WBON0001041
WBONO0001041
Confidential and subject to litigation privilege
Bond Dickingow
Rider: Remote Access
Section 5(B) — in relation to the factual allegation about remote access
11 The Letter of Claim makes a number of imprecise references to the idea that Horizon does not
accurately record branch transactions and that Post Office has concealed its ability to edit branch
data.’ We repeat our above points about the need for your clients to provide proper particulars of
these allegations if they are to be maintained.
1.2 There are a number of controls and processes in place to protect the integrity of data within
Horizon. These include:
1.2.1 Each basket of transactions must balance to zero (ie. the value of goods and services
vended much match the payments made / taken from the customer) otherwise the
basket will not be accepted by the counter terminal in branch. This ensures that only
complete baskets are recorded.
1.2.2 Counter transactions are committed atomically (ie. a transaction is either successful in
its entirety or it is not successful at all).
1.2.3 A unique Journal Sequence Number is applied to “digitally sign” every counter
transaction. This allows missing or duplicate transactions to be detected and
remedied.
1.2.4 Transactions data is stored in a central "audit store" which has controls to ensure the
permanency of data and a data retrieval process which validates data integrity.
1.3 During the Scheme, allegations about Post Office remotely accessing / editing branch data were
presented in many guises but always in vague terms. The different formulations of this allegation
that our client has seen are as follows:
1.3.1 Unrecognised transactions. Some postmasters alleged that transactions were being
conducted using a postmaster's user ID when a postmaster was not in the branch: the
inference being that Post Office must have been doing something untoward. On
investigation, it was found that there were no such transactions, that the postmaster
had in fact been conducting the transactions or that there had been password sharing
in the branch (ie. an assistant had been logging on as the postmaster and hence why
the postmaster could not recall the transactions conducted in their name).?
1.3.2 Remote access to terminals. It was alleged that Post Office had the ability to
"remotely access" a counter terminal in order to conduct transactions. This allegation
is understood to mean that a Post Office (or Fujitsu) employee could log on toa
terminal in a branch from a different location outside the branch. To be clear: this is
not possible.
1.3.3 Transaction data was generated or edited by Post Office / Fujitsu. The majority of
transactions that make up the branch accounts are generated in branch. A small
number of transactions are however generated by Post Office (such as transaction
corrections, balancing transactions, remittances of cash into a branch, etc.). There are
also a small number of users at Fujitsu who have special permissions to access and
edit, within strict controls, the core database tables that sit behind Horizon. These
processes may obviously affect branch accounts and, in some sense, could be
described as Post Office being able to edit branch records. However, some of these
processes are highly technical and rarely used (such as access to database tables)
1
2 See for example Spot Review 6.
4A_33436357_1 1
WBD_000911.000001
WBON0001041
WBONO0001041
and others (like transaction corrections) are everyday operational practices familiar to
many, if not all, postmasters.
1.3.4 "Global Users" altering branch accounts. Global Users are setup by default on
Horizon in every branch. These are user accounts for Post Office staff to use when
undertaking activity in a branch, such as training or audits. It is possible for these
Global Users to conduct transactions within a branch's accounts. However, this
access is only possible if the user is physically in the branch using a local terminal and
the transactions would be recorded against the Global User ID. This access could not
therefore be classed as "remote access" but could be seen, in a certain light, as an
example of Post Office having the ability to edit branch data.
1.4 Given this variety of issues, you need to be much more precise about what you are saying Post
Office is alleged to have done and why you believe that Post Office has allegedly misrepresented
the situation (including what was said, by whom, to whom, when and in what context, for each
individual Claimant).
1.5 Ultimately, no postmaster going through the Scheme was able to point to a particular transaction
that they believed had been remotely edited or deleted by Post Office. Second Sight similarly
could not find any evidence of this. Post Office maintains that the combination of technical
controls in Horizon and operational controls at Post Office and in branch (including the need for
postmasters to diligently monitor their branch accounts) provides satisfactory assurance that
Horizon does accurately record transactions.
Paragraph 8.5 — in relation to the allegation that Post Office concealed its remote access
capabilities and that therefore the limitation deadline should be extended
1.1
You assert four ways in which Post Office
allegedly concealed matters:
1.1.1 You say that Post Office investigators disregarded problems with Horizon — a point we
have addressed above. We cannot see how ignoring an issue amounts to a deliberate
act of concealing information from your clients. If anything, by ignoring an issue Post
Office would not have had the information in the first place in order to subsequently
conceal it.
1.1.2 You say helpline operators persistently said to postmasters that "they were the only
one". No evidence has been advanced which shows that this statement was ever
made. The idea that there was some form of massive conspiracy orchestrated by Post
Office to make all its helpline operators lie to postmasters using these exact words to
hide known problems is beyond ridiculous.
1.1.3 You say Post Office has acted obstructively in refusing to disclose certain information.
We have addressed Second Sight's particular requests for documents in Schedule 4
and this shows these requests were minor in the wider context. Against a background
where Post Office has handed over hundreds of thousands of documents to third
parties, including Second Sight and the CCRC, it is not sustainable to suggest that
Post Office has operated a system of mass suppression of documents. In any event,
we note Second Sight's views at the end of the Part Two Report:
3 Strictly speaking, the Global User ID is used to generate a new unique ID for the Post Office staff
member and the new ID would then be used for training, audits, etc.
4A_33436357_1 2
WBD_00091 1.000002
WBON0001041
WBONO0001041
"...we wish to place on record our appreciation for the hard work and
professionalism of Post Office's in-house team of investigators, working for
Angela Van Den Bogerd, Post Office's Head of Partnerships.
Our work would have been much harder and taken much longer without the high
quality work carried out by this team. We have also received excellent support
from the administrative team set up by Post Office to support the Working
Group." +
These comments make clear that Post Office has been anything but obstructive.
4 Paragraphs 26.5 and 26.6
5
4A_33436357_1
WBD_000911.000003