WBON0000492
Postmaster Group Litigation
Confidential and legally privileged
DRAFT DEFENCE
HORIZON RELATED SECTIONS
Fujitsu
35. As to paragraph 20, Post Office has provided to the Claimants a copy of its contract with
Fujitsu dated 31 March 2016 (“the 2016 Fujitsu Contract”). The Claimants have not
identified any reasons for thinking that any other agreements between Post Office and Fujitsu
are required for them properly to plead their generic claims. Nor have the Claimants
identified any respects in which the redactions to the 2016 Fujitsu Contract have prejudiced
their ability to plead their case on the relationship between Post Office and Fujitsu. The
redactions were made in order to preserve commercially sensitive information and/or
because the redacted content was irrelevant to the issues in this case. Save as aforesaid,
paragraph 20 is admitted.
36. As to paragraph 21: [TO BE REVISITED ONCE WE HAVE RECEIVED THE
WRITTEN COMMENTS PROMISED BY FUJITSU]
(1)
(2) Paragraph 21.2 is admitted.
(3) As to paragraph 21.3, Fujitsu’s role includes identifying and remedying coding errors
and bugs in Horizon as pleaded in paragraph [XX] above. However, it is not its role to
change the transaction or accounting data on Horizon or to identify and remedy coding
errors or bugs in a manner that adversely affects such data. [TO DISCUSS — DID IT
4A_36289756_1 1
WBD_000362.000001
(4) As to paragraph 21.4, it is admitted that until 17 June 2014 Fujitsu provided a telephone
advice service to Post Office in relation to technical problems with the Horizon system
or equipment. This service was mainly used by Post Office staff (such as staff working
on the Helpline referred to in paragraph [XX] below), but sometimes Fujitsu staff
would have direct contact with third parties such as Subpostmasters in order to obtain a
better understanding of the problem on which it was asked to advise [CORRECT
SUMMARY?]. However, from 17 June 2014, this telephone advice service was
provided by [INSERT FULL NAME OF AOS].
Bugs, errors or defects in Horizon
37. As to paragraph 22:
(1) If and to the extent that the Claimants wish to assert that any of the shortfalls for which
they were held responsible were Horizon-generated shortfalls, it is for them to make
that distinct allegation and seek to prove it. Post Office notes that they do not make
the allegation in the GPoC. It further notes that, in paragraph 20 of their solicitors’
letter to Post Office’s solicitors dated 27 October 2016, the Claimants make it clear that
they do not allege that there is a systematic flaw in Horizon or indeed any flaw which
has caused any Claimant to be wrongly held responsible for any shortfall.
(2) It is denied that Post Office has unreasonably or otherwise failed to provide “obviously
relevant disclosure” in relation to bugs, errors or defects in Horizon. There has been no
order or application for disclosure and, in the premises set out above, there appears to
be no basis for providing such disclosure.
38. Paragraph 23 is embarrassing for its lack of particularity, in that (amongst other things) it does
not identify the errors, bugs or defects the Claimants rely on or how “large” their number was
or the period in which they are said to have occurred and nor does it identify the transaction
data that Fujitsu is alleged to have rebuilt, how “frequent” was the need to rebuild it or the
extent of the “risk of error” which is said to have been introduced. In the premises, Post
Office cannot plead to the first three sentences of this paragraph. However: [TO BE
(1) All IT systems experience software coding errors or bugs which require fixes to be
developed and implemented. Horizon is no exception. For a system of Horizon’s
scale, Post Office would characterise the number of errors or bugs in Horizon requiring
fixes as relatively low [CORRECT?]. In any event, as is noted in paragraph [XX]
below, there are robust measures in place for their detection, correction and
remediation.
(2) All IT systems involving the transmission of data over the internet experience data or
data packet errors during transmission and they routinely have protective measures in
place to prevent such errors creating any difference between the data transmitted and
the data received and retained by the recipient. Horizon has robust controls making it
extremely unlikely that transaction data input in a branch would be corrupted when
being transferred to, and stored in, Post Office's data centre in a manner that would not
be detected and remedied.
(3) Like all IT systems, Horizon has backups to guard against any loss of data due to local
hardware failure. Where hardware fails, the data on that hardware is recovered from
the backup. Post Office does not recognise the term “rebuild” and it does not accept
that there is a “frequent” need to recover data from backups.
(4) It is admitted that Fujitsu maintain a “Known Error Log”. This is not used by Post
Office and nor is it in Post Office’s control. To the best of Post Office’s information
and belief, the Known Error Log is a knowledge base document used by Fujitsu which
explains how to deal with, or work around, minor issues that can sometimes arise in
Horizon for which (often because of their triviality) system-wide fixes have not been
developed and implemented. It is not a record of software coding errors or bugs for
which system-wide fixes have been developed and implemented. To the best of Post
Office’s knowledge and belief, there are no issues in the Known Error Log that could
affect the accuracy of a branch's accounts or the secure transmission and storage of
transaction data. [THIS PARA SHOULD BE CHECKED CAREFULLY BY
39. In paragraph 24, the Claimants combine many allegations together. Post Office separates out
and addresses those allegations in paragraphs [XX] below. [EACH OF PARAS 40-43
40. As to paragraph 24.1, it is a truism that errors or bugs in an IT system and data or data packet
errors have the potential to create errors in the data held in that system. Horizon is no
exception. However, Horizon has at all material times included technical features and control
measures to reduce to an extremely low level the risk of an error in the transmission, replication
and storage of the transaction record data. These have varied from time to time and they
currently include the following:
(1) Horizon creates, transmits and stores transaction data in the form of “baskets”. A
basket is a complete transactional session between a customer and Post Office and may
include one, several or many individual transactions taking place within the same
session (for example (1) a cash deposit, (2) a purchase of stamps and (3) the payment of
a utility bill). Horizon will not accept a basket of transactions that does not net to zero
(i.e. the value of any sales is set off by the value of any payment made or received).
This reduces greatly the risk of any error in the data within any given basket.
(2) If a basket of transactions fails properly to complete its transmission to the central
database (because, for example, of a power loss), the system rejects any partial
transmission and requests the full basket from the branch terminal. This reduces greatly
the possibility of baskets of transactions failing to be recorded.
(3) At the point of a basket being accepted by Horizon, it is assigned a unique sequential
number (a “JSN”) that allows it to be identified relative to the other baskets
transmitted by that branch. This reduces greatly the risk of recording duplicate baskets
or there being a missing basket.
(4) Each basket is also given a digital signature, i.e. a unique code calculated by using
industry standard cryptography. If the data in the basket were to change after the
digital signature was generated, this would be apparent upon checking the digital
signature.
(5) Initial data integrity checks are undertaken when baskets are received at the Post Office
data centre from a branch. Baskets are then copied from the central database to the
Audit Store where a digital seal is then applied (the “Audit Store Seal”). If the baskets
and/or the data within the baskets were altered after the application of the Audit Store
Seal, this would be apparent when the baskets were extracted from the Audit Store.
(6) Horizon and the above controls are themselves subject to various audits and checks
including audits carried out by third parties.
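The controls in sub-paragraphs (1), (3) and (4) above can be pictured as three independent checks on a branch's stream of baskets. The following is an added illustration, not part of the pleading and not Horizon or Fujitsu code: the field names, key and sample baskets are constructed, and HMAC-SHA256 stands in for the digital signature, whose actual scheme this document does not specify.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; HMAC-SHA256 stands in for the signature

def canonical(basket):
    """Serialise the signed fields in a stable order."""
    body = {k: basket[k] for k in ("branch", "jsn", "lines")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(basket):
    return hmac.new(KEY, canonical(basket), hashlib.sha256).hexdigest()

def make_basket(branch, jsn, lines):
    basket = {"branch": branch, "jsn": jsn, "lines": lines}
    basket["sig"] = sign(basket)
    return basket

def check_baskets(baskets):
    """Check one branch's baskets in arrival order; return (jsn, finding) pairs."""
    findings, seen, last = [], set(), None
    for b in baskets:
        jsn = b["jsn"]
        # Any change to the signed fields after signing alters the recomputed tag.
        if not hmac.compare_digest(b.get("sig", ""), sign(b)):
            findings.append((jsn, "signature mismatch"))
        # Amounts are integer pence; a complete basket sums to zero.
        if sum(amount for _, amount in b["lines"]) != 0:
            findings.append((jsn, "does not net to zero"))
        # Sequence numbers expose replayed and missing baskets.
        if jsn in seen:
            findings.append((jsn, "duplicate JSN"))
        elif last is not None and jsn > last + 1:
            findings.append((jsn, "sequence gap"))
        seen.add(jsn)
        last = jsn if last is None else max(last, jsn)
    return findings

def sample_baskets():
    """Constructed sample data for a hypothetical branch 'B001'."""
    ok1 = make_basket("B001", 1, [["stamps", 500], ["cash received", -500]])
    ok2 = make_basket("B001", 2, [["utility bill", 4200], ["cash received", -4200]])
    gap = make_basket("B001", 4, [["stamps", 120], ["cash received", -120]])
    edited = make_basket("B001", 5, [["stamps", 500], ["cash received", -500]])
    edited["lines"] = [["stamps", 900], ["cash received", -900]]  # still nets to zero
    unbalanced = make_basket("B001", 6, [["stamps", 500], ["cash received", -400]])
    return [ok1, ok2, dict(ok2), gap, edited, unbalanced]

if __name__ == "__main__":
    for jsn, finding in check_baskets(sample_baskets()):
        print(jsn, finding)
```

The edited basket (JSN 5) still nets to zero and keeps its place in the sequence, so only the signature check reports it; each control covers a different failure.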
41. Further as to paragraph 24.1, in addition to the technical controls referred to above, there are
several operational procedures and practices conducted by Post Office and Subpostmasters
that serve to increase the reliability of the data stored in the central database as an accurate
record of the transactions effected on branch terminals. These currently include the
following:
(1) For many transaction types, Post Office compares its own transaction record against
the corresponding records held by Post Office clients. If an error in Horizon were to
result in the corruption of transaction data, this should be revealed by the comparison.
(2) There are detailed procedures in place to address the risk of data loss resulting from
interrupted sessions, power outages or telecommunications failures in branches. These
are set out [WHERE AND IN WHICH MANUAL ARE THESE SHOWN?] and
Horizon guides the system user through the recovery process (which includes
completing any transactions that are cut short). These procedures should prevent any
data errors arising from interrupted sessions, power outages and telecommunications
failures.
(3) The display of the transactions being effected on-screen at the branch terminal allows
the user of the system to identify any inconsistency between the information shown on
the screen and the transaction that the user has keyed into the system. If, for example,
a hypothetical bug in the terminal were to cause a key-strike on number 5 to be
recorded as an input of number 6, this would be detected rapidly by system users (given
the large number of system users and the huge number of transactions effected on
Horizon).
(4) The accounting and record-keeping obligations placed on Subpostmasters reduce the
risk of any errors going undetected. For example, there is an obligation for each branch
to produce a cash declaration every day, which increases the likelihood of promptly
detecting any overstatement or understatement of the cash position on Horizon. If a
Subpostmaster detects that an error has been made at an early stage, its cause is more
likely to be identified.
(5) Fujitsu operates industry standard processes for developing and updating Horizon and
for investigating and resolving any identified potential system errors.
42. As to paragraph 24.2, Post Office admits that, like all other IT systems, Horizon is not a
perfect system which has never had any errors or bugs. However, as indicated in paragraph
[XX] above, it has robust systems in place to identify them, fix them and correct their
consequences (if any).
43. As to paragraph 24.3:
(1) There have been occasions on which bugs or errors in Horizon have resulted in
discrepancies and thus shortfalls in some branch accounts, as outlined in Schedule 6 of
the Letter of Response. Without prejudice to the burden of proof, none of the
branches affected are branches for which the Claimants were responsible.
(2) On each occasion, both the bugs or errors and the resulting discrepancies in the
relevant branch accounts were corrected. Post Office took steps to ensure that it had
identified all branches affected by the bugs or errors and that no Subpostmaster was
ultimately held responsible for any resultant shortfalls. (Where the bugs or errors
resulted in net gains, however, Post Office typically allows Subpostmasters to retain
them.)
44. As to paragraph 24.4:
(1) Paragraph [XX] above is repeated.
(2) Paragraphs 4.1 to 4.5 of Schedule 6 to the Letter of Response relate to the so-called
Suspense Account Bug. Without prejudice to the burden of proof, none of the
branches affected by the Suspense Account Bug are branches for which the Claimants
were responsible.
(3) None of the Subpostmasters whose branches were affected by the Suspense Account
Bug was ultimately held responsible for the shortfalls that it generated. The Claimants
are therefore wrong to understand Post Office as having admitted that it “recovered
such alleged shortfalls from Subpostmasters”. Where Subpostmasters in the affected
branches had made good or settled centrally shortfalls that were later corrected, those
Subpostmasters received a payment or credit to the value of the shortfall.
Remote editing of branch transaction data
45. Paragraph 25 appears to be concerned with the deletion or editing of transaction data input
by or on behalf of Subpostmasters without the consent of the relevant Subpostmaster.
Accordingly, Post Office assumes that it is not concerned with transactions such as
Transaction Corrections which are sent to branches but must be accepted by or on behalf of
the Subpostmaster before forming part of his or her branch account. As to the circumstances
in which such transaction data can be altered without the consent of the Subpostmaster: [TO
(1) Neither Post Office nor Fujitsu has the ability to log on remotely to a Horizon terminal
in a branch so as to conduct transactions.
(2) A Post Office employee with “global user” authorisation can, when physically present
at a branch, use a terminal within the branch to add a transaction into the branch’s
accounts. The purpose of “Global User” authorization is to allow access to the systems
during training and/or audits. Any transactions effected by a Global User are
recorded against a Global User ID and are readily identifiable as such.
(3) Fujitsu (and not Post Office) has the ability to inject transactions into branch accounts
(since the introduction of Horizon Online in 2010, transactions of this sort have been
called “Balancing Transactions”). These transactions do not involve any removal or
amendment of the transactions entered at the branch. Their intended purpose is to
allow Fujitsu to correct errors or bugs in Horizon by introducing a new transaction to
cancel out the effect of an error or bug on a branch’s transaction data. They may only
be conducted by a small number of specialists at Fujitsu and only then used in
accordance with specific authorisation requirements. They are rarely used. To the best
of Post Office’s information and belief, only one Balancing Transaction has ever been
effected, and this was not in a branch operated by a Claimant. A Balancing Transaction
(4) There are a small number of Fujitsu specialists who have certain privileged user access
rights which they could in theory use to amend or delete the transaction data for a
branch. The intended purpose of privileged user rights is system support, not the
alteration of branch transaction data. To have abused those rights so as to alter branch
transaction data and conceal that this has happened would be an extraordinarily
difficult thing to do, involving complex steps (including the writing of sophisticated
computer programmes and circumvention of sophisticated control measures) which
would require months of planning and an exceptional level of technical expertise
THOSE PEOPLE?)]. Post Office has never consented to the use of privileged user
rights to alter branch data and, to the best of its information and belief, these rights
have never been used for this purpose.
(5) Post Office cannot conceive of a reason why any Fujitsu personnel would have sought
to add, inject, amend or delete any transactions in any branch accounts so as to create a
false shortfall. Post Office would never consent to any of them making changes to
branch accounts to generate false shortfalls, it would for all practical purposes be
impossible for any of them to generate significant shortfalls without detection and,
even if they were able to do so, they would be unable to take the benefit of such
shortfalls for themselves.
46. As to paragraph 26, the statements referred to therein are admitted. These statements were
made in [WHAT YEARS?]. The Post Office representatives who were responsible for the
making of these statements believed that they were true.
47. As to paragraph 27, it is admitted that there was a highly theoretical possibility that certain
Fujitsu personnel could abuse their privileged user rights so as to delete or edit branch
transaction data as described in paragraph [XX] above.
48. Paragraph 28 is noted. The alleged inferences are inappropriate and each of them is denied.
Post Office made the above statements in the context of complaints made during a mediation
scheme it set up to investigate and address concerns about Horizon. Some of those
complaints raised questions, in several different formulations and contexts, about whether
transaction data had been edited by Post Office or Fujitsu. These investigations revealed no
evidence of transaction data having been so edited. For example, there was an unfounded
claim by a particular Subpostmaster that he had in August 2008 observed a Fujitsu worker
passing transactions directly into the Horizon system and altering the recorded foreign
currency holdings of branches. This was alleged to have taken place in a basement of
Fujitsu’s premises in Bracknell. Post Office ascertained that no remote access or altering of
branch data had been possible from that location, which only housed a test environment for
Horizon.