WBON0001044
WBON0001044
Confidential and subject to litigation privilege @
Rider: Remote Access
Section 5(B) — in relation to the factual allegation about remote access
11 The Letter of Claim makes a number of imprecise references to the idea that Horizon does not
accurately record branch transactions or that Post Office has to edited branch transaction data so
to make it inaccurate.' We repeat our above points about the need for your clients to provide
proper particulars of these allegations if they are to be maintained.
1.2 There are a number of controls and processes in place to protect the integrity of data within
Horizon. These include:
1.2.1 Each basket of transactions must balance to zero (ie. the value of goods and services
vended much match the payments made / taken from the customer) otherwise the
basket will not be accepted by the counter terminal in branch. This ensures that only
complete baskets are recorded.
1.2.2 Counter transactions are committed atomically (ie. a transaction is either successful in
its entirety or it is not successful at all).
1.2.3 A unique Journal Sequence Number is applied to “digitally sign” every counter
transaction. This allows missing or duplicate transactions to be detected and
remedied.
1.2.4 Transaction data is stored in a central "audit store" which has controls to ensure the
permanency of data and a data retrieval process which validates data integrity.
1.3 The majority of transactions that make up the branch accounts are generated in branch. There
are however four ways in which Post Office (or Fujitsu on Post Office's instruction) can influence
those accounts:
1.3.1 Transactions originating at Post Office. A small number of "transactions" are
generated by Post Office and sent to branches, namely transaction corrections,
transaction acknowledgements and remittances of cash / stock into a branch.? The
key control over these transactions is that they must be approved in branch (by the
postmaster or his assistants) before they form part of the branch accounts. These
types of transactions are used on a daily basis and are known to all postmasters.
1.3.2 Global Users. Global Users are setup by default on Horizon in every branch. These
are user accounts for Post Office staff to use when undertaking activity in a branch,
such as training or audits. It is possible for these Global Users to conduct transactions
within a branch's accounts. However, this access is only possible if the user is
physically in the branch using a local terminal and the transactions would be recorded
against the Global User ID.*
1.3.3 Balancing transactions. Fujitsu (not Post Office) has the capability to inject a new
"transaction" into a branch's accounts. This is called a balancing transaction.4 The
balancing transaction was principally designed to correct any errors caused by a
technical issue in Horizon: an accounting or operational error would typically be
corrected by way of a transaction correction. A balancing transaction can add a
1
2 See paragraph 7.16 onward in Second Sight's Part One Report for a more detailed explanation of these
processes.
3 Strictly speaking, the Global User ID should be used to generate a new unique ID for the Post Office
staff member and the new ID would then be used for training, audits, etc.
4 The use of balancing transactions was explained to Second Sight and is referenced in its Part Two
Report at paragraph 14.16.
4A_33436357_1 1
WBD_000914.000001
WBON0001044
WBON0001044
transaction to the branch's accounts but it cannot edit or delete other data in those
accounts. Balancing Transactions only exist within Horizon Online (not Old Horizon)
and so have only been in use since around 2010. Their use is logged within the
system. As far as Post Office is aware a balancing transaction has only been used
once’ to correct a single branch's accounts.® This was not a Claimant's branch.
1.3.4 Access to databases. There are a small number of persons at Fujitsu (not Post
Office) who have special permissions to access and edit, within strict controls, the core
databases that sit behind Horizon. Use of these permissions is logged and so it is.
believed that there would be an audit trail of any activity undertaken using these
permissions. Enquiries are continuing as to whether this access could be used to
affect a branch's accounts but we currently understand that, even if this is possible, it
would be a difficult and time consuming process. Moreover, given the above methods
open to Post Office to deal with errors in a branch's accounts, the use of this access to
amend a branch's accounts would be extremely rare — indeed, Post Office is making
enquiries as to whether it has ever happened.
1.4 During the Scheme, it was alleged that Post Office had the ability to "remotely access" Horizon in
order to conduct transactions. This allegation is understood to mean that a Post Office (or
Fujitsu) employee could log on to a terminal in a branch from a different location outside the
branch and conduct customer transactions. To be clear: this is not possible.
1.5 Ultimately, no postmaster going through the Scheme was able to point to a particular transaction
that they believed had been created, edited or deleted by Post Office without their consent.
Second Sight similarly could not find any evidence of this. Finally, you have presented no
evidence that mis-use of any of the above processes by Post Office was the cause of a shortfall
in a Claimant's branch.
1.6 Post Office maintains that the combination of technical controls in Horizon and operational
controls at Post Office and in branch (including the need for postmasters to diligently monitor
their branch accounts) provides satisfactory assurance that Horizon does accurately record the
transactions input by the Claimants (or their assistants).
Paragraph 8.5 — in relation to the allegation that Post Office concealed its remote access
capabilities and that therefore the limitation deadline should be extended
14
You assert four ways in which Post Office
allegedly concealed matters:
1.1.1 You say that Post Office's investigators disregarded problems with Horizon — a point
we have addressed above. We cannot see how ignoring an issue amounts to a
deliberate act of concealing information from your clients. If anything, by ignoring an
issue Post Office would not have had the information in the first place in order to
subsequently conceal it.
1.1.2 You say helpline operators persistently said to postmasters that "they were the only
one". No evidence has been advanced which shows that this statement was ever
made. The idea that there was some form of massive conspiracy orchestrated by Post
5 Several hundred other balancing transactions have been used but not in a manner that would affect
branch accounting. These were generally used to "unlock" a Stock Unit within a branch.
© This was in relation to one of the branches affected by the "Payments Mismatch” error described in
Schedule 6.
4A_33436357_1 2
WBD_000914.000002
WBON0001044
WBON0001044
Office to make all its helpline operators lie to postmasters using these exact words to
hide known problems is beyond ridiculous.
1.1.3 You say Post Office has acted obstructively in refusing to disclose certain information.
We have addressed Second Sight's particular requests for documents in Schedule 4
and this shows these requests were minor in the wider context. Against a background
where Post Office has handed over hundreds of thousands of documents to third
parties, including Second Sight and the CCRC, it is not sustainable to suggest that
Post Office has operated a system of mass suppression of documents. In any event,
we note Second Sight's views at the end of the Part Two Report:
"...we wish to place on record our appreciation for the hard work and
professionalism of Post Office’s in-house team of investigators, working for
Angela Van Den Bogerd, Post Office's Head of Partnerships.
Our work would have been much harder and taken much longer without the high
quality work carried out by this team. We have also received excellent support
from the administrative team set up by Post Office to support the Working
Group."7
These comments make clear that Post Office has been anything but obstructive.
i
7 Paragraphs 26.5 and 26.6
® Add XREF to Remote Access section
4A_33436357_1
WBD_000914.000003