WBON0001672 - Rider: Remote Access Section 5(B) - Response to the factual allegation that Horizon does not record transaction accurately and/or that Post Office have been manipulating Horizon data

Evidence on official site

WBON0001672
WBON0001672

Confidential and subject to litigation privilege @

Rider: Remote Access

Section 5(B) — Response to the factual allegation that Horizon does not record transaction
accurately and /or that Post Office has been manipulating Horizon data.

11 The Letter of Claim makes a number of imprecise references to the idea that Horizon does not
accurately record branch transactions and / or that Post Office has edited branch transaction data
so to make it inaccurate. We repeat our above points about the need for your clients to provide
proper particulars of allegations if they are to be maintained, in particular you have not put
forward any evidence that Horizon has inaccurately recorded a transaction or that Post Office has
manipulated Horizon data in relation to any of the Claimants or otherwise.

1.2 There are a number of controls and processes in place to protect the integrity of data within
Horizon. These include:

1.2.1 Each basket of transactions must balance to zero (ie. the value of goods and services
vended much match the payments made / taken from the customer) otherwise the
basket will not be accepted by the counter terminal in branch. This ensures that only
complete baskets are recorded.

1.2.2 Counter transactions are committed atomically (ie. a transaction is either successful in
its entirety or it is not successful at all).

1.2.3 A unique Journal Sequence Number is applied to “digitally sign” every counter
transaction. This allows missing or duplicate transactions to be detected and
remedied.

1.2.4 A master record of transaction data is stored in a central “audit store" which has
controls to ensure the permanency of data and a data retrieval process which validates
data integrity.

1.3 The majority of transactions that make up the branch accounts are generated in branch. There
are however four ways in which Post Office (or Fujitsu on Post Office's instruction) can influence
those accounts:

1.3.1 Transactions originating at Post Office. A number of "transactions" are generated
by Post Office and sent to branches, namely transaction corrections, transaction
acknowledgements and remittances of cash / stock into a branch.” A key feature of
these transactions is that they must be approved in branch (by the postmaster or his
assistants) before they form part of the branch accounts.

1.3.2 Global Users. Global Users are setup by default on Horizon in every branch. These
are user accounts for Post Office staff to use when undertaking activity in a branch,
such as training or audits. It is possible for these Global Users to conduct transactions
within a branch's accounts. However, this access is only possible if the user is
physically in the branch using a local terminal and the transactions are recorded
against the Global User ID.°

1

2 See paragraph 7.16 onward in Second Sight's Part One Report for a more detailed explanation of these
processes.

3 Strictly speaking, the Global User ID should be used to generate a new unique ID for the Post Office
staff member and the new ID would then be used for training, audits, etc.

4A 33442637 240334426372 1

WBD_001542.000001
1.3.3

WBONO001672
WBON0001672

Balancing transactions. Fujitsu (not Post Office) has the capability to inject a new
"transaction" into a branch's accounts. This is called a balancing transaction.* The
balancing transaction was principally designed to allow errors caused by a technical
issue in Horizon to be corrected: an accounting or operational error would typically be
corrected by way of a transaction correction. A balancing transaction can add a
transaction to the branch's accounts but it cannot edit or delete other data in those
accounts. Balancing transactions only exist within Horizon Online (not the old version
of Horizon) and so have only been in use since around 2010.5 Their use is logged
within the system and is extremely rare. As far as Post Office is currently aware a
balancing transaction has only been used once to correct a single branch's accounts
(not being a branch operated by one of the Claimants).’

Adm

ter Aaccess to databases. Database and server access and edit permission

is provided, within strict controls (including logging user access), to a small, controlled
number of specialist Fujitsu (not Post Office) Jadministrators. Use-ofthese

Id J

ff

by ts if. hether-this-h

happened.— As far as we are currently aware, privileged administrator access has not
been used to alter branch transaction data. We are seeking further assurance from
Fujitsu on this point.

Ultimately, no postmaster going through the Scheme was able to point to a particular transaction
that they believed had been created, edited or deleted by Post Office without their consent.
Moreover, you have presented no evidence that misuse of any of the above processes by Post
Office was the cause of any shortfall in any Claimant's branch.

Post Office maintains that the combination of technical controls in Horizon and operational
controls at Post Office and in branch (including the need for postmasters to diligently monitor
their branch accounts, cash and stock as described in Schedule x) provides satisfactory
assurance that Horizon does accurately record the transactions input by the Claimants (or their
assistants).

4 The use of balancing transactions was explained to Second Sight and is referenced in its Part Two

Report at paragraph 14.16.

5 Post Office is making enquiries as to whether something akin to a balancing transaction existed in
Horizon before the upgrade in 2010.

6 This was in relation to one of the branches affected by the "Payments Mismatch" error described in
Schedule 6.
7 Several hundred other balancing transactions have been used but not in a manner that would affect
branch accounting. These were generally used to "unlock" a Stock Unit within a branch.

4A_33442637_2

WBD_001542.000002