WBONO0000852
WBON0000852
From: "Parsons, Andrew": GRO. i
To: Angela Van-Den-Bogerd } GRO H
Ce: Rodric Williams! GRO H
Subject: RE: Strictly Private & Confidential - Subject to Privilege [BD-4A.FID20472253]
Date: Fri, 9 May 2014 15:01:05 +0000
Importance: Normal
Inline-Images: image001 jpg; image002.jpg; image003.jpg; image004 jpg; image005.png;
image006.png; image007.png; image008.png; image009. gif; image010.gif;
image011.png; image012.png; image013.png; image014.png; image015.png
Angela
I spoken to Rodric. The interim answer to SS' question is:
. As requested at the WG meeting Post Office are asked to produce a formal certification that it is not
possible for anyone to access Horizon/HOL and amend transaction data without the knowledge of the
Subpostmaster or their staff.
“It is not clear what is meant by "formal certification" but enquiries have been made of senior personnel at
Fujitsu and in Post Office's IT team. There is no functionality in the Horizon system (through either a front-end
terminal or back-end server) to edit or delete transaction data once it has been transmitted from a branch to
the central branch data centre. The transmission of this data is encrypted, transferred to the branch data
centre and then stored in a separate audit server where they are sealed using industry standard secure
protocols to ensure the data's integrity. Although it is possible to input additional transactions into a branch's
accounts (eg. by way of say a transaction correction), a SPMR will always have visibility of these extra
transactions as they are shown separately in the branch's accounts. A more detailed note will follow on this
subject but this won't be ready before the Factfile needs to be submitted”.
Kind regards
Andy
Andrew Parsons
Senior Associate
for and on behalf of Bond Dickinson LLP
Direct:
Mobile:
Fax:
Follow Bond Dickinson:
Blin}
www.bonddickinson.com
From: Rodric Williams: GRO Hl
Sent: 09 May 2014 15:35"
To: Parsons, Andrew
Cc: Angela Van-Den-Bogerd
Subject: RE: Strictly Private & Confidential - Subject to Privilege [BD-4A.FID20472253]
Andy — pls give me a call.
Thanks, Rodric
Rodric Williams I Litigation Lawyer
148 Old Street, LONDON, EC1V 9HQ
WBD_000722.000001
WBONO0000852
WBON0000852
Post Office stories
@postofficenews
©O®O©GO
From: Parsons, Andrew: __
Sent: 09 May 2014 14:31
To: Rodric Williams
Cc: Angela Van-Den-Bogerd
Subject: RE: Strictly Private & Confidential - Subject to Privilege [BD-4A.FID20472253]
Rodric
Have you had a chance to look at the attached note? SS are now pushing for this answer so that they can build it into
the factfile so we need an answer asap.
The question posed by SS is:
. As requested at the WG meeting Post Office are asked to produce a formal certification that it is not
possible for anyone to access Horizon/HOL and amend transaction data without the knowledge of the
Subpostmaster or their staff.
I wonder if, as a holding response, we could say:
"It is not clear what is meant by "formal certification" but enquiries have been made of senior personnel at Fujitsu and
in Post Office's IT team. There is no functionality in the Horizon system (through either a front-end terminal or back-
end server) to edit or delete transaction data once it has been transmitted from a branch to the central branch data
centre. The transmission of this data is encrypted, transferred to the branch data centre and then stored in a separate
audit server where they are sealed using industry standard secure protocols to ensure the data's integrity. Although it
is possible to input additional transactions into a branch's accounts (eg. by way of say a transaction correction) but a
SPMR will always have visibility of these extra transactions as they are shown separately in the branch's accounts. A
more detailed note will follow on this subject but this won't be ready before the Factfile needs to be submitted".
Kind regards
Andy
Andrew Parsons
Senior Associate
for and on behalf of Bond Dickinson LLP
Follow Bond Dickinson:
Blin)
www.bonddickinson.com
From: Parsons, Andrew
Sent: 22 April 2014 15:42
To: Rodric Williams
Subject: RE: Strictly Private & Confidential - Subject to Privilege [BD-4A.FID20472253]
Rodric
First draft of the note attached — thoughts?
WBD_000722.000002
WBONO0000852
WBON0000852
I've intentionally not referred to the "Winn/Lusher" email as it distracts from what is otherwise a very clear picture.
I suggest that you, me and FJ get the attached doc near to final form before we escalate to Angela, Chris and Belinda
for approval. It is probably then best that this document is sent by Angela to SS.
My hope is that this will hopefully put this matter to bed with SS and we will not need to escalate to the WG. However,
we'll not know that answer until we see the SS thematic report.
A
Andrew Parsons
Senior Associate
for and on behalf of Bond Dickinson LLP
Direct: i
2. GRO
Fax: :
Follow Bond Dickinson:
Blin)
www.bonddickinson.com
From: Rodric Williams:
Sent: 22 April 2014 12:28
To: Parsons, Andrew
Subject: RE: Strictly Private & Confidential - Subject to Privilege [BD-4A.FID20472253]
Sounds good — thanks. Do we cc Tony/Working Group?
Rodric Williams I Litigation Lawyer
©O0BOOGO®
@postofficenews
From: Parsons, Andrew } GRO__
Sent: 22 April 2014 12:27
To: Rodric Williams
Subject: RE: Strictly Private & Confidential - Subject to Privilege [BD-4A.FID20472253]
Rodric
I suggest that I draft this information into a formal response to go from POL to SS — do you agree?
Kind regards
Andy
Andrew Parsons
Senior Associate
for and on behalf of Bond Dickinson LLP
WBD_000722.000003
WBONO0000852
WBON0000852
Follow Bond Dickinson:
Blin)
www.bonddickinson.com
From: Rodric Williams! GRO 1
Sent: 22 April 2014 12:04
To: Parsons, Andrew
Subject: FW: Strictly Private & Confidential - Subject to Privilege
Andy — please see FJ response to the questions we put to them on the “Andy Winn/Alan Lusher email”.
Where does this take us?
Kind regards, Rodric
Rodric Williams I Litigation Lawyer
148 Old Street, LONDON, EC1V 9HQ
Post Office Stories
@postofficenews
©OOGO®
From: Davidson Jame: GRO i
Sent: 17 April 2014 1
To: Rodric Williams
Cc: Harvey Michael; Newsome Pete
Subject: RE: Strictly Private & Confidential - Subject to Privilege
Rodric,
Please see Fujitsu’s response below.
Summary:
e There is no ability to delete or change records a branch creates in either old Horizon or Horizon online.
Transactions in both systems are created in a secure and auditable way to assure integrity, and have either
a checksum (Old Horizon) or a digital signature (Horizon Online), are time stamped, have a unique
sequential number and are securely stored via the core audit process in the audit vault
e Whilst a facility exists to ‘inject’ additional transactions in the event of a system error, these transactions
would have a signature that is unique, sub-postmaster id’s are not used and the audit log would house a
record of these. As above, this does not delete or amend original transactions but creates a new and
additional transactions
e — This facility is built into the system to enable corrections to be made if a system error / bug is identified
and the master database needs updating as a result, this is not a unique feature of Horizon
WBD_000722.000004
WBONO0000852
WBON0000852
e Approvals to ‘inject’ new transactions are governed by the change process, 2 factor authentications and a
“four eyes’ process. A unique identifier is created and can be audited for this type of transaction within
HNGxX, Horizon would require more extensive work to investigate as explained below.
1. Can Post Office change branch transaction data without a subpostmaster being aware of the change? No
2. Can Fujitsu change branch transaction data without a subpostmaster being aware of the change? Once
created, branch transaction data cannot be changed, only additional data can be inserted. If this is
required, the additional transactions would be visible on the trading statements but would not require
acknowledgement / approval by a sub-postmaster, the approval is given by Post Office via the change
process. In response to a previous query Fujitsu checked last year when this was done on Horizon Online
and we found only one occurrence in March 2010 which was early in the pilot for Horizon Online and was
covered by an appropriate change request from Post Office and an auditable log. For Old Horizon, a
detailed examination of archived data would have to be undertaken to look into this across the lifetime of
use. This would be a significant and complex exercise to undertake and discussed previously with Post
Office but discounted as too costly and impractical.
3. If not, where is the evidence for this conclusion? See Answer 2
4, If so:
a)
b)
c)
d)
e)
How does this happen? See above
Why was this functionality built into the system design? To allow for data to be corrected if there
were any defects found in the system
Why would Fujitsu need to use this functionality? As above and under instructions from Post
Office Ltd.
What controls are in place to prevent the unauthorised use of this method of access? This is
achieved through a number of industry standard controls (RBAC, 2 factor authentication etc)
which are robustly audited under ISO 27001 / IAS 3402, Link, PCI.
When has branch data been accessed in this way in the past? See above
5. In relation to the Winn/Lusher email:
a)
b)
c)
d)
e)
f)
Regards,
James Davidson
Post Office
Fujitsu
What is "message store"?This is the repository (or database) where all transactions were written
to in the old Horizon system
Can this be used to access and change branch records? /t can be used to access the records. Data
cannot be changed, but new data could be inserted into it. Any such inserted data would be
tightly controlled by operational processes explained above.
What is the "impact" of this change on branch records? The impact would depend on exactly
what records were inserted.
Would the subpostmaster be aware of this change? Yes, via the trading statement but spm’s are
not required to approve the change, this is provided by Post Office.
Why would this method of access be used? To correct errors if a software defect is identified.
What controls are in place to prevent misuse of this method of access? As above.
WBD_000722.000005
Lf] CR gin
Fujitsu is proud to partner with Shelter, the housing and homeless charity
Reshaping ICT, Reshaping Business in partnership with FT.com
= Please consider the environment - do you really need to print this email?
From: Rodric Williams’, GRO
Sent: 17 April 2014 15:25
To: Davidson James
Subject: RE: Strictly Private & Confidential - Subject to Privilege
Thanks James.
Rodric g: tion Lawyer
148 Old Street, LONDON, ECIV 9HQ
Post Office stor
@postofficenews
iS)
©
©
@
©
From: Davidson Jame:
Sent: 17 April 2014 14:02
To: Rodric Williams
Subject: RE: Strictly Private & Confidential - Subject to Privilege
Rodric,
WBONO0000852
WBON0000852
Just to update, I have a response in draft following a review the technical guys. I have passed this to legal for
review and expect this back this pm. Will advise as soon as I have the go ahead to release.
Regards,
James Davidson
Post Office
Fujitsu
Lovelace Road, Bracknell, RG12 8SN
oO «
Fujitsu is proud to partner with Shelter, the housing and homeless charity
Reshaping ICT, Reshaping Business in partnership with FT.com
= Please consider the environment - do you really need to print this email?
From: Rodric Williams:
Sent: 14 April 2014 1!
WBD_000722.000006
WBONO0000852
WBON0000852
To: Davidson James
Subject: Strictly Private & Confidential - Subject to Privilege
James,
Could Fujitsu please answer the questions below so that we can respond to a specific challenge put to us by
Second Sight in connection with a Mediation Scheme complaint, namely that:
"the Andy Winn/Alan Lusher email in the case of Ward [...] explicitly states that Fujitsu can remotely change the
figures in the branches without the SPMs’ knowledge or authority".
The Winn/Lusher email is attached. The part of the email in question is:
“Fujitsu have the ability to impact branch records via the message store but have extremely rigorous procedures in
place to prevent adjustments being made without prior authorisation - within POL and Fujitsu these controls form
the core of our court defence if we get to that stage.”
Questions:
6. Can Post Office change branch transaction data without a subpostmaster being aware of the change?
7. Can Fujitsu change branch transaction data without a subpostmaster being aware of the change?
8. If not, where is the evidence for this conclusion?
9. If so:
a) How does this happen?
b) Why was this functionality built into the system design?
c) Why would Fujitsu need to use this functionality?
d) What controls are in place to prevent the unauthorised use of this method of access?
e) When has branch data been accessed in this way in the past?
10. In relation to the Winn/Lusher email:
a) What is "message store"?
b) Can this be used to access and change branch records?
c) What is the "impact" of this change on branch records?
d) Would the subpostmaster be aware of this change?
e) Why would this method of access be used?
f) What controls are in place to prevent misuse of this method of access?
Please let me know if it would be easier to address these in a phone call in the first instance.
Kind regards, Rodric
Rodric Williams I Litigation Lawyer
148 Old Street, LONDON, EC1V 9HQ
©O0BOGO®
@postofficenews
WBD_000722.000007
WBONO0000852
WBON0000852
This email and any attachments are confidential and intended for the addressee only. If you are not the named
recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have
received this in error, please contact the sender by reply email and then delete this email from your system. Any views
or opinions expressed within this email are solely those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET,
LONDON EC1V 9HQ.
Unless otherwise stated, this email has been sent from Fujitsu Services Limited, from Fujitsu (FTS) Limited,
or from Fujitsu Telecommunications Europe Limited, together "Fujitsu".
This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and
may be privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it
is virus-free.
Fujitsu Services Limited, registered in England No 96056, registered office 22 Baker Street, London W1U
3BW.
Fujitsu (FTS) Limited, registered in England No 03808613, registered office 22 Baker Street, London W1U
3BW.
PFU Imaging Solutions Europe Limited, registered in England No 1578652, registered office Hayes Park
Central, Hayes End Road, Hayes, Middlesex, UB4 8FE.
Fujitsu Telecommunications Europe Limited, registered in England No 2548187, registered office Solihull
Parkway, Birmingham Business Park, Birmingham, B37 7YU.
This email and any attachments are confidential and intended for the addressee only. If you are not the named
recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have
received this in error, please contact the sender by reply email and then delete this email from your system. Any views
or opinions expressed within this email are solely those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET,
LONDON EC1V 9HQ.
Unless otherwise stated, this email has been sent from Fujitsu Services Limited, from Fujitsu (FTS) Limited,
or from Fujitsu Telecommunications Europe Limited, together "Fujitsu".
This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and
may be privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it
is virus-free.
Fujitsu Services Limited, registered in England No 96056, registered office 22 Baker Street, London W1U
3BW.
Fujitsu (FTS) Limited, registered in England No 03808613, registered office 22 Baker Street, London W1U.
3BW.
PFU Imaging Solutions Europe Limited, registered in England No 1578652, registered office Hayes Park
Central, Hayes End Road, Hayes, Middlesex, UB4 8FE.
WBD_000722.000008
WBONO0000852
WBON0000852
Fujitsu Telecommunications Europe Limited, registered in England No 2548187, registered office Solihull
Parkway, Birmingham Business Park, Birmingham, B37 7YU.
This email and any attachments are confidential and intended for the addressee only. If you are not the named
recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have
received this in error, please contact the sender by reply email and then delete this email from your system. Any views
or opinions expressed within this email are solely those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET,
LONDON EC1V 9HQ.
Please consider the environment! Do you need to print this email?
The information in this e-mail and any attachments is confidential and may be legally privileged and protected by law. god aly is authorised to
access this e-mail and any attachments. If you are not rodric. williams GRO} please notify andrew.parson¢ ‘GRO Tas soon as possible and delete any
copies. Unauthorised use, dissemination, distribution, publication or COpyig OF is Communication or attachments is Prohibited and’ Way Be unlawful
Any files attached to this e-mail will have been checked by us with virus detection software before transmission, Bond Dickinson LLP accepts no liability for any loss or
damage which may be caused by software viruses and you should carry out your own virus checks before opening any attachment.
Content ofthis email which does not relate to the official business of Bond Dickinson LLP, is neither given nor endorsed by it
This email is sent for and on behalf of Bond Dickinson LLP which is a limited liability partnership 1 1nd and Wales under number 0C317661. Our registered
office is St Ann’s Wharf, 112 Quayside, Neweastle Upon Tyne, NEI 3DX, where alist of members’ names is pection. We use the term partner to refer to.a member
of the LLP, or an employee or consultant who is of equivalent standing. Our VAT registration number is GBI2:
Bond Dickinson LLP is authorised and regulated by the Solicitors Regulation Authority
This email and any attachments are confidential and intended for the addressee only. If you are not the named
recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have
received this in error, please contact the sender by reply email and then delete this email from your system. Any views
or opinions expressed within this email are solely those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET,
LONDON EC1V 9HQ.
This email and any attachments are confidential and intended for the addressee only. If you are not the named
recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have
received this in error, please contact the sender by reply email and then delete this email from your system. Any views
or opinions expressed within this email are solely those of the sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET,
LONDON EC1V 9HQ.
WBD_000722.000009