in the
letter as planned, however we should re-consider the phrasing of this.
In responding to Freeths, we need to be cognisant of the following:
1. What did Fujitsu actually tell us about remote access?
e I haven’t as yet seen any further analysis on what statements we have received from FJ, however Mark
U found the email trail (below) last week.
¢ My (layman’s) interpretation is that what FJ said below is narrower than what we now believe to be
the case, and narrower than what we are now proposing to saying. The FJ response below says you
can add records (which would be visible via the audit trail) but infers that records can’t be changed or
deleted.
2. What we have previously said publically?
e Mark collated a range of statements (attached) which can be summarised by the statement made to
Panorama “Neither Post Office nor Fujitsu can edit the transactions as recorded by branches. Post
Office can correct errors in and/or update a branch's accounts by inputting a new transaction (not
editing or removing any previous transactions)”.
e In essence therefore the difference would appear to turn on whether FJ can alter or delete records (a)
at all; and (b) if the answer to (a) is yes, and it does so, is there a visible audit trail? My understanding
of Deloitte’s initial findings is that the answer to (a) is yes and to (b) is ‘not necessarily’.
3. Assuming the above is correct, we must then consider how to position our statement in the response to
Freeths.
For the avoidance of doubt, I understand the proposed statement to be:
“Database and server access and edit permission is provided, within strict controls, to a small, controlled number
of specialist Fujitsu personnel. Use of these permissions is logged but rare. [ Enquiries are continuing as to
whether this particular form of access could be used to affect a branch's accounts, and if so, whether this has
happened.]”
The challenge is whether we include the final sentence in square brackets. While this is the key issue from a legal
perspective as it goes to causation, the statement flags that we are concerned enough about it that we are doing
further work on it. So, my question is do we really need the final sentence? If as a result of the Deloitte work we
discover that the actual position is different from that which we have said already, then we will need to correct it in
any event. Do we gain anything by flagging the fact of this work now?
Separately, Paula has suggested that she speaks to the UK CEO of Fujitsu (Duncan Tait), and my suggestion would
be that she:
e alerts him to the fact and timing of the response letter
* notes that the question of remote access is still a live issue and major concern to the claimants
¢ notes the work being undertaken by Deloitte to review access rights and controls,
* expresses the desire that FJ [continue to] work constructively with Deloitte, and
e — flags that if the Deloitte work uncovers a different position to that which FJ and PO have publicly stated
over the years, then we will need to consider carefully how to manage the impact given that ultimately,
the outcome of such work will become public.
WBD_000318.000003
WBON0000448
WBON0000448
I'd be grateful for your thoughts.
PO team — the above is to keep you informed. In light of the sensitivity of the issues please do not forward Any
questions should be addressed to Andy, Rod or me in order to preserve privilege.
Thanks,
Jane
O Jane MacLeod
General Counsel
Ground Floor.
20 Finsbury Street
LONDON
EC2Y 9AQ
Mobile number:
From: Mark Underwood1
Sent: 19 July 2016 11:13
To: Patrick Bourke; Jane MacLeod; Rodric Williams
Cc: Parsons, Andrew
Subject: FW: Strictly Private & Confidential - Subject to Privilege ariosing from M008 - Rivenhall
In reading through the LOR and pulling together bits for it, I stumbled across the below email for James Davidson
(then of Fujitsu)
I thought I would share as it may prove useful further down the line — depending where we get to with Deloitte on
‘Remote Access’.
Mark
From: Mark Underwood1
Sent: 08 December 2015 12:42
To: Mark Underwood1
Subject: FW: Strictly Private & Confidential - Subject to Privilege ariosing from M008 - Rivenhall
From: Davidson James
Sent: 17 April 2014 16:27
To: Rodric Williams
Cc: Harvey Michael; Newsome Pete
Subject: RE: Strictly Private & Confidential - Subject to Privilege
Rodric,
Please see Fujitsu’s response below.
Summary:
e — There is no ability to delete or change records a branch creates in either old Horizon or Horizon online.
Transactions in both systems are created in a secure and auditable way to assure integrity, and have either
a checksum (Old Horizon) or a digital signature (Horizon Online), are time stamped, have a unique
sequential number and are securely stored via the core audit process in the audit vault
* Whilst a facility exists to ‘inject’ additional transactions in the event of a system error, these transactions
would have a signature that is unique, sub-postmaster id’s are not used and the audit log would house a
record of these. As above, this does not delete or amend original transactions but creates a new and
additional transactions
WBD_000318.000004
WBON0000448
WBON0000448
e — This facility is built into the system to enable corrections to be made if a system error / bug is identified
and the master database needs updating as a result, this is not a unique feature of Horizon
e — Approvals to ‘inject’ new transactions are governed by the change process, 2 factor authentications and a
“four eyes’ process. A unique identifier is created and can be audited for this type of transaction within
HNGxX, Horizon would require more extensive work to investigate as explained below.
1. Can Post Office change branch transaction data without a subpostmaster being aware of the change? No
2. Can Fujitsu change branch transaction data without a subpostmaster being aware of the change? Once
created, branch transaction data cannot be changed, only additional data can be inserted. If this is
required, the additional transactions would be visible on the trading statements but would not require
acknowledgement / approval by a sub-postmaster, the approval is given by Post Office via the change
process. In response to a previous query Fujitsu checked last year when this was done on Horizon Online
and we found only one occurrence in March 2010 which was early in the pilot for Horizon Online and was
covered by an appropriate change request from Post Office and an auditable log. For Old Horizon, a
detailed examination of archived data would have to be undertaken to look into this across the lifetime of
use. This would be a significant and complex exercise to undertake and discussed previously with Post
Office but discounted as too costly and impractical.
3. If not, where is the evidence for this conclusion? See Answer 2
4. If so:
a) How does this happen? See above
b) Why was this functionality built into the system design? To allow for data to be corrected if there
were any defects found in the system
c) Why would Fujitsu need to use this functionality? As above and under instructions from Post
Office Ltd.
d) What controls are in place to prevent the unauthorised use of this method of access? This is
achieved through a number of industry standard controls (RBAC, 2 factor authentication etc)
which are robustly audited under ISO 27001 / IAS 3402, Link, PCI.
e) When has branch data been accessed in this way in the past? See above
5. In relation to the Winn/Lusher email:
a) What is "message store"?This is the repository (or database) where all transactions were written
to in the old Horizon system
b) Can this be used to access and change branch records? /t can be used to access the records. Data
cannot be changed, but new data could be inserted into it. Any such inserted data would be
tightly controlled by operational processes explained above.
c) What is the "impact" of this change on branch records? The impact would depend on exactly
what records were inserted.
d) Would the subpostmaster be aware of this change? Yes, via the trading statement but spm’s are
not required to approve the change, this is provided by Post Office.
e) Why would this method of access be used? To correct errors if a software defect is identified.
f) What controls are in place to prevent misuse of this method of access? As above.
Regards,
James Davidson
Post Office
WBD_000318.000005
Fujitsu
Lovelace Read. Bracknell, R612 8SN
‘GRO i
Fujitsu is proud to partner with Shelter, the housing and homeless charity
Reshaping ICT, Reshaping Business in partnership with FT.com
& Please consider the environment - do you really need to print this email?
From: Rodric Williams [mailto!
Sent: 17 April 2014 15:25
To: Davidson James
Subject: RE: Strictly Private & Confidential - Subject to Privilege
Thanks James.
Rodi Litigation Lawyer
148 Old Street, LONDON, ECIV 9HQ
Post Office stories
@postofficenews
©OHOOO®
marae
Sent: 17 April 2014 14:02
To: Rodric Williams
Subject: RE: Strictly Private & Confidential - Subject to Privilege
Rodric,
WBON0000448
WBON0000448
Just to update, I have a response in draft following a review the technical guys. I have passed this to legal for
review and expect this back this pm. Will advise as soon as I have the go ahead to release.
Regards,
James Davidson
Post Office
Fujitsu
fou
oG«
Fujitsu is proud to partner with Shelter, the housing and homeless charity
Reshaping ICT, Reshaping Business in partnership with FT.com
= Please consider the environment - do you really need to print this email?
WBD_000318.000006
WBON0000448
WBON0000448
From: Rodric Williams [mailto
Sent: 14 April 2014 15:59
To: Davidson James
Subject: Strictly Private & Confidential - Subject to Privilege
James,
Could Fujitsu please answer the questions below so that we can respond to a specific challenge put to us by
Second Sight in connection with a Mediation Scheme complaint, namely that:
“the Andy Winn/Alan Lusher email in the case of Ward [...] explicitly states that Fujitsu can remotely change the
figures in the branches without the SPMs’ knowledge or authority".
The Winn/Lusher email is attached. The part of the email in question is:
“Fujitsu have the ability to impact branch records via the message store but have extremely rigorous procedures in
place to prevent adjustments being made without prior authorisation - within POL and Fujitsu these controls form
the core of our court defence if we get to that stage.”
Questions:
6. Can Post Office change branch transaction data without a subpostmaster being aware of the change?
7. Can Fujitsu change branch transaction data without a subpostmaster being aware of the change?
8. If not, where is the evidence for this conclusion?
9. If so:
a) How does this happen?
b) Why was this functionality built into the system design?
c) Why would Fujitsu need to use this functionality?
d) What controls are in place to prevent the unauthorised use of this method of access?
e) When has branch data been accessed in this way in the past?
10. In relation to the Winn/Lusher email:
a) What is "message store"?
b) Can this be used to access and change branch records?
c) What is the "impact" of this change on branch records?
d) Would the subpostmaster be aware of this change?
e) Why would this method of access be used?
f) What controls are in place to prevent misuse of this method of access?
Please let me know if it would be easier to address these in a phone call in the first instance.
Kind regards, Rodric
Rodric Williams I Litigation Lawyer
148 Old Street, LONDON, EC1V 9HQ
Office
©OOOGO®
@postofficenews
WBD_000318.000007
WBON0000448
WBON0000448
——————
This email and any attachments are confidential and intended for the addressee only. If you are not the named
recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have
received this in error, please contact the sender by reply email and then delete this email from your system. Any views
or opinions expressed within this email are solely those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET,
LONDON EC1V 9HQ.
Unless otherwise stated, this email has been sent from Fujitsu Services Limited, from Fujitsu (FTS) Limited,
or from Fujitsu Telecommunications Europe Limited, together "Fujitsu".
This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and
may be privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it
is virus-free.
Fujitsu Services Limited, registered in England No 96056, registered office 22 Baker Street, London W1U
3BW.
Fujitsu (FTS) Limited, registered in England No 03808613, registered office 22 Baker Street, London W1U
3BW.
PFU Imaging Solutions Europe Limited, registered in England No 1578652, registered office Hayes Park
Central, Hayes End Road, Hayes, Middlesex, UB4 8FE.
Fujitsu Telecommunications Europe Limited, registered in England No 2548187, registered office Solihull
Parkway, Birmingham Business Park, Birmingham, B37 7YU.
This email and any attachments are confidential and intended for the addressee only. If you are not the named
recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have
received this in error, please contact the sender by reply email and then delete this email from your system. Any views
or opinions expressed within this email are solely those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET,
LONDON EC1V 9HQ.
Unless otherwise stated, this email has been sent from Fujitsu Services Limited, from Fujitsu (FTS) Limited,
or from Fujitsu Telecommunications Europe Limited, together "Fujitsu".
This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and
may be privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it
is virus-free.
Fujitsu Services Limited, registered in England No 96056, registered office 22 Baker Street, London W1U
3BW.
Fujitsu (FTS) Limited, registered in England No 03808613, registered office 22 Baker Street, London W1U.
3BW.
PFU Imaging Solutions Europe Limited, registered in England No 1578652, registered office Hayes Park
WBD_000318.000008
WBON0000448
WBON0000448
Central, Hayes End Road, Hayes, Middlesex, UB4 8FE.
Fujitsu Telecommunications Europe Limited, registered in England No 2548187, registered office Solihull
Parkway, Birmingham Business Park, Birmingham, B37 7YU.
JES OSES CICS AG IACI GEIS IG SIE IGRICICCORI TC IACICCICI ICICI ACACIA ACI AAA
This email and any attachments are confidential and intended for the addressee only. If you are not the
named recipient, you must not use, disclose, reproduce, copy or distribute the contents of this
communication. If you have received this in error, please contact the sender by reply email and then delete
this email from your system. Any views or opinions expressed within this email are solely those of the
sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: Finsbury
Dials, 20 Finsbury Street, London EC2Y 9AQ.
ZS EES SISISE SSIES SSIES OSIES I GEIEISII ASI AICI ISIC KIC KIS I AIK AAI Acai acai ok a aca ak o
Please consider the environment! Do you need to print this email?
nd any attachments is confidential a
The information in this e-mail privileged and protected by law, jane,macleodt” nly is authorised to
access this e-mail and any attachments. If you are not jane.macle ‘GRO. J, please notify andrew,parsong ‘GRO. $5 Soir 4 Possible and delete any
copies. Unauthorised use, dissemination, distribution, publication oF copying of this communication or attachments 1s prohibited and may be unlawful
es attached to this e-mail will have b ed by us with virus detection software before transmission, Bond Dickinson LLP accepts no liability for any loss or
ie which may be caused by software viruses and you should carry out your own virus checks before opening any attachment
Content of this email which does not relate to the official business of Bond Dickinson LLP, is neither given nor endorsed by it.
This email is sent by Bond Dickinson LLP which is a bility partnership registered in Eng
London Riverside, London, SE1 2AU, where a list of members’ names is open to inspection. We
consultant who is of equivalent standing. Our VAT registration number is GB123393627.
and Wales under number 0C317661. Our registered office is 4 More
term partner to refer to a member of the LLP, or an employee or
Bond Dickinson LLP is authorised and regulated by the Solicitors Regulation Authority
WBD_000318.000009