WITNO00460400
WITNO00460400
Witness Name: GARETH IDRIS JENKINS
Statement No.: WITN00460400
Dated: 29 APRIL 2024
POST OFFICE HORIZON IT INQUIRY
FOURTH WITNESS STATEMENT OF GARETH IDRIS JENKINS
I, Gareth Idris Jenkins, will say as follows:
1. I make this fourth witness statement in response to a request dated 4 August
2023 made under Rule 9(2) of the Inquiry Rules 2006 regarding phases 3, 4
and 5 of the Post Office Horizon IT Inquiry (“the Rule 9(2) Request’).
2. The Rule 9(2) Request asked me 229 questions about phases 3, 4 and 5 of
the Inquiry. On 21 March 2024, I provided a third witness statement to the
Inquiry [WITN00460300], which addressed the phase 3 and 4 questions in the
Rule 9(2) Request (questions 1-196). This fourth witness statement addresses
the phase 5 questions in the Rule 9(2) Request (questions 197-229).
3. At the time of signing this statement, I understand that POL may still be in the
process of providing to the Inquiry a significant number of documents relevant
to phase 5 and that the Inquiry’s process of disclosure in Phase 5 is ongoing.
There are gaps which I have not been able to address and which I highlight
below. I have seen an important handwritten note originating from POL (which
I address below) but my lawyers tell me that otherwise there are very few notes
(handwritten or otherwise) of internal meetings. If further documents come to
Page 1 of 101
WITNO00460400
WITNO00460400
light between signing this statement and giving my evidence to the Inquiry, I
may need to expand upon what I have said in this statement. I have done my
best with the available documents and to indicate what I think may be missing.
As before, I have waived my rights in relation to the questions asked in the
Rule 9(2) Request. I understand that I still have rights in relation to any oral
evidence that I give and that this is a matter which the Chair will set out, at the
start, when I appear before the Inquiry.
Second Sight
Rule 9(2) Request questions 197-202
4. The Rule 9(2) Request has asked me a number of questions about Second
Sight and has referred me to one document, which is the witness statement
of lan Henderson dated 28 September 2018 [POL00091426].
5. 1 don't have a great deal of recall about the detail of the Second Sight
investigation but I have used what I do remember and the available documents
to answer the Inquiry’s questions as best I can. Based on those documents, I
believe that the main period of my involvement with Second Sight lasted from
approximately July 2012 to July 2013, which I understand to be the period of
Second Sight’s ‘Spot Reviews’. I don’t believe I had as much involvement with
Second Sight after July 2013, when I understand that the Spot Reviews
became subsumed into the Mediation Scheme.
6. I cannot pin down exactly when I first became aware that POL had engaged
Second Sight. It was probably at some point in the middle of 2012. I
understood that the scope of their work was agreed by senior people within
POL. I do not know why POL chose to appoint Second Sight over anyone else.
7. My lawyers have shown me a note made by Penny Thomas of a telephone
call I participated in on 27 July 2012 with lan Henderson [FUJ00232048]. I
must have known by this point that Mr Henderson was from Second Sight. I
believe this was the first occasion upon which I spoke to Mr Henderson or
Page 2 of 101
10.
11.
WITNO00460400
WITNO00460400
anyone else from Second Sight. Also present on the call were Jane Owens
and Simon Baker. I knew that Jane Owens worked in the security department
of POL and I understood that Simon Baker was a commercial manager at
POL. Mr Baker subsequently became one of POL’s main ‘interfaces’ with
Second Sight.
Penny's note begins with the explanation that POL had commissioned
“Advanced Forensics” (I believe this was another name for Second Sight) to
undertake an “independent review” of the Horizon system; that they would be
reviewing between 10 and 20 cases; and that they would require access to
data from Legacy Horizon and Horizon Online. Penny's note records that I
explained the different audit records which could be made available to Second
Sight and that I proposed a “workshop” to discuss the Horizon system
architecture. I felt that having a constructive dialogue with Second Sight would
be the best way forward. The note records that POL and Mr Henderson agreed
that my idea of a “workshop” was a good one.
Looking at the note, the purpose of the call on 27 July 2012 seems to have
been to enable Fujitsu to understand what Second Sight wanted and so that I
could outline what data and technical assistance Fujitsu could provide. As
Penny's note indicates, this work would require commercial discussions
between POL and Fujitsu.
I regarded POL’s appointment of Second Sight as a good thing. I believed that
an independent review would conclude that Horizon was sound but might also
provide recommendations for improvements (something which I would also
have welcomed). I also understood the need for an independent review of
Horizon given the criticisms of it in the media. I was willing to offer Second
Sight whatever technical assistance I could but I had no authority to make any
decisions regarding their access to systems or data.
The Inquiry has asked what views my colleagues at Fujitsu had concerning
Second Sight’s appointment. I don’t remember that anyone opposed it or was
particularly concerned by it.
Page 3 of 101
WITNO00460400
WITNO00460400
12. The Inquiry has asked whether I received any briefing or instructions (whether
from POL or Fujitsu) about how to deal with Second Sight. I don’t think I did
although I can’t discount the possibility. My lawyers have been unable to find
any briefings or instructions, or any other internal Fujitsu or POL discussions
about this, on the Inquiry’s database. I would have understood that whatever
I said to Second Sight about Horizon might end up being published in their
reports. I felt it was important to take a constructive approach with Second
Sight. I would not have regarded any Horizon topic as ‘off limits’.
13. As noted at paragraph 540 of my third witness statement to this Inquiry
[WITN00460300], Fujitsu had considered commissioning an audit of Horizon
Online (by KPMG) and had mapped out its proposed scope in late 2011 and
the first half of 2012. My understanding is that this KPMG audit was shelved
because Fujitsu were informed that POL had commissioned a review from
Second Sight. However, I think I may only know this as a result of reading
material for the purposes of this Inquiry. For example, I can see from
[FUJ00156909] that Michael Harvey of Fujitsu referred (in an email to Rodric
Williams of POL) to the proposed KPMG audit being “subsumed” by the
Second Sight investigation.
14. From my perspective, the proposed KPMG audit was different from the
Second Sight review in terms of its approach. I had understood that the KPMG
audit would focus on the integrity of the audit trail in Horizon Online. It would
do this by examining selected components of the Horizon Online system.
Second Sight’s approach would be to select case studies that responded to
different issues raised by SPMs about Legacy Horizon and Horizon Online.
This would include issues which SPMs encountered with POL’s business
processes and back-end systems.
15. It was not my decision not to proceed with the KPMG audit. This decision —
and the extent to which the Second Sight review played a part in that decision
— was taken by senior Fujitsu management.
Page 4 of 101
WITNO00460400
WITNO00460400
Meeting lan Henderson on 13 September 2012
16. The Inquiry has asked me questions about the witness statement of lan
Henderson dated 28 September 2018 [POL00091426], specifically my
recollection of what Mr Henderson says at paragraphs 2.2 and 2.4. These
paragraphs describe my meeting with him at Fujitsu’s offices in Bracknell on
13 September 2012 and some documents I sent him afterwards. This meeting
on 13 September 2012 was the “workshop” I had proposed in the call with Mr
Henderson on 27 July 2012.
17. I have seen an email chain setting up the meeting with Mr Henderson on 13
September 2012 [POL00117936]. On 4 September 2012, I asked whether any
advance preparation was required for the meeting. This prompted a response
from Mr Henderson clarifying that he wanted the workshop to include a briefing
about Legacy Horizon and Horizon Online, and that he wanted to receive
sample copies of specific types of Horizon data. He explained that he wanted
to develop the ability to analyse the raw data himself.
18. I have a general memory of the meeting on 13 September 2012 but not the
detail of it. My memory is that the meeting was split into two parts. The first
part was an introductory session with Mr Henderson as part of a larger group.
I believe (but I cannot be completely certain) that Simon Baker of POL and
Pete Newsome of Fujitsu attended. It is possible that others were also present
but I don’t remember who they were. Then I had a one-to-one session (the
workshop) with Mr Henderson alone in which I explained how to interpret the
audit logs generated by Legacy Horizon and Horizon Online using some
samples I had prepared beforehand (as Mr Henderson had requested in his
email of 5 September 2012).
19. From memory, the meeting on 13 September 2012 was the only occasion I
met Mr Henderson (or anyone else from Second Sight) in person. In general
terms I understood that the work I did for Second Sight needed to be
Page 5 of 101
20.
21.
22.
23.
WITNO00460400
WITNO00460400
communicated through POL and its lawyers, who in turn dealt directly with
Second Sight.
I note that, in paragraph 2.2 of his witness statement dated 28 September
2018 [POL00091426], Mr Henderson says that he believed that I was the
“Fujitsu lead engineer on the POL contract”. This belief is not quite right. I was
one of a number of senior engineers on the POL contract but I was not the
lead one. As I have set out previously, there was a series of lead architects on
Horizon over time, but I was never the lead architect.
My memory of precisely what I said to Mr Henderson at the meeting on 13
September 2012 — in terms of the actual words I used — is unclear. I was not
taking notes and I don’t recall whether anyone else was.
At paragraph 2.2 of his witness statement dated 28 September 2018
[POL00091426], Mr Henderson says that, during this meeting, I confirmed that
Fujitsu’s “capability” to remotely access branch terminals “existed and was
occasionally used to troubleshoot problems in branch.” I have no reason to
doubt that we discussed remote access, i.e. Fujitsu’s ability to access and
inject messages into live Horizon data. I also have no reason to doubt that I
would have said something to the effect that Fujitsu used remote access
“occasionally.” That would have reflected my understanding in 2012 that
Fujitsu’s use of remote access was very rare. That remains my understanding.
I would not have considered that I was disclosing anything sensitive by telling
Mr Henderson about remote access. As the Inquiry knows, a form of remote
access by Fujitsu was one of the (discarded) options considered by POL in
September/October 2010 for correcting the effect of the Receipts and
Payments Mismatch bug [FUJ00083353]. I had mentioned Fujitsu's use of
remote access in a witness statement I signed in the case of R v Wylie on 27
November 2012 (see [POL00097216] and [POL00133644)). I understood that
POL knew about Fujitsu's ability to access and inject transactions into live
Horizon data. I will expand on these issues later in this statement.
Page 6 of 101
WITNO00460400
WITNO00460400
24. At paragraph 2.4 of his statement dated 28 September 2018, Mr Henderson
explains that I sent him certain data after the meeting on 13 September 2012:
“My view was that the key to understanding transactions within the
Horizon system was to be provided with access to the raw transaction
data, known as XML reports. Mr Jenkins provided me with some sample
XML data shortly after our meeting on 13 September 2012 and I was
subsequently able to “reverse engineer” this data and see a level of
detail that was not made available to sub-postmasters or to POL.”
25. I believe this is a reference to an email I sent to lan Henderson on 14
September 2012 [POL00117936], which attached a Zip file containing 11
documents. The first of these documents was a briefing entitled “Info for lan”
[FUJ00123862]. Section 2 of this briefing gave an overview of the other 10
documents: the subsections of section 2 provided more information about
three of these documents and how they could be used. Section 3 provided
information to assist in the interpretation of the value used in the “Entry Mode”
attribute of transaction data. This was material which I hoped would provide
Mr Henderson with an insight into the mechanics of Horizon and an
understanding of how to interpret the raw data (as he had requested).
26. In paragraph 2.4 of his witness statement dated 28 September 2018
[POL00091426], Mr Henderson says that he “reverse engineered” the data I
sent him to see “a level of detail that was not made available to sub-
postmasters or to POL.” I don’t know exactly what Mr Henderson means by
“reverse engineering” but I assume he is referring to analysing the raw data.
27. \n the months after the workshop with Mr Henderson on 13 September 2012
(and my email to him on 14 September 2012), it would appear from the
documents I have been shown recently that I had a few conference calls either
with him or Ron Warmington, who I understood was Mr Henderson’s main
colleague and co-investigator at Second Sight. My recollection is that these
calls were always organised by POL and that I did not speak to Mr Henderson
or Mr Warmington without someone from POL present. I cannot now
Page 7 of 101
WITNO00460400
WITNO00460400
remember how many of these calls I participated in or the details of what we
discussed beyond what is recorded in the emails (see, for example, the note
of the call on 25 March 2013 recorded in the email at [POL00097915)).
28. Irecall suggesting that POL should provide information to Second Sight about
the Receipts and Payments Mismatch bug. However, I cannot recall why this
suggestion came from me when POL already had detailed information about
this bug and had decided how it should be responded to in terms of how to
correct the accounts of affected branches. I also recall that I provided
information about the Suspense Account bug to POL so that they could
consider whether to pass it to Second Sight, although I cannot now recall the
exact circumstances of this.
The Spot Reviews
29. The Inquiry has asked me to what extent I contributed to Second Sight’s Spot
Reviews, and to describe the nature and extent of my input.
30. I was a member of the group set up by POL to review and respond to Second
Sight’s Spot Reviews. This did not mean I was involved in all Spot Reviews. I
understood that the Spot Reviews were intended to be investigations by
Second Sight into specific complaints raised by particular SPMs. I had no
involvement in selecting these complaints. I cannot be certain how many Spot
Reviews were investigated in total but I believe there may have been up to 30.
Again, I don’t recall having any direct contact with Second Sight about any of
the Spot Reviews. I provided technical analysis to POL for some of the Spot
Reviews in response to questions that I understood Second Sight had asked
POL. In general terms I did this by analysing the data for the particular branch
and providing to POL my understanding of what the data showed (an
exception to this is Spot Review 5, which did not involve any data analysis,
and which I address below). I understood that any analysis I undertook for
POL for the Spot Reviews was being provided indirectly to Second Sight
having first been considered by POL and its lawyers. But I also understood
Page 8 of 101
WITNO00460400
WITNO00460400
that Second Sight were being provided with the same raw data that I analysed
so that they could carry out their independent analysis (and verify mine).
31. In terms of the amount of input I had, this varied considerably from one Spot
Review to the next. There are, at the time of preparing this statement, gaps in
the disclosure in relation to the Spot Reviews and I cannot therefore be
definitive about the extent of my involvement. In summary, however, I believe
that I produced the first draft of the response for Spot Review 1. I believe that
I reviewed the draft responses for Spot Reviews 11, 12, 13 and 22. I believe
that I gave input on some others (such as Spot Reviews 5, 6, 10, 21 and 23).
For a number of Spot Reviews, I don’t believe I had any involvement at all.
32. The Inquiry has not asked me to address the facts of any specific Spot Review.
However, I can see that Second Sight reached conclusions about four Spot
Reviews in its interim report of 8 July 2013 [POL00029744]. These were Spot
Reviews 1, 5, 21 and 22. After this report, as I understand it, the Spot Reviews
were subsumed into the Mediation Scheme and my involvement in Second
Sight’s work dropped away. I will address these four Spot Reviews as they
appear to be the only ones which actually came to any conclusion. If there are
additional Spot Reviews the Inquiry would like me to address, I would be
willing to do that.
33. Of these four Spot Reviews, 21 and 22 related to POL processes and I can’t
add to the contemporaneous documents. However, I can address Spot
Reviews 1 and 5 in more detail.
Spot Review 1
34. Spot Review 1 (also known as SRO01) concerned Mr John Armstrong, who
was the SPM at Lepton branch. Paragraph 205 of my second witness
statement to the Inquiry [WITN00460200] summarised my response to the
issue which Mr Armstrong had raised through Helen Rose in 2012. In this
Page 9 of 101
35.
36.
37.
WITNO00460400
WITNO00460400
witness statement, I will expand upon this response by reference to the
contemporaneous documents.
[POL00040888] set out Mr Armstrong’s account, which related to an online
payment which had failed on 4 October 2012. The essence of his account was
that Horizon Online had reversed this transaction automatically without his
involvement and without notifying him. Simon Baker from POL emailed me
(and others) Mr Armstrong's account on 19 March 2013 [POL00097672],
forwarding an email from lan Henderson which explained that:
“The main issue in SROO1 is the automated and largely silent recovery
process which occurs when Horizon detects either a power or a
communication failure. Can you ask Fujitsu to provide us with a clear
written description, including flowcharts, of how this is designed to
operate for both old and new Horizon?”
I can see that, later the same day (19 March 2013), there was an internal
debate within POL about whether I should “lead” the response to SROO1 or
whether it should be handled in-house [POL00097729]. I wasn’t aware of this
debate at the time. I note that lvan Swepson from POL’s ‘IT Separation
Programme Office’ queried this and asked “/s there no one in-house with
knowledge of Horizon requirements?” Simon Baker replied that there was but
that he did not have an issue with Fujitsu writing the response, noting that POL
would oversee it. I can see that the next day (20 March 2013), POL notified
me that I should lead the response [POL00097745]. I said it would take me
about a week to draft the response and suggested that POL might wish to
send Second Sight the Fujitsu design document concerning recoveries in
Horizon Online. I do not know whether they did this.
On 26 March 2013, I emailed Andy Winn at POL a first draft in response to a
request from him [POL00097845]. I believe that [POL00130133] is a copy of
this first draft. My covering email noted that the draft was subject to legal and
commercial review within Fujitsu.
Page 10 of 101
38.
39.
40.
WITNO00460400
WITNO00460400
My draft states that I had obtained the raw logs (i.e. the audit data) for Lepton
branch. I noted that these raw logs had also been provided to Second Sight.
This was the first occasion on which I had reviewed the raw logs for Lepton
branch. Several months earlier, Helen Rose had asked me some questions
about the branch (I addressed this at paragraph 205 of my second witness
statement to the Inquiry [WITN00460200)). At that earlier stage, I had looked
at the transaction data, not the raw logs. When responding to SROO1 I
reviewed the raw logs. This did not change my understanding of what had
happened at the branch but it enabled me to give a more detailed explanation.
My overall conclusion, after reviewing the raw logs, was that I agreed with Mr
Armstrong that the reversal of the transaction in question (the payment of a
BT bill for £76.09 in session 537803) had been system generated but
concluded that, before the reversal took place, Horizon had sent repeated
notifications which made it clear that there had been a failure to connect to the
data centre (that is, this bill could not have been paid because of this
connection failure).
Horizon made four attempts in total to process the customer session
containing the transaction, each of which lasted 40 seconds, and each of
which failed as a result of communications problems (i.e. glitches in the
connection). The first attempt was initiated by Mr Armstrong. When that failed,
Horizon automatically made a second attempt. When that failed, the counter
screen displayed a message stating that there had been a failure to connect
to the Data Centre. The screen gave Mr Armstrong the option of “Retry” or
“Cancel”. Mr Armstrong pressed “Retry”, which initiated the third attempt to
process the transaction. When that failed, Horizon automatically made a fourth
attempt. When that failed, the screen again displayed a message stating that
there had been a failure to connect to the Data Centre. The screen again gave
Mr Armstrong the same option of “Retry” or “Cancel”. Mr Armstrong pressed
“Cancel”. At that point, the counter printed out three identical hard copy
disconnect session receipts (one for the customer, one for branch records and
one to attach to the counter to aid with recovery). These receipts ascribed a
zero value to the BT bill payment and stated that there had been a failure to
Page 11 of 101
41.
42.
WITNO00460400
WITNO00460400
connect to the Data Centre. Horizon then automatically logged Mr Armstrong
out.
Horizon had therefore sent notifications in the form of two sets of screen
messages and three hard-copy receipts that made it clear that there had been
no connection to the data centre (i.e. so the BT bill had not been paid). The
bill should only have been treated as paid when Horizon notified the SPM —
through an AP receipt — that the session had successfully settled (which, in
this case, it never did). In addition to printing the three disconnect session
receipts, Horizon later printed a recovery receipt when Mr Armstrong was able
to log on again, confirming that the failed transaction had been reversed (i.e.
not processed). These steps indicated that Horizon had worked as it was
designed to do. This was also the conclusion of Second Sight. Plainly the
Horizon system (like any payment system) needed to have procedures for
when a payment or a transaction did not go through, or where it was unclear
as to whether or not it had been processed successfully.
What I have described above represented a change in process from Legacy
Horizon to Horizon Online. POL was obviously well aware of this but there
may be a question as to whether it properly trained SPMs about this change.
Communications failures which then led to reversals of failed transactions, like
the one seen here, were not a common occurrence. I can imagine that Mr
Armstrong may not have been familiar with what Horizon Online was telling
him to do and may not have been aware that Horizon Online, in these
circumstances, assumed that the BT bill payment had not been processed.
No doubt it was difficult keeping a customer waiting for several minutes for the
session to complete (or in this case fail), particularly if the branch was busy
with other customers at the time. However, the three disconnect session
receipts did show that no money had been taken for payment of the BT bill
and that the full amount of cash was to be returned to the customer. The
recovery receipt also informed Mr Armstrong that £76.09 was due to the
customer, meaning that the payment of the BT bill had been reversed. The
recovery receipt did not state that this transaction had been automatically
reversed by Horizon (as opposed to Mr Armstrong initiating the reversal). This
Page 12 of 101
43.
44.
45.
WITNO00460400
WITNO00460400
could have been confusing, particularly if the meaning of the screen messages
and receipts had not been addressed in POL’s training for SPMs on Horizon
Online.
On 2 April 2013, I notified POL that the SSC at Fujitsu would be happy to run
a workshop with Second Sight concerning system-generated recoveries
[POL00097915]. I thought it might be helpful to Second Sight’s work on SROO1
(and more generally) to have a face-to-face training session with members of
the SSC (at which I would probably be present). This would have allowed for
discussion and to enable any technical questions to be answered. My email
noted that I hadn't raised the idea directly with Second Sight and wanted to
run it past POL first. I don’t know whether this session took place but I don’t
recall participating in one. It was a matter for POL what sort of support and
assistance it wanted Fujitsu to provide to Second Sight.
Later the same day (2 April 2013), I received an email from Simon Baker,
informing me (and others) that the responses to four Spot Reviews (including
SR001) did not “drive home our message in a compelling way — that would
persuade MPs or media or members of the public that there are no issues
(and it looks like there aren't)” [POLO0097917]. I don’t believe that I had
approached any of the Spot Reviews on the understanding that POL wanted
to convey any sort of “message.” In relation to SROO1, for example, I had
provided a technical explanation of what the underlying data for Lepton branch
showed. In this email Mr Baker suggested that he might convene a workshop
with POL’s lawyers and ask them to put the responses to the Spot Reviews
together.
It appears that POL did then involve lawyers in drafting the responses to the
four Spot Reviews. On 19 April 2013, I received an email from Andy Parsons
of Bond Pearce, who was one of POL’s external lawyers, attaching re-drafted
versions of the four Spot Reviews (including SROO1) [POL00098035]. The
covering email noted that this re-redrafted version of SROO1 was ‘largely as
per Gareth’s first draft” and described the three key changes he had made.
Whilst I cannot be sure, I believe that the relevant attachment to this email
Page 13 of 101
46.
47.
48.
WITNO00460400
WITNO00460400
may be [POL00098043], which is described as “version 2” of POL’s response
to SROO1.
My lawyers have shown me [POL00130164], which appears to show in track
changes the amendments made by POL/Bond Pearce to my first draft when
they produced their “version 2”. The track changes indicate that the executive
summary (section 1) was their work and not mine. It can also be seen that
they added new paragraphs to my draft (such as paragraph 9 in section 4).
On 22 April 2013, I made some comments on “version 2” of the response and
emailed them to Mr Parsons [POL00098053], but as my lawyers cannot find
the attachment to this email on the Inquiry’s database, I am unable to explain
what I amended or why.
On 18 June 2013, POL contacted me to say that Mr Armstrong had queried
the response because he believed that he had not acknowledged the failure
of the BT bill to be paid [POLO0098604]. In response, I explained that where,
as here, a communications failure had occurred when trying to settle a basket,
messages would be shown on the counter screen informing the SPM of the
loss of connection to the data centre. I explained that these screen messages
had been shown twice at Lepton branch for this particular transaction. On the
first occasion, Mr Armstrong had pressed “Retry” and on the second occasion
he had pressed “Cancel”. By pressing these options, Mr Armstrong had
acknowledged (on two occasions) the fact that the session had not been
completed successfully. I also explained that the counter had then printed out
three disconnect session receipts that stated that there had been a
communications failure and showed a zero value for the BT receipt, thus
indicating that it had not been paid. It seems that, after receiving this
clarification from me (via POL), Mr Armstrong found the three disconnect
session receipts in his records (which he had not located previously): see his
email to Ron Warmington of 25 June 2013 at [POL00002239]. The receipts
set out on page 4 of that email chain demonstrate that the full £80 cash
withdrawal should have been provided to the customer and that the value of
the BT bill was nil (i.e. not paid).
Page 14 of 101
WITNO00460400
WITNO00460400
49. Second Sight made findings about POL’s response to SRO01 in their interim
report dated 8 July 2013 [POL00029744], which I address below.
50. Before leaving this point, I should make clear that when I dealt with Helen
Rose in relation to the Lepton branch in February 2013, I had explained to her
that it would be relatively simple to add an extra column into the existing ARQ
report spreadsheet, so that it would be clear whether the Reversal Basket was
generated by Recovery or not [POL00134138].
51. I also note that an email on 22 October 2014 (which I do not think I saw at the
time) sent by James Davidson of Fujitsu, in which he set out the parameters
of what the standard ARQ data sent to POL demonstrated, explained to a
number of individuals within POL [POL00091397]:
“This does not provide all of the data held, it only provides what Post
Office has said that it wants to see in an ARQ record, we have
recommended on several occasions that this is reviewed to make sure
it continues to give you what you need in the circumstances.”
Spot Review 5
52. Spot Review 5 (also known as SROO5) concerned Michael Rudkin, who had
informed Second Sight that he had witnessed a POL employee talking about
accessing (and actually accessing) live Horizon data from the basement of
Fujitsu’s offices in Bracknell in August 2008.
53. I didn’t take the lead in responding to SROOS5 but I did assist with some aspects
of the response at an early stage. It is my understanding that work on the
response was undertaken by a number of people in POL and Fujitsu in order
to ascertain who Mr Rudkin might have spoken to.
Page 15 of 101
54.
55.
56.
57.
58.
WITNO00460400
WITNO00460400
I can see that, on 6 June 2013, I sent some initial comments on two emails in
the email chain at [FUJ00087028]. My comments were interposed with these
two emails and prefixed with my initials GlJ.
The first email on which I commented was from lan Henderson, which he had
sent on 3 June 2013. I inserted short responses to seven questions Mr
Henderson had asked about the ability of the POL team in Bracknell to
undertake transaction corrections, rem out type transactions and journal
adjustments to live data. I worked in Bracknell, had visited the basement many
times and knew enough about the team that worked there to know that they
were testers who could only access test data, not live data (the test and live
systems being completely insulated from each other). I therefore thought that
the premise of SROO5 was incorrect. I explained this in my responses. I also
said that Fujitsu operations and support staff (unlike the POL team in the
basement at Bracknell) had the ability to inject transaction corrections and rem
out type transactions, as well as to make journal adjustments, to live Horizon
data. I made this point because I felt it was important to acknowledge that,
even though the team of POL testers in the Bracknell basement (which I
understood Mr Rudkin had visited) had no remote access to live data, there
were teams of Fujitsu employees not based in the basement who did.
The second email upon which I commented was from Pete Newsome, which
he had sent on 4 June 2013. My responses mainly repeated the point that the
POL team in the Bracknell basement could only access test data, not live data.
I did not send my comments on these two emails direct to lan Henderson (or
anyone else from Second Sight). I sent them to colleagues in Fujitsu. I
assumed that they would forward them to POL, who would use them in
responding to SROOS.
I see that POL emailed its response to SRO05 to Second Sight on the evening
of 6 June 2013 [POL00029593]. I assume that the response attached to this
email is the undated two-page document at [POL00029594], although I have
Page 16 of 101
WITNO00460400
WITNO00460400
seen longer versions of this response at[POL00029824] and [POL00031346]
(both of which are also undated).
59. It appears that others were able to contribute to the response in more detail
given the underlying work which had happened (see, for example,
[FUJ00124449] and Bill Membury’s references to the underlying
documentation about the technical segregation of the test and live systems).
However, I can also see that the response, in some respects, took account of
my answers to the seven questions in Mr Henderson’s email of 3 June 2006.
That said, there are differences. For example:
a. I had said I could not respond to question 2, noting that “it was probably
one for Bill” (meaning Bill Membury). The response POL sent to Second
Sight dealing with question 2 was written by someone other than me. I
do not know who did write it.
b. The response POL sent to Second Sight dealing with question 4 was
completely different from what I had written. Again, I do not know who
did write it.
c. The response POL sent to Second Sight dealing with question 7 did not
include my reference to Fujitsu's teams having the ability to inject
transaction corrections etc. into live Horizon data. I do not know why POL
omitted this part of my explanation in its response.
60. For completeness, I have looked at the longer versions of the response at
[POL00029824] and [POL00031346]. I do not believe that any of the additional
material that appears as issues 1, 2 or 4 within these responses was provided
by me. I assume this additional material was written by POL and/or Bond
Pearce.
61. It may be that these longer versions of the response were written as a result
of questions asked by Ron Warmington on 11 June 2013, which expressed
dissatisfaction with the relevance of POL’s response [POL00029598]. I did not
Page 17 of 101
62.
63.
64.
WITNO00460400
WITNO00460400
see this email at the time. It seems to be connected to a meeting between
Second Sight, POL and Fujitsu the following day (recorded at
[FUJ00087053]). I am not listed as attending this meeting and have no
recollection of it (and having checked, I was on holiday that week).
I can see that, on 19 June 2013, in the context of SROOS, I sent an email
setting out that POL staff had no capability to “manipulate” branch accounts in
Legacy Horizon [POL00296678]. Referring to the POL Operations Manual
(which I may not have seen before), I would not have considered transaction
corrections issued by POL a means of manipulating branch accounts. POL
generated transaction corrections through an interface to POLSAP and sent
them to the branch through standard interfaces which were audited. To my
mind, this did not amount to injecting transactions into the live Horizon system
(and thereby manipulating or changing branch data). Rather, it was a means
by which POL could seek permission from authorised users in the branch to
correct the branch accounts. If those users consented to the transaction
correction, new transactions would be added into the branch accounts
associated with the user who authorised the Transaction Correction. No data
would be deleted from the branch accounts. I can see that Mr Ismay was
copied into the email chain at [POL00296678] and was asked questions (by
Mr Allchorn) about POL’s ability to access branch accounts.
I can also see that, on 24 June 2013, I became briefly involved again in SROOS
when I responded (indirectly) to a question from lan Henderson which seemed
to confuse the injection of transactions into the BRDB of Horizon Online and
the processing of cash rems [FUJ00087066]. I haven’t seen any material
suggesting that I had any involvement in responding to SROO5 after that.
Whilst I didn’t see this email at the time, my lawyers have shown me
[POL00021696], which indicates that, on 1 July 2013, Second Sight found
material indicating that the person Mr Rudkin had met in the Bracknell
basement in August 2008 was Martin Rolfe. I knew Martin fairly well: he was
working as a tester at that time and, as far as I am aware, neither he nor his
POL colleagues would have had access to any live Horizon data. I understand
Page 18 of 101
WITNO00460400
WITNO00460400
from the Inquiry’s disclosure that when Martin Rolfe was identified, POL
obtained a witness statement from him about his meeting with Mr Rudkin.
65. Second Sight made findings about POL’s response to SROOS in their interim
report dated 8 July 2013 [POL00029744], which I address below.
The Second Sight reports
66. The Inquiry has asked me whether, in my view, Second Sight had access to a
sufficient level of technical information about the Horizon IT System to arrive
at any safe conclusions about its integrity. I find this question difficult to answer
as I don’t know, overall, what information Second Sight was given by POL in
respect of every Spot Review. Moreover, my involvement with Second Sight
fell away after its interim report of 8 July 2013 was published and the Spot
Reviews were subsumed into the Mediation Scheme.
67. Looking at the interim report now, its stated focus was on “systemic issues’,
which Second Sight defined to mean “system-wide issues”, i.e. issues
affecting the whole estate. I was not aware of any reluctance on Fujitsu’s part
to provide Second Sight with technical information relevant to Horizon or any
issues within it. As far as I was aware, Fujitsu provided whatever technical
information POL told us Second Sight wanted. Plainly, in reaching its
conclusions, Second Sight took into account materials on the Receipts and
Payments Mismatch bug and the Suspense Account bug.
68. The six preliminary conclusions of Second Sight are listed at paragraph 8.2 of
the interim report:
a. The first conclusion (paragraph 8.2(a)) states that “We have so far found
no evidence of system wide (systemic) problems with the Horizon
software”. As a software engineer working on Horizon for many years,
this was the conclusion in which I was most interested. I was also
Page 19 of 101
WITNO00460400
WITNO00460400
unaware of any system-wide problem with Horizon’s software, i.e. a bug
that had caused discrepancies across the entire estate.
b. The second conclusion (paragraph 8.2(b)) refers to the Receipts and
Payments Mismatch bug and the Suspense Account bug, both of which
occurred in Horizon Online. I can see that POL forwarded my papers
about these two bugs to Second Sight on 21 June 2013 [POL00188670].
I agree with how the Second Sight report describes these two bugs.
c. The third conclusion (paragraph 8.2(c)) appears to be based on SRO01.
It is expanded on in Appendix 1 to the report. Paragraph 1.9 of Appendix
1 acknowledged that Horizon “did operate in accordance with its design”
in relation to Lepton branch (which was also my stated view concerning
SRO01) but was critical of the timing of the receipts printed. I have
addressed SRO01 earlier in this statement.
d. The fourth and fifth conclusions (paragraphs 8.2(d) and (e)) appear to
be criticisms of POL, not Fujitsu or the Horizon application, and I don’t
know enough to comment on them.
e. I don’t think I can really comment on the sixth conclusion (paragraph
8.2(f)) other than to say that it is consistent with my general recollection
that some SPMs did experience these sorts of problems.
Appendix 2 to this report addressed SROO5 and stated that enquiries were
ongoing due to a conflict of evidence. As I have explained earlier, I understood
that POL and Fujitsu had done a lot of work in demonstrating why the POL
team working in the basement in Bracknell (including Martin Rolfe) could not
access any live Horizon data.
Page 20 of 101
WITNO00460400
WITNO00460400
Events after the Second Sight interim report
70. It is only in the past few years that I have begun to piece together the effect
that Second Sight’s interim report had on POL’s prosecutions. I am still not
sure that I have the full picture.
71. Inow understand that this report led directly to advice from Simon Clarke (who
I understand was a barrister employed by Cartwright King) dated 15 July 2013
[POL00006357]. This advice was highly critical of me and has had far-
reaching consequences. I was not aware of this advice (nor any such criticism
of my integrity) at the time it was produced. I only became aware of it when it
was disclosed in late 2020 during the Court of Appeal proceedings which
quashed the convictions of a number of SPMs. Until that point, I did not know
that over seven years earlier I had been accused by POL’s lawyers of failures
of disclosure as an expert witness in its prosecutions. If anyone asked me
about giving evidence in prosecutions or spoke to me because of these
criticisms, it was not apparent to me. I was unaware of the advice when POL
asked me and I agreed to assist with various matters between 2013 and 2020,
including the group civil proceedings.
72. It seems that Simon Clarke's advice was produced because Second Sight
became aware of three bugs in Horizon, which they referenced in their interim
report. This report referred to the Receipts and Payments Mismatch bug and
the Suspense Account bug (both of which had affected Horizon Online) at
paragraphs 6.4 to 6.9. Paragraph 6.10 referred to the Callendar
Square/Falkirk bug (which had affected Legacy Horizon).
73. Adraft of Second Sight’s interim report (or perhaps a summary of it) seems to
have been provided to POL by late June 2013, since it was referred to in a
short telephone call on 28 June 2013 involving me, Simon Clarke and Martin
Smith. I understood that Mr Smith and Mr Clarke were colleagues at
Cartwright King. There is a transcript of this call at [POLO0142322]. I don’t
remember this call at all. I do not know if this transcript is an accurate and
complete record of the call, whether it reflects everything I said or whether
Page 21 of 101
74.
75.
WITNO00460400
WITNO00460400
anything I said was misunderstood by Mr Clarke or Mr Smith. I did not know
until this Inquiry that the call was being recorded and a transcript had been
produced. I do not believe that I had ever spoken to Mr Clarke previously.
Halfway through the call, Mr Clarke made clear that Mr Smith was also
listening in. This call came out of the blue and they asked me some questions
about a prosecution of an SPM I had never been involved in (that of Mrs
Samra). I confirmed, in response to Mr Clarke’s questions, that information
had been provided to Second Sight about bugs in Horizon Online. According
to the transcript, I explained the distinction between the integrity of the audit
data and the existence of these bugs. I am recorded as having said that it
could never be said that there were no further bugs beyond those discovered.
It seems that I may have had a conversation with POL on the same day (28
June 2013, which was a Friday). I say this because I emailed Lesley Sewell
of POL my witness statement of 8 October 2010 in Mrs Misra’s case at
10.16am [FUJ00124694]. Simon Baker then emailed me (in a new chain) at
6.50pm, asking: “You mention discussing the Falkirk bug in the Misra case
today, are there any other examples where bugs have been discussed in
court?” [POL00062368]. I can see that I replied to his email the following
Monday (1 July 2013) at 9.21am to confirm that I was not aware of any other
specific bugs being discussed in court (as the Inquiry will be aware, I had not
given evidence in court in any case save for Mrs Misra’s). Later that day,
Jarnail Singh emailed me to ask which bugs had been referred to in Mr
Castleton and Mrs Misra’s cases [FUJ00154223]. I replied to confirm that in
both cases the Callendar Square/Falkirk bug had been discussed. It was
unclear to me why POL was asking me to explain what had been discussed
at court in its cases, particularly when Mr Singh had been the lawyer involved
in Mrs Misra’s case.
Although I didn’t see it at the time, I have now read an email sent by Mr Singh
to various people at POL on 30 June 2013 [POL00060572]. Mr Singh refers
to the call that Mr Clarke and Mr Smith had had with me on 28 June 2013. At
paragraph 5, Mr Singh implied that POL had only just learned about two bugs
in Horizon, that this was because I had disclosed them to Second Sight and
Page 22 of 101
76.
WITNO00460400
WITNO00460400
that POL was unaware of any other bugs. I am also aware now that in Mr
Clarke's advice [POL00006357], he suggested that Mr Singh was not aware
of any bugs. I also note that Mr Clarke’s account of the telephone call with me
differs from the transcript which the Inquiry has.
Looking at Mr Singh’s email now, I find the suggestion that POL only knew
about these bugs because I informed Second Sight about them very
surprising. I will not repeat all of the evidence I have given in my previous
witness statements to the Inquiry, but in summary:
a. My clear understanding was (and remains) that POL knew about bugs
which had caused discrepancies in branch accounts, both in Legacy
Horizon and Horizon Online. Over the course of many years, POL had
had to sign off each new software release rolled out by Fujitsu on Legacy
Horizon and Horizon Online. These software releases contained lists
and brief descriptions of the bugs that were being remedied. Information
about bugs had also been regularly shared by Fujitsu’s problem
management team to their counterparts in POL (and vice versa). There
were other less formal channels of communication including emails in
which Fujitsu and POL discussed bugs they had discovered. To take
only some of the most prominent examples: discussions between Fujitsu
and POL about the Callendar Square/Falkirk bug in 2006 (see
[FUJ00083721)); Fujitsu telling POL about the Remming Out bug in 2007
(see [FUJ00121071]); Fujitsu telling POL about the Craigpark bug in
2008 (see [FUJ00155252]); Fujitsu telling POL about the Receipts and
Payments Mismatch bug in 2010 (see [FUJ00081137]); and POL
knowing about the existence of the Suspense Account bug before Fujitsu
did (see [FUJ00083375)]). I am unable to explain why, in late June 2013,
some of POL’s lawyers and commercial managers seemed suddenly
surprised to learn that Horizon had been affected by bugs.
b. I had myself referred in the course of legal cases to faults in Horizon or
bugs. In my witness statement in Mr Thomas's case in 2006, I had
explained that Fujitsu relied on the PEAK system, which I said was “used
Page 23 of 101
77.
78.
WITNO00460400
WITNO00460400
for passing faults around the team and tracking faults raised regarding
the Post Office Account” (see [FUJ00122229]). In Mrs Misra’s case, I
had referred POL’s lawyers to the existence of 200,000 faults on the
PEAK system (see [FUJ00153159]); I had told the defence expert
Professor McLachlan and been cross-examined at court about the
Known Error Logs maintained by Fujitsu (see [POL00055059]); I had
referred in my email correspondence, provided to Mr Singh, to the
problem of transactions being lost due to a locking problem (see
[FUJ00152930]); and I had given written and oral evidence about the
Callendar Square/Falkirk bug (see [POL00001643)).
c. Anumber of people from POL had been involved in the response to the
Receipts and Payments Mismatch bug. I now know that Mr Singh and
others in POL’s criminal law team became aware of the Receipts and
Payments Mismatch bug in October 2010, days before Mrs Misra’s trial
commenced (see [POL00055410)).
If Mr Singh was trying to give the appearance in June 2013 that POL only
knew about two bugs in Horizon, which had only recently come to light as far
as POL was concerned, and only because I had disclosed them in the course
of the Second Sight investigation, then that was obviously wrong. Yet that
appears to be the basis on which POL and its lawyers (including Mr Clarke)
proceeded.
My lawyers have shown me [POL00029618]. From this, I can see that Mr
Warmington had made inquiries of POL about who knew about the Receipts
and Payments Mismatch bug and the Suspense Account bug:
“Also, the first report (on the Receipts and Payments Mismatch Problem)
mentions, on page 2 of 30, "this will assist in explaining the issue to
senior management and, if necessary, the Press". Can you please let
me know whether, when and who (at Board level) was informed about
this defect (and also the later Local Suspense Account defect) and
Page 24 of 101
79.
80.
81.
WITNO00460400
WITNO00460400
whether any Press Release was issued in respect of either of them? If
so, may I please see a copy of that?”
POL’s internal discussion subsequently considered how high, internally,
information about the bugs had gone. I do not know who the most senior
person was in POL who knew about these bugs between their discovery and
the point in time when Second Sight first said that they intended to refer to
them in their Interim Report.
I do not recall the taped conversation and have no recollection that Mr Clarke
spoke to me after 28 June 2013. He did not ask me whether there had been
any other bugs in Legacy Horizon or Horizon Online, nor how those bugs had
been communicated by Fujitsu to POL (or vice versa) at the time of their
discovery. He did not ask me to explain the circumstances in which I had
provided witness statements in POL’s prosecutions. He did not ask me what
instructions Mr Singh or any other lawyer had given me. His advice (dated 15
July 2013) [POL00006357] was therefore written without any information from
me about knowledge within POL about bugs in Horizon over many years; my
communications with POL and Cartwright King lawyers during the
prosecutions; my understanding as to what I was being asked to do by POL
and Cartwright King in those prosecutions; and what instructions or guidance
POL’s lawyers (including Cartwright King) had given me about my role.
I do not understand why Mr Clarke did not speak to me about any of these
matters. I understand that at one stage before preparing his advice, he seems
to have acknowledged that he would. My lawyers have shown me some
written advice he prepared on Ms Samra’s case of 2 July 2013
[POL00172804]. I did not see this advice at the time. Paragraph 7 of the advice
referred to the call that he and Mr Smith had had with me on 28 June 2013. At
paragraphs 21 and 22, Mr Clarke expressed concern that Fujitsu's statements
served in previous prosecutions had not referred to the bugs disclosed to
Second Sight, noting that:
Page 25 of 101
82.
83.
84.
85.
WITNO00460400
WITNO00460400
“This is a matter to be returned to at an appropriate time [...] In any event
I require a face-to-face conference with Gareth Jenkins upon publication
of the Second Sight report.”
I am as confident as I can be that this face-to-face conference with me never
happened.
My lawyers have shown me, from the Inquiry’s disclosure, a handwritten note
dated 2 September 2013 [POL00155555]. I understand from evidence
recently given to the Inquiry that Rodric Williams wrote this note. In his note,
which is difficult for me to interpret, Mr Williams appears to have
acknowledged that it was not thought I had ever been of advised of expert
duties. It records: “what were we doing to instruct GJ” and “don’t think he’s
ever been advised of his duties”. This is the important handwritten note I
referred to at the beginning of this statement. I understand from my lawyers
that there are very few handwritten notes in the disclosure. That concerns me
because it seems only as a result of this handwritten note that it is clear POL
knew in 2013 that there might be issues about whether it had instructed me or
provided me with information about expert duties. Otherwise, there is very little
email discussion about this issue, which is of clear importance to me. Again, I
mention this because no one from POL spoke to me about it in 2013 or in the
years that followed.
It is unclear to me whether, after receiving Mr Clarke’s advice, POL or
Cartwright King reviewed any of the relevant case files to see what instructions
I had been given or whether I had been advised of the duties of an expert
witness. I do not know whether any of the prosecution lawyers I had dealt with
— such as Jarnail Singh, Rachael Panter, Martin Smith or Andrew Bolc — were
asked questions about these matters. I do not know whether POL ever
disclosed its understanding that I had not been properly instructed as an
expert to Brian Altman KC or the Criminal Cases Review Commission.
It does seem, however, that Mr Clarke’s advice prompted POL to consider
how best to inform Fujitsu that I had not complied with expert duties (see
Page 26 of 101
86.
87.
88.
WITNO00460400
WITNO00460400
[POL00297607] and [POL00297764)). It also appears that it prompted POL to
instruct its lawyers to prepare two documents addressed to Fujitsu. One was
called a “shot across the bow” and the other was a ‘letter of claim”
[POL00193383]. I believe one of these documents may be the draft that
appears at [POL00140620] although I cannot be certain. The draft states that
“Post Office was [...] disappointed to discover that witness evidence prepared
by Fujitsu may not have been fully disclosing historic (albeit known and
resolved) defects.” I assume this is a reference to the witness statements I
signed in POL’s prosecutions. There are gaps in the documents and so I
remain unclear exactly what POL told Fujitsu about my status in its
prosecutions or what happened to POL’s letter of claim against Fujitsu. In any
event, I was never asked about or involved in these discussions.
My understanding now is that, shortly after Mr Clarke’s advice, POL instructed
Brian Altman KC. My lawyers have shown me written advice he produced on
15 October 2013 [POL00006803]. Again, I did not see this advice at the time,
nor did I know until late 2020 or early 2021 that a silk was giving advice to POL
about my evidence in a number of its prosecutions. At paragraphs 147-148 of
this advice, Mr Altman KC concluded, in respect of me, that I was:
“in breach of his duty as an expert, that his credibility as an expert is
accordingly fatally undermined, and that he could no longer be relied
upon to give expert evidence [...] I am unclear whether Mr Jenkins was
challenged about the non-disclosure to POL and, if so, what his
explanation was for it.”
Again, to be clear, I was not asked about ‘non-disclosure’ to POL nor asked
for any explanation for it. I did not know that these were even issues being
considered by POL.
It seems that the terms of reference drafted by POL’s lawyers for Mr Altman
KC included a question about whether Mr Altman KC should meet me
[POL00298011]. He seems to have acknowledged that this required careful
consideration [POL00021981]:
Page 27 of 101
WITNO00460400
WITNO00460400
“Not meeting and hearing him [Mr Jenkins], where there may be
questions potentially impacting on non-disclosure by him, and his role as
an expert, risks exposing the final report to criticism. However, this is not
a judicial or public inquiry with the formal receipt of evidence. This is
something I shall need to think about very carefully; at this very early
stage I am not unnaturally undecided.”
89. Ultimately, it seems that Mr Altman KC and/or POL decided that he should not
meet me or hear from me. I was not therefore able to give an account to Mr
Altman KC.
90. The email chain at [POLO00169308] suggests that POL (and Cartwright King)
knew that there was a sensitivity about my role and that what was said to me
about ongoing prosecutions needed to be handled with considerable care. I
have also noted that POL appears to have received advice from Andy Parsons
at Bond Pearce about minimising the Helen Rose report because it was
alerting convicted SPMs to problems with the evidence I had given
[POL00020634].
91. I was disturbed to learn these things when reading the documents disclosed
by the Inquiry. I had been asked to assist in 2013 with drafting terms of
reference for the external expert I understood was to be appointed to give
evidence on Horizon (a copy of these can be found at [FUJ00156908]). As I
have explained in my third witness statement to the Inquiry at paragraphs 692
to 700 [WITN004604300], I was told by Fujitsu on 3 December 2013 that my
involvement in POL’s prosecutions had ceased because there had been some
legal advice given to POL concerning the “rules of evidence” which meant that
POL now needed to consult an “external expert” [FUJ00156923]. That
remained my understanding until late 2020, when I first learned of Mr Clarke’s
advice.
92. Iwas not asked or challenged by anyone in 2013 (or in the seven years that
followed) about breaches of expert duties or disclosure obligations. If anyone
Page 28 of 101
WITNO00460400
WITNO00460400
did raise with me that POL did not want me to give evidence in the GLO
proceedings because I had given evidence for POL in its prosecutions many
years earlier, it was not apparent to me that this was because I was regarded
as having breached any duties or disclosure obligations.
93. It is only recently, in the criminal investigation and now in this Inquiry, that I
have been asked to give an account of my evidence in POL’s prosecutions. I
came out of retirement to provide ad hoc advice to POL on specific issues
(such as the Project Bramble report which I address below). Most significantly,
POL asked me to assist with the group civil proceedings brought by former
SPMs in 2018-2019 (which I also address below). POL sought my assistance
with these and other matters without ever informing me that it had accused
me of breaches of expert duties and disclosure obligations in its prosecutions,
nor that it had effectively sought to blame me in 2013 for POL having to revisit
past cases. I find it very confusing and troubling that it took over seven years
for POL to make me aware of such serious issues.
Remote access
Rule 9(2) Request questions 203-205 and 207
94. The Inquiry has asked me a number of questions about remote access. I
addressed remote access in my second witness statement to the Inquiry at
paragraphs 147 to 157 [WITN00460200]. However, given the significance of
remote access to the Inquiry and in particular to the topics covered in phase
5, I hope it is helpful for me to give a more detailed explanation of it in this
witness statement.
Defining what “remote access” means
95. To my mind, the term “remote access”, in its simplest and broadest terms,
means accessing the live Horizon system from a location other than the
branch. Beyond this, however, “remote access” seems to have been used in
different ways, and has been interpreted to mean different things, depending
Page 29 of 101
WITNO00460400
WITNO00460400
on the context. This risks confusion. In order to clarify the types of remote
access that may be relevant to the Inquiry, I think it is important to draw a basic
distinction at the outset between remote business access available to POL
and remote support access available to Fujitsu.
Remote business access available to POL
96. As far as I am aware, the only type of remote business access available to
POL in respect of live Horizon data were transaction corrections and
transaction acknowledgements (I say /ive data because, as explained above,
POL employed a team in the basement of Bracknell’s office, including Martin
Rolfe, who could access test data). Transaction corrections were introduced
as part of Project Impact in around 2005 and POL used them in Legacy
Horizon and Horizon Online. Transaction acknowledgements were introduced
as part of Project Ping in around 2011 and POL used them in Horizon Online.
POL did not inject either transaction corrections or transaction
acknowledgements into live data and neither automatically changed the
branch accounts. Instead, both generated a screen interaction that users in
the branch had to accept before the transaction correction or transaction
acknowledgement had an impact on the branch accounts.
97. I have seen an email dated 14 April 2014 in which I replied to questions that
had been asked of Fujitsu by Rodric Williams of POL on behalf of Second
Sight [FUJ00087 100]. Second Sight had asked the question: “Can Post Office
change branch transaction data without a subpostmaster being aware of the
change?” I answered “no”. This answer reflected my understanding, which
remains, that POL could not inject transactions into an SPM’s branch
accounts. Transaction corrections and transaction acknowledgments did not
involve POL changing the branch accounts without branch users being aware
of the change. This is because (as set out above) they both led to a screen
interaction which resulted in the branch staff generating (and thereby being
aware of) the transaction which would change the branch accounts.
Page 30 of 101
WITNO00460400
WITNO00460400
Remote support access available to Fujitsu
98. The closing submissions of Fujitsu in phase 3 of the Inquiry [SUBS0000025]
drew a distinction between three types of remote support access available to
Fujitsu:
a. The use of read-only remote access for diagnostic and
investigative purposes.
b. The use of remote access to make technical system changes (which the
closing submissions called “housekeeping remote access”). This would
include software and reference data changes which were controlled by
business processes and which were designed to improve the operational
performance of counters.
c. The use of remote access to correct an error (which the closing
submissions called “substantive remote access’).
99. I would agree with this distinction. Throughout my career, I did not myself use
any of these three types of remote support access (apart from read-only
remote access in Horizon Online, i.e. the first type of remote access identified
in Fujitsu’s submissions). None of my roles ever required me to use the second
or third types (or the first type in Legacy Horizon). My understanding is that
the second and third types were used by members of the SSC and SOT. As a
result, remote access rarely came up as something I needed to consider. My
understanding of the more operational or process driven aspects of it (like the
‘four eyes’ control) would have come from colleagues in the SSC or SOT.
100. I think the third type of remote access identified in Fujitsu’s submissions
encompasses both the injection of transactions and the injection of data. I
draw this further distinction because injecting transactions (sometimes called
balancing transactions) would have affected branch accounts, whereas
injecting data may have had an effect (but more likely had no effect) on branch
accounts. An example of data which would not affect branch accounts would
Page 31 of 101
WITNO00460400
WITNO00460400
be where a stock unit had been locked by a user who was unavailable to
unlock it and the SSC injected data to unlock it.
101. My understanding is that the Inquiry is most interested in the injection of
transactions and data that did have an impact on branch accounts. Therefore,
in this statement, that is what I am referring to when I use the term “substantive
remote access”.
102. To be clear, “substantive remote access” does not encompass accessing audit
data stored in the audit server. Once data was committed to the audit server,
my view was (and remains) that nobody could add to, edit or delete it without
detection (except where audit data was periodically deleted because it had
passed its archiving expiry date, e.g. seven years for transaction data, those
expiry dates having been agreed by POL). The audit data could be accessed
using an audit workstation but only by specially authorised people in Security
and for the purposes of extracting it, either in its entirety or by creating subsets
of it for populating the ARQ spreadsheets (and conducting these extractions
did not add to, edit or delete any of the audit data held in the audit server). By
substantive remote access, I am referring to Fujitsu’s ability to access and
inject transactions and data into live Horizon data before it was committed to
the audit server.
103. I also wish to reiterate that I never thought there was anything secretive about
the fact that Fujitsu used substantive remote access. I referred to it on a
number of occasions (see paragraph 23 above). My paper on the Receipts
and Payments Mismatch bug dated 28 September 2010, for example, which
was shared with POL and its lawyers, contemplated that Fujitsu might use a
form of substantive remote access (with the prior knowledge of the SPMs and
POL) to correct the effect of the bug in the affected branches [FUJ00083353].
I proposed that, if Fujitsu were to inject data into the BRDB, this would involve
the development of a bespoke script that could be tested and then applied by
the SOT to the live data held in the BRDB as a software change (according to
a timetable to be agreed with POL).
Page 32 of 101
WITNO00460400
WITNO00460400
104. I do not know how it would have been feasible to operate Horizon without
substantive remote access. As far as I am aware, every computer system,
large or small, has a form of substantive remote access built into it.
My understanding in 2014 of substantive remote access
105. The Inquiry has asked me to describe my state of knowledge in 2014 of
Fujitsu’s past and present ability to insert, delete or edit data in Horizon that
could affect branch accounts in any way. I understand that this question is
referring to substantive remote access. To answer this question, I will refer to
some emails and documents I wrote or saw between 2014 and 2016, as I
believe that these provide an insight into my state of knowledge during this
period.
106. In the years when Legacy Horizon was operational (i.e. up to 2010), my
understanding from my colleagues was that, on the rare occasions it was
used, the default position was that substantive remote access was done at the
correspondence server. During this period, I may have been told that
substantive remote access had been done at the counter on one or two
occasions (although I cannot now remember and cannot point to any
examples of this). My lawyers have looked at the Inquiry’s database but they
have been unable to find any records where I gave advice about substantive
remote access at the counter. However, I am aware that Anne Chambers
emailed me and others in 2007 and referred to a possible case for “writing a
corrective message at the counter” in relation to a particular problem she was
dealing with [FUJ00142197]. My lawyers have not found any reply from me on
the Inquiry’s database and I am not mentioned on the associated PEAK at
[POL00023765]. It is difficult to say therefore what I thought or understood in
2007 about what Anne was proposing (i.e. whether she meant writing a
message at the correspondence server which would cause it to be replicated
to the counter or writing a message at the counter itself). I do note though that
in her email, Anne refers to taking the question up with Tony Jamasz or Gary
Page 33 of 101
WITNO00460400
WITNO00460400
Blackburn of POL, so she was clearly adopting an open approach to POL
about the possible use of substantive remote access.
107. At this time, in 2007, I doubt that I would have drawn, or thought a great deal,
about any distinction between substantive remote access at the counter and
substantive remote access at the correspondence server.
108. Turning then to the emails, I can see that, on 14 April 2014, I replied to James
Davidson (of Fujitsu) about questions which had originated from Second Sight
and which had been forwarded by Rodric Williams (of POL) [FUJ00087100].
Some of these questions concerned an email exchange between Andy Winn
and Alan Lusher (both of POL) which discussed substantive remote access
by Fujitsu in 2008 (i.e. in Legacy Horizon). A copy of this email exchange,
which dates from October 2008, is at [POL00029710].
109. One of the first questions was “Can Fujitsu change branch transaction data
without a subpostmaster being aware of the change?” This question was
general in nature and seemed to encompass Legacy Horizon and Horizon
Online. My answer was as follows:
“Strictly no, in that data cannot be changed. However additional data can
be inserted, but this is very rare. The mechanisms for doing this were
very different between the old Horizon system and the new Horizon
Online system. In response to a previous query we checked last year
when this was done on Horizon Online and we found only
one occurrence in March 2010 which was very early in the pilot. We don't
have explicit details for the old Horizon system, however it would be clear
from the spreadsheets produced from the audit trail if such data have
been injected as it would appear to have been written at the Data Centre
and not at the counter.”
110. My response reflected my understanding or memory in 2014 of what
substantive remote access in Legacy Horizon had involved. I was working on
Page 34 of 101
WITNO00460400
WITNO00460400
the assumption that, on the rare occasions it had arisen, substantive remote
access had happened at the correspondence server.
111. Mr Williams asked why this remote access functionality was built into the
system design. Again, this was an open question which seemed to encompass
both Legacy Horizon and Horizon Online. I responded that it was to allow for
data to be accessed if there were any defects found in the system.
112. Mr Williams asked why Fujitsu would need to use this functionality. I referred
to my previous answer and added that it would only be done under instructions
from POL. This reflected my understanding in 2014 that POL had to approve
Fujitsu’s use of substantive remote access in Legacy Horizon and Horizon
Online.
113. Mr Williams asked what controls were in place to prevent the unauthorised
use of this method of access. I explained that this was controlled by normal
operational procedures and that ‘Ops’ (i.e. the SOT) should have these details
as these procedures were audited. I think my answer makes clear that I did
not have these procedures to hand and was not familiar with them (which
reflects that I had never had to use them).
114. Mr Williams asked when these powers had been used. I referred to knowing
of only one instance in Horizon Online (this was based on work Fujitsu had
conducted in 2013). I said that I didn’t know about Legacy Horizon but said I
believed the use of substantive remote access on that system had been very
rare. I think that this belief would have been based on how rarely it had been
raised with me prior to 2010 and from what I had understood from SSC staff
such as Anne Chambers and John Simpkins.
115. Mr Williams then asked some further questions about the Winn/Lusher email
exchange, so my answers were focused on Legacy Horizon. I explained that:
a. The "message store” was the repository (or database) where all
transactions were written.
Page 35 of 101
WITNO00460400
WITNO00460400
b. Data in the message store could not be changed, but new data could
be injected into it.
c. Any such injected data would be tightly controlled by operational
processes.
d. The "impact" of this change on branch records would depend on exactly
what records were injected.
e. The SPM would “not necessarily” be aware of the change.
f. This method of access would be used to correct errors resulting from
software defects.
g. The controls in place to prevent misuse of this method of access were
standard operational processes.
116. My answer “not necessarily” reflected my inability to say for certain what the
position was. I could not say whether POL had always told the SPM about
Fujitsu’s use of substantive remote access in Legacy Horizon. As I have said
previously, when I proposed a form of substantive remote access in relation
to correcting the effects of the Receipts and Payments Mismatch bug in
September 2010, I worked on the assumption that POL and the SPMs would
be informed about its use (see my reference to their being “happy” with
Fujitsu’s proposed use of it [FUJ00083353)).
117. On 8 July 2015, I produced a paper entitled ‘Old Horizon’ [POL00021783]. I
cannot remember the exact genesis of the paper (and I had retired by this
point). The paper explained that:
“There were processes in place to allow 3" line support staff to inject
messages if necessary in order to correct issues. Any such injection
would have been subject to the operational change processes and any
Page 36 of 101
WITNO00460400
WITNO00460400
such change would have been signed off by Post Office Ltd... Any such
message would be included in the audit trail [...] this means that it should
be possible to identify them if they had occurred [...] The SSC may have
details of any such process. I don’t have such information. I am not
aware of any specific instances where this would have happened and I
do know that it would only have been done if there was no other option
to correct a fault.”
118. I think this paper made clear that I didn’t have the first-hand knowledge to
provide information about occasions when substantive remote access in
Legacy Horizon had been used. This is information that the SSC would have
had. I don’t recall being asked any questions about this paper after I submitted
it (and I haven't seen any emails to this effect). I don’t know (because I had
retired) whether anyone in Fujitsu carried out further work arising from the
information that I couldn't provide.
119. The Inquiry has also referred me to two documents dating from August 2016.
[FUJ00087187] is a note dated 12 August 2016 prepared by Alan Holmes,
which records a conversation he says he had with me about substantive
remote access in Legacy Horizon. I think the note contains a typo when it
states that this conversation occurred on 12 August 2015. My understanding
is that the note was emailed by Alan Holmes to a group of Fujitsu recipients
on 15 August 2016 [FUJ00087185], although I was not copied into the email
(again, probably because I had retired from Fujitsu over a year earlier).
120. The Inquiry has asked me whether Alan Holmes’ note fairly reflects what I said
to him. The key parts read as follows:
"[...] It was possible to inject messages into the central message store
and these would be transmitted to the relevant counter message store.
This was the process that was used to effect the equivalent of
transaction corrections in old Horizon. Any such correction entered this
was [sic] would be recorded with a node Id of the central correspondence
Page 37 of 101
WITNO00460400
WITNO00460400
server (>32) and would be included in the standard branch audit trail.
Thus they are readily identifiable [...] unlike the current Transaction
Correction tool which restricts the types of corrections that can be made,
it was previously possible to inject any sorts of messages into the branch
transaction stream."
121. I don’t remember whether there was any context for Alan Holmes’ call but it
seems to have come somewhat out of the blue during my retirement. I don’t
know whether this note captures everything I said to Alan Holmes or the exact
words I used but it reflects what I remembered at the time (in 2016) about
substantive remote access in Legacy Horizon.
122. The Inquiry has asked me to explain why Alan Holmes recorded me as saying
that “any such correction entered this [way] would be recorded with a node Id
of the central correspondence server (>32) and would be included in the
standard branch audit trail”. I believe I would have said this to Alan Holmes. It
would have reflected my understanding or recollection in 2016 that in Legacy
Horizon, on the rare occasions it was used, substantive remote access was
done at the correspondence server (which bore a Node ID of 32 or more),
which made it possible to identify the injections in the raw audit trail.
How my understanding of substantive remote access evolved after 2016
123. I have considered how my understanding of substantive remote access
evolved after 2016. I have identified a number of ways in which it evolved.
124. In 2017, I was asked by POL to assist with drafting a paper (as part of Project
Bramble) as to whether substantive remote access could be used maliciously
or for unauthorised purposes, and whether so-called “Super Users” in Horizon
Online were subject to sufficient controls. This provided me with further
understanding about substantive remote access. I have set out this work at
paragraphs 141 to 147 below. Whilst this work deepened my understanding
Page 38 of 101
WITNO00460400
WITNO00460400
of remote access, it did not suggest to me that my prior understanding of it (as
summarised above) was wrong.
125. My understanding of substantive remote access also evolved as a result of my
involvement in the civil proceedings in 2018-2019. As I set out below, this
deepened my understanding of the SSC’s use of substantive remote access
in Legacy Horizon, including at the counter. I believe that I may well also have
heard the word “APPSUP” (in relation to Horizon Online) a few times in my
final years at Fujitsu but I didn’t know exactly what it meant. During the civil
proceedings, I learned that “APPSUP” (or the “APPSUP role”) referred to a
privilege which gave members of the SSC remote access to live data on
Horizon Online. I do not know enough about it to explain why it was necessary,
the circumstances in which it might have been used or how frequently it was
used (if at all). I am also unclear as to exactly what data this role enabled to
be accessed and in which way. I would need to defer to the Oracle database
experts such as Andy Beardmore, Peter Jobson and Gareth Seemungal.
126. As a result of the civil proceedings in 2018-2019 and now this Inquiry, I have
also learned that there were rare occasions when POL were not told, and did
not approve, Fujitsu’s use of substantive remote access, and that this was
contrary to Fujitsu's procedures. This was inconsistent with my previous
understanding that POL always approved each incidence of substantive
remote access.
127. This evolution in my understanding of substantive remote access is relevant
to a particular question the Inquiry has asked me, which is whether I accept
that unaudited privileges that allow a person to add to or amend data within
branch accounts posed risks to the integrity of those accounts, even if that
person did not intend to use those privileges for improper purposes.
128. Knowing what I know now, I understand that this risk may, in theory, have
existed. However, Fujitsu could only add new transactions and data, not
amend existing transactions and data. Moreover, the only point of adding new
transactions and data was to ensure that the branch accounts accurately
Page 39 of 101
WITNO00460400
WITNO00460400
reflected the transactions conducted at the counter. I had faith in the proper
implementation of the processes for substantive remote access, including
adhering to the safeguards I understood to exist, which would identify what
had been inserted and who had inserted it. I cannot recall learning of any
occasion when incorrect data was inserted into Horizon.
129. As a result of the civil proceedings, the SSC provided details about the very
rare occasions when they had injected a transaction or data at the counter in
Legacy Horizon. Generally, that would have made the transaction or data
more difficult to detect as having been injected remotely than if they had
injected the transaction or data at the correspondence server. However, I have
also read the evidence of Anne Chambers in this Inquiry that, on the extremely
rare occasions she injected transactions or data at the counter, she adopted
the User ID of the end user but usually left a ‘comment’ indicating that she
(rather than the end user) had injected the transaction or data (the position
would be different if nobody was logged on at the counter, since then the
injected transaction or data would not be associated with any end user’s User
ID). The transaction or data injected at the counter should therefore have had
additional special attributes associated with it, indicating that it had been
injected remotely by Fujitsu. These special attributes would have been
included in the messages that were committed to the audit server. As such,
the fact that Fujitsu had injected the transaction or data remotely at the counter
would have been detectable in the raw audit data. I also came to understand,
during the GLO proceedings, that there were occasions when injections at the
counter in Legacy Horizon would bear a “fictitious” Node ID associated with a
counter which was not used, i.e. again, so that it would be clear that the
transaction or data had not been injected by a branch user.
130. On that basis, I can see now that there might have been a risk to the integrity
of branch accounts in Legacy Horizon if: (a) Fujitsu inadvertently injected an
incorrect transaction or data at the counter, and (b) this injection occurred
whilst the branch user was logged in (such that their user ID was used by
Fujitsu), and (c) Fujitsu did not inform the SPM that they had injected the
transaction or data, and (d) Fujitsu did not inform POL (who therefore had no
Page 40 of 101
WITNO00460400
WITNO00460400
opportunity of informing the SPM) that they had injected the data (or POL knew
but did not inform the SPM), and (e) Fujitsu did this without adding a comment
or any other special attribute in the data. But all that said, to my knowledge,
the only people who ever undertook this exercise were highly skilled computer
engineers working to the processes for substantive remote access. I did not
think, at the time, that any risk to the integrity of the branch accounts arose.
Even now, I have no reason to think such errors occurred or that proper
procedures were not adhered to that would have affected the integrity of the
branch accounts. I do not know whether any of the circumstances set out in
this paragraph ever combined.
131. In relation to Horizon Online, I do not know enough about APPSUP to say
whether it posed a risk to the integrity of branch accounts, but I am aware that
Mr Justice Fraser found that it was a powerful privilege. I don’t know how
powerful it was, but there should have been appropriate written procedures
governing its use and audits of those procedures to ensure it was being used
appropriately. I cannot recall learning of any occasion when incorrect data was
inserted into Horizon Online using APPSUP, nor has the Inquiry drawn my
attention to any.
132. In a similar vein, the Inquiry has asked me whether I accept that innocent
mistakes can be made by persons using privileges to add or amend data in
branch accounts that would undermine the integrity of the latter without an
audit trail. Again, it is important to say that Fujitsu could only add new
transactions and data, not amend existing transactions and data. And again, I
accept that it is possible that innocent mistakes could be made when adding
transactions and data. However, I understood that there were written and
audited procedures (including, for example, the four eyes requirement) which
reduced that risk, both in Legacy Horizon and Horizon Online. I would have
expected that the underlying OCR, OCP and/or PEAK would have explained
why remote access had been used, what should have been injected and by
whom. They could be checked in the event of any dispute. The only
circumstances I can think of where there would be no audit trail at all to
demonstrate a mistake are (as above) if: (a) Fujitsu inadvertently injected, in
Page 41 of 101
WITNO00460400
WITNO00460400
Legacy Horizon, an incorrect transaction or data at the counter, and (b) Fujitsu
did not leave any special attributes in the raw audit data that would indicate
that the transaction or data had been injected remotely, and (c) Fujitsu did not
complete any of the relevant OCR, OCP and PEAK forms. Again, I have no
reason to think that these circumstances combined. I do not know whether
they ever did.
133. Finally, I have referred on a number of occasions to the fact that, when I
worked at Fujitsu, I understood that substantive remote access was very rare.
I have read the evidence given to the Inquiry by Richard Roll, which conveys
a different impression about the frequency with which the SSC used
substantive remote access (although I don’t think he suggests that it was ever
used for malicious purposes). I understand that Mr Roll worked in the SSC
between 2001 and 2004. I have also read the evidence given to the Inquiry by
Anne Chambers, who worked in the SSC between 2000 and 2016, and who
said that, in her experience, instances of “making a financial correction were
few and far between” [INQ00000981]. John Simpkins, who has worked in the
SSC (or its predecessor departments) since around 1996, told the Inquiry that
he had looked at the documentation retained by Fujitsu to record substantive
remote access and in 10 years he had found evidence of 28 “financial remote
changes”, and of these, he had only found one PEAK in which the SSC didn’t
notify the SPM about the changes [INQ00001115]. As I have said, I never
worked in the SSC and as such I never personally used substantive remote
access. What I can say is that Anne and John’s evidence to the Inquiry
accords with my own understanding, both at the time and now, about how
rarely, in practice, Fujitsu actually exercised substantive remote access.
What Second Sight and POL’s lawyers were told about remote access
134. As mentioned earlier in this witness statement, on 14 April 2014, Rodric
Williams (of POL) emailed James Davidson (of Fujitsu) with a list of questions
about substantive remote access [FUJ00087100]. One of the questions was
as follows:
Page 42 of 101
WITNO00460400
WITNO00460400
“Can Fujitsu change branch transaction data without a subpostmaster
being aware of the change?”
135. James Davidson emailed Fujitsu's responses back to Mr Williams on 17 April
2014 [POL00108538]. He explained that branch transaction data could not be
changed but additional transactions or data could be inserted. He explained
that if this was required, the additional transactions or data would be visible
on the trading statements but would not require acknowledgement/approval
by a subpostmaster, and that the approval would be given by POL via the
change process.
136. He also explained in relation to Old Horizon that: “a detailed examination of
archived data would have to be undertaken to look into this across the lifetime
of use. This would be a significant and complex exercise to undertake and
discussed previously with Post Office but discounted as too costly and
impractical.”
137. Shortly after that, I understand that Fujitsu provided information to Deloitte to
assist them with ‘Project Zebra’ and Deloitte produced a draft ‘Project Zebra’
paper on 23 May 2014 [POL00028062] and a POL board briefing paper on 4
June 2014 [POL00028069]. The latter made the point that:
“From the documentation we have reviewed, it appears that Horizon is
designed such that the Sub-postmaster has visibility of all centrally
generated transactions to their Branch ledgers in that accounting period.
Central transactions require Sub-postmaster approval to be
processed, except for Balancing Transaction postings. This
appears to be an exceptional process, performed only by Fujitsu,
and asserted by them to have only been used once (in 2010) between
2008 and the time of their assertion in this area (15 May 2014). Usage
pre 2008 is currently not known.”
138. I don’t know why there is a reference to 2008 in Deloitte’s report (this would
only make sense to me if it was a reference to 2010) but otherwise what they
Page 43 of 101
WITNO00460400
WITNO00460400
said in this paragraph was consistent with what Fujitsu had told POL on 17
April 2014 (see above).
139. My lawyers have also shown me an email exchange of 3 March 2015
[POL00312743] between Mr Williams and Mr Parsons about the witness
statement that I had given in the case of R v Wylie. Mr Williams asked Mr
Parsons if my statement was consistent with POL’s statements about remote
access. Mr Parsons replied as follows:
“Not quite — we say that transactions entered by SPMRs cannot be
edited but we don't go on to say that FJ can input new transactions in
exceptional circumstances. This information would therefore be entirely
new news to SS.”
140. Clearly I do not have the whole picture of what POL told Second Sight about
substantive remote access in 2014 and 2015, but looking at this email in
isolation, I don’t understand what Mr Parsons was suggesting. That Fujitsu
could inject transactions and data into live data was clearly understood by POL
and its lawyers (including Mr Parsons himself). Both Fujitsu and Deloitte had
told POL that in 2014. Both Fujitsu and Deloitte had explained to POL in 2014
that these injections did not require SPM approval.
The Deloitte Review
Rule 9(2) Request questions 206, 208 and 209
141. The Inquiry has asked me questions about the Deloitte Review, which I
understand was named Project Bramble. I retired from Fujitsu in early 2015
and I understand that POL appointed Deloitte at some point in 2017. I had no
involvement in their appointment, but I came out of retirement for a couple of
days to assist with the Deloitte Review given my historic knowledge of
Horizon.
Page 44 of 101
WITNO00460400
WITNO00460400
142. The Inquiry has asked me to describe the assistance I gave to Fujitsu, POL
and/or Deloitte in respect of Project Bramble. Based on the documents I have
seen, I believe that my assistance was limited to preparing and discussing a
draft paper called ‘Database Security in Horizon Online’. I understand that this
paper went through a number of versions which various people had input into.
I understood that the issues addressed in this paper were only one area
covered by Project Bramble. I don’t recall having any involvement in the other
areas Deloitte was asked to cover in Project Bramble.
143. At the outset, I should clarify that my paper was not about the type of
substantive remote access I have described above. It was not about the
injection of transactions or data in good faith in order to correct errors which,
if left uncorrected, would give a misleading view of branch accounts. My paper
considered the hypothetical possibility of malicious access by a user (in
particular so-called “Super Users” with privileged access) if they were
determined to inject incorrect information. The focus of the paper was whether
and how such a user might manipulate or tamper with live data in the small
window between (a) the data being input by the end user, and (b) the data
being committed to the audit server.
144. Looking at the email at [FUJ00194700], I believe it was Andy Thomas from
Fujitsu who briefed me and explained to me the topics that this paper was to
cover. Andy was a senior designer for Horizon Online particularly on the BAL
(which was the Data Centre component that the counter communicated with
and was responsible for writing to the BRDB). I understood that I was being
asked to prepare this paper in order to respond to questions Deloitte had
asked POL about the possibility of malicious access to Horizon data.
145. I will now set out, as best I can, how the paper (and my involvement in it)
evolved:
a. I believe the first draft of this paper was dated 9 March 2017, marked as
“version 0.1” [FUJ00087230]. The paper is called ‘Database Security in
Horizon Online’. Section 2 considered malicious access in Horizon
Page 45 of 101
WITNO00460400
WITNO00460400
Online and section 3 went on to consider malicious access in Legacy
Horizon. There is a lot of technical detail in the paper and it asks some
questions in relation to areas I felt needed to be covered by others still
working at Fujitsu. The main view I reached, as set out in section 1, was
that it would be almost impossible in practical terms for someone at
Fujitsu, if determined to act maliciously, to tamper with the data before it
was committed to the audit server. I formed this view following a number
of discussions with people still working at Fujitsu. I recall speaking to
Alan Holmes and Torstein Godeseth in particular. I understood that they
shared my view.
. I believe that the second draft of this paper was dated 14 March 2017,
marked as “version 0.2” [FUJ00087231]. I recall producing this second
draft having gone into Fujitsu’s office that day to speak to Jason Muir
and Torstein Godeseth about my first draft. The second draft
incorporates their responses (and those of others) to the questions I had
posed in my first draft and reflects their general feedback. The main view
remained unchanged, but there are, for example, new sentences on
pages 2 and 4, explaining that super users do not have access to audit
data and that elements of super user activities were audited. It also
contains a new section 4 explaining the SPM's perspective.
. I believe that the third draft of this paper was dated 22 March 2017, also
confusingly marked as “version 0.2” [FUJ00087232]. I believe this third
draft was produced by others (probably Torstein Godeseth and/or Pete
Newsome) without my involvement. I don’t recall seeing it at the time and
have seen no emails suggesting I did. Again, the main view remained
unchanged, but I can see that someone added an expanded introductory
paragraph which references the questions raised by Deloitte and that
section 4 was amended.
. My lawyers have shown me an email dated 28 March 2017 from Jonny
Gribben (who I understood to be a lawyer at Womble Bond Dickinson)
to Rodric Williams, which includes a draft email Jonny suggested should
Page 46 of 101
WITNO00460400
WITNO00460400
be sent to Chris Jay (Senior Counsel at Fujitsu), setting out questions
WBD had about my paper [POL00023442]. I don't have a specific
memory of seeing these questions, but I may have done because I
remember going into Fujitsu’s offices towards the end of March 2017 to
speak to Torstein Godeseth about POL’s feedback on the paper.
e. I believe that the fourth draft of my paper was dated 7 April 2017, marked
as “version 1.0” [FUJ00087234]. I believe this fourth draft was produced
by others (including Torstein Godeseth) without my involvement,
although some of the changes may well have been based on the
conversation I had had with Torstein at Fujitsu’s offices in late March
2017. I don't recall seeing this draft at the time and have seen no emails
suggesting I did.
f. I attended a conference call with representatives of Deloitte, POL and
Fujitsu on 11 May 2017, the agenda for which is set out in an email from
Lewis Keating of Deloitte at [FUJO00170288]. I don’t recall seeing this
email at the time (I am not copied into it) but I do have a vague memory
of the call itself and some of the discussion addressing Deloitte’s
questions.
146. After this call on 11 May 2017, I don’t believe I had any further involvement in
the work in Project Bramble. I haven’t seen any emails suggesting that I
commented on any drafts of the Project Bramble report that Deloitte produced
for POL. My lawyers have shown me a draft of this report dated 1 September
2017 [POL00030068]. Page 62 onwards sets out a record of the conference
callon 11 May 2017, including Fujitsu's answers to Deloitte’s questions. I have
looked at these answers and they seem to be accurate.
147. The Rule 9(2) Request has asked me to explain the sentence in my paper at
section 3.1 which says that “Node ID: [...] Counter Node Ids where between 1
and 31, and Correspondence Server Node Ids where between 32 and 63”.
This sentence is making the point that, where Fujitsu injected data at the
correspondence server in Legacy Horizon, the injected message would bear
Page 47 of 101
WITNO00460400
WITNO00460400
a Node ID of 32 or higher. This would show to anyone examining the counter
reports or audit data that Fujitsu had injected the data remotely, to distinguish
it from data inserted by an end user at the counter. Subsequently, at section
3.3, I noted that if a malicious super user wished to interfere with the branch
data, they would have to inject messages either at the correspondence server
or the counter.
148. The Inquiry has asked me to consider paragraphs 316 to 321 of the Horizon
Issues judgment [POL00112816] and has asked me whether relevant Fujitsu
employees could insert transaction data into the message store without the
entry showing a node ID of 32 or above. It was only in the preparations for the
civil proceedings in 2018-2019 that I came to have a clearer understanding
about remote access at the counter which is relevant to this question. I
address this below.
149. The Inquiry has asked me to explain whether the following sentence in my
paper was accurate: “An Audit Application [...] read every record that was
visible to the Correspondence Server [...] and wrote a text copy of that data
to a text file’. I confirm that this sentence was and remains accurate. I
designed that particular agent (the audit application) back in the late 1990s.
150. Finally, the Inquiry has asked me to explain the difference between (a) the
process for a person replacing the entire message log in Horizon Online, and
(b) the process for a person at Fujitsu inserting transactions into the BRDB.
I'm afraid I don’t understand this question but would be willing to try to answer
it if the Inquiry could explain the information it wants.
Reconciliation
Rule 9(2) Request question 210
151. The Inquiry has asked me some questions about a paper I wrote dated 9
August 2016 concerning reconciliation controls, which is at [FUJ00086810]. I
Page 48 of 101
WITNO00460400
WITNO00460400
recall that, just over a year after I retired from Fujitsu, I was asked to assist
POL with questions they had received from their auditors about mismatches
between the figures for cash holdings on their finance systems (POL SAP)
and the figures for the equivalent cash holdings on Horizon.
152. I recall having an initial meeting in London and then two trips to Chesterfield
to look at the data. I realised that the main cause of the mismatches were
transactions that were taking place ‘out of hours’ (i.e. between 7pm and
midnight), which were not picked up by POL SAP until the next day, whereas
they were picked up by Horizon contemporaneously. I produced my paper to
explore what could be done to improve the reconciliation of cash holdings
between POL SAP and Horizon. After I produced my paper, Pete Jobson took
over the work I had started and I had no further involvement in it (I understood
that Fujitsu had only asked me to assist in the first place because Pete was
on leave or very busy in July/August 2016).
153. The Inquiry has referred me to page 2 of my paper, which reads:
“If the values don’t match then this will require investigation by POL. I’m
concerned about introducing a further level of reconciliation and any
implications that may [put] on Fujitsu to investigate them. I suspect that
there are differences in some branches going back to operational issues
in the very early days of POLSAP and its predecessors. There has [not
been an] attempt at full reconciliation since the initial levels were loaded
back in 2004”.
154. The Inquiry has asked me to explain why full reconciliation had not been
attempted since 2004 and why I was concerned about the implications.
155. In 2004, Project Impact introduced a change by which the opening cash levels
(and the daily cash movements) for each branch were posted to POL SAP.
My concern was that if POL SAP had missed a branch's daily cash
movements, the figures as viewed by POL SAP and Horizon might not match.
After examining the figures, I quickly found that POL was not comparing like
Page 49 of 101
WITNO00460400
WITNO00460400
with like, because the POL SAP postings were ignoring ‘out of hours’ cash
movements, whereas Horizon took them into account. I assume (but cannot
be certain) that this was remedied by reconfiguring the report produced by
Horice from Horizon data to ignore these ‘out of hours’ cash movements (like
POL SAP did). Once this reconfiguration was done, most (if not all) of the
mismatches between POL SAP and Horizon fell away.
156. These mismatches did not have any effect on branch accounts because these
were always calculated every 24 hours at midnight using data held in BRDB,
ie. they were not subject to end of day variations between 7pm and midnight.
The Group Litigation
157. The Inquiry has asked me a number of questions about the Group Litigation
(GLO proceedings) brought by Mr Alan Bates and others against POL in 2018-
2019. I have found it difficult to respond to some of these questions. Trying to
reconstruct what happened with particular documents in the GLO proceedings
(including all of the track changes and comments made by numerous people
on different draft versions of them) is painstaking and extremely time-
consuming. I have tried therefore in this statement to focus upon what I think
are the main issues that the Inquiry is interested in as they relate to me.
158. At the time of writing there are some gaps in the disclosure which mean I don’t
have the full picture in front of me. I have not been able to piece together some
of the work that I did or understand whether and how it came to be used in the
GLO proceedings. There are details I have not been able to address. I am
aware that my lawyers wrote to the Inquiry to alert them to some of these gaps
in terms of what was on the Inquiry’s database and that the Inquiry has
uploaded further documents to the database in response. I understand though
that the Inquiry wishes to press ahead with obtaining statements whilst
disclosure is ongoing. I am not criticising the Inquiry for this. I am setting it out
to explain the approach I have taken and why I might need to add to this part
of my statement in the future.
Page 50 of 101
WITNO00460400
WITNO00460400
159. In terms of that approach, I have tried to focus on what I think are the
significant issues that the Inquiry would want me to address and to do my best
to provide answers about these issues but without trying to reconstruct all of
the email exchanges about them. Before turning to the Inquiry’s questions, I
have highlighted what I think are some overarching points.
160. First, when I assisted POL with the GLO proceedings, I wasn’t aware of what
Mr Clarke had said about me in his advice of 15 July 2013 or POL's criticisms
of my role in its prosecutions. I retired in early 2015. It was in late 2020, well
after the GLO proceedings had concluded, that I learned of what Mr Clarke
had advised about me. As I have said above, if anyone did speak to me (at
the time of the GLO proceedings) about my evidence in the criminal
proceedings, it was wholly unclear to me that it was because I had been
subject to the criticisms set out in Mr Clarke’s advice.
161. I do not understand why POL did not make these criticisms clear to me. They
appear to have kept this background from me whilst continuing to rely upon
me to provide information in the GLO proceedings. Had I known about these
criticisms in 2018-2019, I would have been surprised as I did not think I had
done anything wrong, and would have wanted to know more. I would also have
questioned why POL sought to rely on my input if they considered me to be
unreliable. I would have wanted to understand in more detail what had gone
wrong.
162. Second, it was POL's decision not to call me as a witness in the GLO
proceedings. I didn’t know that this was because of the Clarke advice or the
criticisms of me. I understood (because I was told) that POL did not want the
litigation to get side-tracked into a re-hearing of certain prosecutions,
especially Mrs Misra's case, if I gave evidence. Had POL asked me to give
evidence (and not told me about the Clarke advice), I would have done so.
163. Third, I was one of a number of Fujitsu employees (in my case I was the only
former employee) who assisted POL with technical input into the expert and
witness evidence. As I will explain, we generally provided this input
Page 51 of 101
WITNO00460400
WITNO00460400
collaboratively as a team. On a number of issues, others within this Fujitsu
team gave more input than me because they knew more about those issues
than I did.
164. Fourth, I had no influence over POL’s legal strategy. I did not ‘sign off on any
expert reports or witness statements. I did not review legal pleadings before
they were submitted or anything like that. Generally, I had little direct
interaction with POL’s lawyers. Whether and how they took any technical
information from me or others on board was a matter for them. It never
occurred to me to question their strategy or whether they were acting
professionally. I took that as a given. I did not attend any of the court hearings.
165. Fifth, my concern throughout the GLO proceedings was ensuring that the
information I provided was accurate and, where available, supported by the
data I had reviewed. That included information which I knew might be
unhelpful to POL (or indeed Fujitsu). I give some examples of this later in this
statement.
166. Sixth, I made hundreds of comments (as did my colleagues), and produced
very many notes, over a number of months throughout the GLO proceedings.
These were written without knowing what POL’s legal strategy was. Many
were written under considerable time pressure. Some were written before my
technical understanding of particular issues developed. Some were informal
and shorthand in nature because the intended audience was my former
colleagues in Fujitsu. Equally, they would comment on the same documents
or provide additional information or answer queries raised in comments. I
would ask the Inquiry to bear this context in mind when they have singled out
particular comments I made (from a vast number of other comments) and
asked for my explanation of them but in isolation.
167. Seventh, and finally, I have read the Horizon Issues Judgment of Mr Justice
Fraser together with its Technical Appendix. I have reflected on the Judge’s
findings and criticisms. Some of those criticisms were directed at me. I had no
opportunity to respond to these criticisms at the time of the GLO proceedings
Page 52 of 101
WITNO00460400
WITNO00460400
because POL did not call me as witness (and I had no idea prior to the
Judgment being handed down that I might be singled out for any criticism). I
have responded to those criticisms taking them in the order in which they
appear in the Horizon Issues Judgment and Technical Appendix.
168. At paragraph 229(1) of the Horizon Issues Judgment, the Judge criticised the
explanation I had given to Helen Rose in 2012 (in respect of the Horizon-
generated reversals at Lepton branch experienced by Mr Armstrong) that “the
system had behaved as it should”. I think that the fuller picture I provided to
Second Sight several months later (as described in paragraphs 34 to 48 of
this statement) gives more detail as to why Horizon Online has acted as
designed (including the information which the system generated to indicate
that the transaction had not gone through). That was also Second Sight’s
conclusion (albeit they criticised the timing of the receipts). Any system needs
to have a process for dealing with transactions that are not successfully
processed and therefore unable to be committed to the Data Centre.
169. At paragraph 229(2) of the Horizon Issues Judgment, the Judge criticised me
for the statement, in relation to the Horizon-generated reversal at Lepton
branch, that “/ do not see the scenario occurring regularly and creating large
losses.” In fact that statement was made by Helen Rose (in her report to
Angela van den Bogerd). The Judge seems to have made an error in
attributing it to me.
170. At paragraphs 315-317 of the Horizon Issues judgment, the Judge stated that
Torstein Godeseth:
“[...] had given information in his first witness statement, namely that in
Legacy Horizon, any transactions injected by SSC would have used the
computer server address as the counter position which would be a
number greater than 32, so it would be clear that a transaction had been
injected in this way by someone other than the SPM. This is important
because it would be consistent with the case originally advanced by the
Post Office that any such injections would be entirely visible as having
Page 53 of 101
WITNO00460400
WITNO00460400
been done externally (i.e. not within the branch) due to the counter
number used. However, this important information was simply incorrect,
and was corrected both by Mr Godeseth and Mr Parker in subsequent
statements before they were called, and as a direct result of Mr Roll’s
evidence. The information that was incorrect, and therefore had to be
corrected, had come directly from Mr Jenkins. This shows that Mr
Jenkins did, in at least one very important respect, give Mr Godeseth
directly incorrect information about the visibility of injected transactions,
which not only could have an effect on branch accounts, and whether
this would show (or rather, not show) that the impact on those accounts
had come from injections made outside the branch.”
171. I had (in a comment on his draft first statement) inadvertently given incorrect
information to Mr Godeseth. At the time, however, I thought this information
was correct. I gave this incorrect information on 21 September 2018, when I
commented that any transactions or data remotely inserted by the SSC into
Legacy Horizon had been done at the correspondence server (rather than the
counter) and would therefore have generated a Node ID of 32 or higher
[FUJ00159545].
172. Between giving this information to Mr Godeseth on 21 September 2018 and
13 October 2018, I learned that I was wrong. At some point in these 3-4 weeks,
having read the first statement of Richard Roll, I spoke to former colleagues
in the SSC (such as John Simpkins) about what Mr Roll had said in his
statement. I was informed that there were very rare occasions when the SSC
had injected transactions or data directly at the counter in Legacy Horizon (and
therefore that the possibility of the use of a node less than 32 arose). As I will
explain, I corrected my misunderstanding in a note dated 13 October 2018
[FUJ00181504]. This was a genuine error on my part. It is apparent that others
at Fujitsu had also genuinely misunderstood the position (including Mr
Godeseth himself). As I will explain, on realising my mistake (and having taken
steps to check what Mr Rolls was saying), I made it clear that POL should
correct it so that the court was not misled.
Page 54 of 101
WITNO00460400
WITNO00460400
173. At paragraph 417 of the Horizon Issues Judgment, the Judge criticised an
email I sent on 8 March 2010 to Professor Charles MacLachlan (in the course
of the prosecution of Mrs Seema Misra) about the Callendar Square bug. The
Judge said that:
“This email does not provide anywhere near the same degree of
information about the Callendar Square bug as was available at the time
of the Horizon Issues trial, or as recorded in the PEAKs above. There
has obviously been further investigation at Fujitsu into this specific issue
since then, as made clear by Mr Godeseth’s evidence about the
information coming from Mr Lenton and Ms Anne Chambers. The email
does not use the term “software bug”. It does not refer to the fact that it
is accepted by Fujitsu, following an investigation, that the admitted bug
had affected at least 30 branches. Nor does it refer to the fact that the
Callendar Square bug caused mismatches at 19 of those 30 branches.”
174. As I explained at paragraph 429 of my third witness statement to the Inquiry
[WITN00460300], my email of 8 March 2010 was based on information I had
obtained initially from Anne Chambers. The Inquiry will recall that Anne had
forwarded an email to me about the Callendar Square bug because I didn’t
know about it at the time. I checked with Anne that what I said in the email to
Professor McLachlan was correct. That email was not intended to be a
comprehensive account of the bug. I gave more detailed written and oral
evidence about the bug in connection with Mrs Misra’s case throughout 2010.
As the Inquiry is aware, I provided Professor McLachlan with the relevant
PEAK when I met him at court. I was cross-examined at Mrs Misra’s trial about
it. I assume that the Judge did not have any of this documentation available
to him.
175. At paragraph 510 of the Horizon Issues Judgment, the Judge seems to have
been critical of how closely I was involved in the GLO proceedings, including
in this instance by correcting Mr Godeseth’s evidence that there were 62 (not
60) branches affected by the Receipts and Payments Mismatch bug. When I
reviewed Mr Godeseth’s draft second statement, he had written that this bug
Page 55 of 101
WITNO00460400
WITNO00460400
had affected “approximately 60” branches. This was accurate because of the
word “approximately” so I did not correct him. In the signed version of this
statement dated 16 November 2018 [FUJ00082234], however, the word
“approximately” was missing (at paragraph 42), giving the misleading
impression that 60 was the definitive number of affected branches. I only
spotted this change when reading Mr Godeseth’s second statement after it
had been served. I brought the error to his attention before he gave oral
evidence as I knew (and had always known) that the precise number was in
fact 62.
176. At paragraph 513(4) of the Horizon Issues Judgment, the Judge criticised POL
(and perhaps by implication me) for the reason they had given for not calling
me as a witness, finding that it was “not a valid reason”. I did not know what
reasons POL had given the court for not calling me as a witness.
177. At paragraph 880 of the Horizon Issues Judgment, the Judge criticised POL
and Dr Robert Worden, the expert witness relied upon by POL (and again,
perhaps by implication me) for the fact that Dr Worden had not mentioned me
in the section of his expert report listing the “sources of information” he had
consulted: “The involvement of Mr Jenkins in this explanation in his report was
simply hidden.” It was not my decision what sources of information Dr Worden
listed in his report. I would have assumed that Dr Worden was being guided
by POL’s lawyers in this respect. I had given technical information to Dr
Worden (via POL’s lawyers) so I am unable to explain why he did not list me
as one of his sources of information if he was obliged to do that.
178. At paragraph 159 of the Technical Appendix, the Judge criticised me for a
written note I had drafted in 2013 about the Suspense Account bug, stating
that:
“It is somewhat disingenuous, in my judgment, for Mr Jenkins in this note
effectively to blame others (which appear to include SPMs and the Post
Office), rather than Fujitsu, for this problem not becoming known about
until some years later.”
Page 56 of 101
WITNO00460400
WITNO00460400
179. My paper did not intend to “blame” anyone for the Suspense Account bug,
least of all the SPMs. The reality, however, was that POL had delayed in
informing Fujitsu about the bug. I accept that Fujitsu also bore responsibility
for failing to detect the bug sooner, but if Fujitsu had been alerted at the time
POL became aware of it, then steps could have been taken to remedy the
problem sooner.
General
Rule 9(2) Request questions 211 - 213
180. The Rule 9(2) Request asks me when I first heard about the GLO proceedings.
I am struggling to recall when I actually became aware of the GLO proceedings
as distinct from other matters such as the Mediation Scheme and Project
Bramble. However, I don’t think I had a significant level of involvement in the
GLO proceedings prior to May or June 2018. I recall being told by Pete
Newsome that I might be asked to work on a more regular/scheduled basis.
This correlates with an email I have seen dated 13 June 2018 at
[FUJ00222893], in which Steve Evans asked Pete Newsome (and others)
whether I should be “called in” to assist with responding to requests for
information from Jason Coyne. I think that led to my contributing to a document
entitled “Response to Information Requests from Jason Coyne”
[FUJ00087274].
181. The Rule 9(2) Request asks me to explain (in overview terms) the nature and
extent of the assistance I gave to POL in relation to the GLO proceedings, and
the information to which I was given access to provide this assistance. In
summary, I worked collaboratively with (then) current employees of Fujitsu, in
particular John Simpkins, Steve Parker and Torstein Godeseth (as well as
others on occasion such as Alan Holmes, Mark Wright and Gareth
Seemungal) to provide technical information to POL and its lawyers, Womble
Bond Dickinson (WBD). We gave this technical information in relation to those
Page 57 of 101
WITNO00460400
WITNO00460400
parts of the expert and witness evidence which WBD asked us to assist with.
In general terms that information could be divided as follows:
a. Commenting on witness statements and expert reports (such as Charles
McLachlan, lan Henderson, Richard Roll and Jason Coyne) served by
the claimants.
b. Producing analysis of data (raw audit data, ARQ extracts, PEAKs, KELs
and filtered NT event logs) relevant to the witness statements of SPMs
served by the claimants.
c. Commenting on the expert report of Dr Robert Worden (the expert
instructed by POL).
d. Preparing a technical analysis of the BEDs identified by the claimants’
expert Jason Coyne and POL’s expert Dr Robert Worden.
e. Responding to ad hoc questions from POL’s lawyers about discrete
technical issues.
182. It would have been impossible for one person in Fujitsu to have been solely
responsible for providing all of this input given its scale and the various types
of technical expertise required.
183. I had also expected to provide a witness statement in the proceedings (an
updated, general statement providing an overview of Horizon) but I was told
that I did not need to finalise this.
184. The Rule 9(2) Request asks me to explain how I was remunerated for this
assistance. I retired from Fujitsu at the end of February 2015 but was retained
by them on a consultancy basis until August 2022. I was paid a quarterly
retainer fee from March 2015 to September 2018 of £500 (i.e. £2,000 per
year), which increased to £550 from October 2018 to August 2022. I was also
paid a daily rate of £589 (approximately £80 per hour) for specific work which
Page 58 of 101
WITNO00460400
WITNO00460400
stayed the same throughout this whole period. I issued invoices to Fujitsu at
the end of a week when I had carried out work for them. I was not paid any
special rate for my work on the GLO proceedings and it was treated like any
of my other consultancy work for Fujitsu.
185. The Rule 9(2) Request asks me how often I had meetings with POL’s
representatives to provide my assistance. The vast majority of my
communications on the GLO proceedings were with Fujitsu employees who I
was working with to provide our technical input. Correspondence with POL’s
representatives was generally as a group, through Pete Newsome, Matthew
Lenton or Dave Ibbett, who I understand were coordinating Fujitsu's
assistance. We would sometimes have in-person meetings but would largely
correspond by email or on conference calls. Approximately once or twice a
month I would attend a conference call (by telephone and never or very rarely
in person as far as I can recall) with POL’s lawyers to respond to queries which
had emerged during their work. The principal POL representative who liaised
with us was Jonny Gribben at WBD.
186. The Rule 9(2) Request asks me what my view was of POL’s strategy in
responding to the allegations of BEDs raised in the GLO proceedings. I don’t
think that I had any visibility of POL’s overall strategy nor what WBD was trying
to achieve through their requests of Fujitsu. All I understood was that I should
provide technical information, alongside others, to the best of my knowledge
and ability, in response to the documents and questions sent to us by WBD.
Where I could not answer questions, I tried to assist WBD by directing them
to the most appropriate person or department within Fujitsu. I am not aware
of having received any submissions or pleadings or anything like that prior to
them being served at court. I vaguely remember being provided with a copy
of POL’s final opening and closing submissions after they had been served on
the court and the claimants.
187. I saw my role as providing technical information to WBD about the matters
they sought my assistance with. I took this task seriously and I was concerned
to provide accurate information, guided by the data where it was available,
Page 59 of 101
WITNO00460400
WITNO00460400
regardless of whether that information might be helpful or unhelpful to POL.
As a result of this work, I became aware of information (including about the
impact of certain BEDs and the nature of substantive remote access in Legacy
Horizon) which I hadn’t previously known or been engaged with. I passed what
I learnt to Fujitsu and POL’s lawyers. Once I had done this, I assumed that
POL’s lawyers would have incorporated it into POL’s evidence or disclosed it
to the claimants and the court as they saw fit.
188. I was not involved in any strategic decisions taken about witnesses. I have
seen an email [POL00042057] in which lawyers from POL and WBD
discussed strategy in relation to the nine witness statements recently served
by the claimants. In relation to the witness statement of Professor McLachlan,
there is a suggestion in an email from Andrew Parsons of WBD that they were
considering an application to strike out his evidence because he was “close to
re-opening points from Misra” and because he was purporting to be an
“additional expert”. These were not the sort of discussions that I, and insofar
as I know, my colleagues in Fujitsu were involved in. I hadn’t seen this sort of
correspondence until I was shown it by my lawyers in preparation for this
Inquiry.
189. The Rule 9(2) Request has asked me to describe any contact I had with SPMs
during the GLO proceedings and refers to the email chain at [FUJ00159667].
This email chain has nothing to do with me. I am not on LinkedIn and was
never contacted by Freeths (the lawyers for the claimants). As the email chain
states, there was another individual named Gareth Jenkins (“infrastructure
Gareth”) within Fujitsu who was an architect based within the London office
(see email signature on the first email within the chain). He also worked on the
Post Office Account. I have never had any contact with SPMs. If I had been
so contacted, I would have approached it in the same way that the other
Gareth Jenkins did in this email chain, and referred it to the Fujitsu legal team
for guidance.
Page 60 of 101
WITNO00460400
WITNO00460400
Horizon Issues
Rule 9(2) Request Question 214
190. The Inquiry has asked me to comment on what was discussed at a meeting
with POL which took place in August 2018, and why I was asked to comment
on a paper outlining certain ‘Horizon Issues’.
191. I think that this meeting was held at Fujitsu’s Bracknell office on 28 August
2018 and was a conference/Skype call with Jonny Gribben of WBD rather than
a meeting in person but I cannot be absolutely sure. Beyond recalling that a
meeting took place, I cannot remember much of what was discussed.
192. I have reviewed [FUJ00159300] (the meeting invitation), [FUJ00159312] (a
covering email of 28 August 2018 from Dave Ibbett attaching the ‘Horizon
Issues’ paper) and [FUJ00159313] (the attachment to the email).
193. I assume I was asked to comment on the ‘Horizon Issues’ paper because I
had a good knowledge of both iterations of Horizon. I could speak with
authority about the technical areas within my experience and knew who was
best placed to deal with issues I could not. However, with the scale of a system
like Horizon, it would have been impossible for one person to have visibility of
everything that arose over two decades, including every BED. That is why it
took a team of people from across Fujitsu to provide the answers required by
POL. I think that I would have provided comments on the paper as preliminary
thoughts for the purposes of internal discussion at the meeting on 28 August
2018.
194. The note contains the following comment by me: “When bugs were found that
affected the accounts, then the scope and impact of those was followed
through. The sort of losses related to the bugs was generally small, while the
losses made by the claimants was generally much larger” [FUJ00159313].
Page 61 of 101
WITNO00460400
WITNO00460400
The Inquiry has asked me to explain the basis on which I made the comment
(and others the Inquiry says are “like it”), when I was not familiar with all of the
KELs referred to in the note. In general terms, my understanding at the time
was that the losses caused by BEDs which I was aware of were significantly
smaller on average than the amounts being claimed by the SPMs. Clearly this
was at an early stage and my colleagues and I went on to do further work and
analysis touching upon the issues set out in this paper.
Assistance with expert evidence
Rule 9(2) Request questions 215 - 216
Dr Worden (question 215)
195. I have been asked to consider documents relating to Dr Worden’s reports and
to comment on the nature and extent of my advice or assistance to him. Dr
Worden was an expert instructed by POL in the GLO proceedings. To the best
of my recollection I did not meet Dr Worden in person nor did we send any
emails to each other. I can see that a conference call invite for 9 May 2018
was sent to me by Lucy Bremner on 8 May 2018 and Dr Worden is included
as an invitee [POL00133591]. I have no recollection of this call at all. If it took
place, I don’t think I would have understood at that stage that it was in
connection with the GLO proceedings.
196. My feedback on Dr Worden’s draft reports was fed into the Fujitsu group, with
Torstein Godeseth and me taking the lead. Generally we would receive a draft
of his report from WBD and one of us would make the first tranche of
comments. Then the other would review the annotated report and would add
further comments. I don’t believe there was any particular strategy for this; it
was simply a matter of who had availability to conduct a first review. I recall
one occasion when we had a very tight deadline set by WBD and Torstein and
Page 62 of 101
WITNO00460400
WITNO00460400
I sat down together to discuss our thoughts. This was not my preferred way of
working. I liked to sit with the report myself and commit my comments to writing
for others to consider.
197. I think I was provided with a draft of Dr Worden’s ‘Foundation Report’
[FUJ00081969] and his ‘Quantitative Approaches to Horizon Bugs’ report’
[FUJ00081968] in early July 2018. I see from the emails that Torstein sent a
copy of Dr Worden’s draft reports with his and my comments back to WBD on
13 July 2018 [FUJ00081967].
198. At paragraph 28 of his draft Foundation Report, Dr Worden stated that he
invited comments from Fujitsu “to correct any misunderstandings about
Horizon, to point us towards documents which may help to improve our
material, and to point out any other aspects of Horizon or the ways in which
they have developed and support it, which may help the court form an accurate
impression and reach the correct decision” [FUJ00179022]. I tried to follow
that indication and my comments were aimed at technical clarifications, as
well as suggestions for further work. For example, at paragraph 37, Dr Worden
had mistakenly claimed that Horizon Online had involved a complete
replacement of branch hardware, which was technically incorrect. That
change only happened with the later version of Horizon Online (HNG-A). The
Inquiry has not asked me about any particular comments I made on the draft
Foundation Report but I am happy to respond to any if that would be helpful.
199. I was provided with the draft of Dr Worden’s first report (version 68)
[FUJ00083981] on or around 26 November 2018. Torstein and I provided
comments shortly after that [FUJ00223931]. Again, the Inquiry has not asked
me about any particular comments I made but I am happy to respond to any
if that would be helpful.
200. I did not see it as my role to strengthen Dr Worden’s draft report or only point
out positive things about Horizon. Rather, it was to assist with his having
accurate technical information. Whether Dr Worden took account of my
comments was a matter for him.
Page 63 of 101
WITNO00460400
WITNO00460400
201. At paragraph 529 of his draft report, for example, Dr Worden states that “This
is consistent with the position that prior to July 2017 Reference Data could be
changed without any formal consideration as to what the impact might be.”
This corresponds to the comments box, where I said “/ don’t believe this to be
true. Ref data was always validated by both POL / ATOS and Fujitsu before
being released” [FUJ00083961]. Torstein then provided a_ possible
explanation in his comments. Dr Worden maintained his position in the final
report. This is an example of the type of dialogue my colleagues and I had
about some of the points raised but also indicates that Dr Worden was
independent of us and that it was a matter for him what information he
accepted.
202. At paragraph 907, Dr Worden stated that “Any anomaly reported by an SPM
which had the potential to affect branch accounts would, with fairly high
probability, result in a KEL and an investigation by Fujitsu.” Given what I knew
by that time about the experience of SPMs, and having explored more KELs
and PEAKs than I had previously been aware of, I was not comfortable with
the impression given by Dr Worden that there would probably have been an
investigation in all such cases. My corresponding comment was that:
“This may be harder to prove. Some of the WSs I have read show that
SPMRs have phoned NBSC and not really been helped (and in some
cases the advice made things worse). Also in some of these cases there
is no record of the call being passed to Fujitsu. The common these [sic]
seems to be “I was told by the Help desk that it was my problem”. Not
sure how you can counter that argument, but I would expect the
prosecution to raise that point. NB I’m not saying that these weren't the
fault of the SPMR, but I think it does show that not everything was
investigated” [FUJ00083961].
203. I made this comment because the impression I had formed at the time was
that the NBSC had given positively unhelpful or misleading advice to a number
Page 64 of 101
WITNO00460400
WITNO00460400
of the claimants who had provided witness statements in the GLO
proceedings. I recall being concerned that many of the problems experienced
in the branch may have been caused or exacerbated by this advice. This was
not something I had really considered prior to the GLO proceedings. Having
listened to some of the evidence given in this Inquiry, the concerns I began to
have in 2018-2019 about the competency of the NBSC have only increased.
204. At paragraph 957, Dr Worden produced a table of sample KELs which he
considered showed problems affecting branch accounts. In my comments, I
suggested a further KEL which needed to be added (acha621P) as “The
impact was fairly obvious, but could cause a significant impact on accounts if
the SPMR wasn't careful’ [FUJ00083961]. I was suggesting that this KEL be
added so that Dr Worden could provide the court with a more accurate or
complete picture of problems that could have affected branch accounts.
205. At paragraph 1397, I felt it was important to correct a misconception on the
part of Dr Worden which related to changes made to transaction data. In my
comments I referred to there being a case (which I thought was that of Ms Dar,
one of the SPM claimants whose witness statement I had reviewed) where
errors had been made by a POL employee when setting up the branch. This
had caused discrepancies for which the SPM had been charged. I passed
information about this issue to Fujitsu, but I am not aware whether it was ever
disclosed (either to POL or WBD or by POL to the Court).
206. I also provided comments on the Appendix to Dr Worden’s draft report
between 30 November 2018 and 2 December 2018 [FUJ00082226]. Again, I
saw my role as providing technical information and correcting Dr Worden in
an objective way.
207. For example, in his analysis of acha621P on page 67, Dr Worden had stated
that “this is a case where Horizon allowed a user to make an error remming in
cash.” I felt that this characterisation of the problem was unfair on the branch
user and failed to acknowledge that a BED had caused the problem. I
therefore commented [FUJ00082226]: “NO. There was a bug in Horizon that
Page 65 of 101
WITNO00460400
WITNO00460400
resulted in the rem process being accidently [sic] repeated. This is the
Dalmellington issue which has been discussed elsewhere at length.”
208. The Inquiry has asked me to comment on what I thought generally about Dr
Worden’s methodology. I recall being interested in Dr Worden’s approach
when I read his reports. I was impressed with his ‘quantitative approach’. I felt
that it correlated with my overall conclusion; that although Horizon did have
BEDs that had affected branch accounts, these BEDs could not explain the
quantum of losses experienced by the claimants.
209. The Inquiry has also asked me to comment on whether I thought that Dr
Worden approached his task as an expert witness appropriately. I do not feel
able to comment on this. In the drafts I looked at, he seemed to take some of
Fujitsu’s feedback on board, but equally he appeared to disregard other
comments. From this I concluded that he was exercising an objective
judgement, but I was not involved in his processes nor in helping him to draft
his reports. Once I had sent my comments back to Fujitsu I had no input into
or influence over how they were ultimately used.
210. I note that Mr Justice Fraser, in the Horizon Issues Judgment, was critical of
Dr Worden as an expert and found that he relied “heavily” on me as a source
of information. I do not think this is accurate or fair to either Dr Worden or me.
I provided feedback on his draft reports where it was asked for, but (a) it was
typically in response to work already conducted by Dr Worden which pre-dated
any invitation for my input, and (b) I was one of a number of people who gave
feedback. I had no hand in determining how Dr Worden should carry out his
work, nor in designing his methodology. As I have explained earlier in this
statement, I gave no thought to whether or not Dr Worden would name me in
his report as a source of information. I certainly would have had no objection
to being named. I did not consider my input needed to be hidden in any way.
Jason Coyne (question 216)
Page 66 of 101
WITNO00460400
WITNO00460400
211. I have been asked to comment on the nature and extent of work carried out in
assisting POL to respond to the evidence of Jason Coyne. I read and
commented on his first and second reports, as did others at Fujitsu. I do not
recall receiving his third report. Most of my work concerning Mr Coyne’s
reports was in the analysis of BEDs identified by him. The initial analysis was
conducted in November 2018 and the result of it appears in the appendix to
Steve Parker's second witness statement. The further (more detailed) work
was ongoing from November to February 2019, to complete the “22 bugs”
papers which were provided to POL.
212. I have been asked whether Mr Coyne’s report (in the singular) made me
change my opinions in respect of the robustness and integrity of the Horizon
IT system. I don’t know which of his reports the Inquiry is referring to, but in
terms of the two I reviewed, I can say that whilst I respected Mr Coyne’s
expertise and engaged with the detail of both reports I read, they contained
factual analysis and conclusions I disagreed with. I remained confident, having
read them, that Horizon overall (whilst obviously not infallible) was robust. In
general terms, any comments I provided on Mr Coyne’s reports reflected those
points which I felt were incorrect, or which I didn’t have enough information
about, or which I considered required further examination. I did not comment
on any assertions or opinion which I agreed with as it would have served little
to no purpose.
213. As identified by the Inquiry, some of my comments on Mr Coyne’s reports
demonstrate my confidence that Fujitsu’s support services could identify and
rectify BEDs and their symptoms. This was based upon my experience of how
Fujitsu historically identified and managed the impact of BEDs within the
system. As the Inquiry is aware, I have reflected upon this, having read far
more material in the course of the Inquiry and noted in paragraph 82 of my
second witness statement to the Inquiry [WITN00460200] that it reflected
poorly on Fujitsu that it took so long for the Callendar Square bug to be fixed.
214.1 have been asked about my comments on Mr Coyne’s first report
[POL00029050]. These comments were reflective of an initial and relatively
Page 67 of 101
WITNO00460400
WITNO00460400
quick, high-level review. I think they were somewhat different from my
comments on Dr Worden’s draft report for the simple reason that I knew I was
not providing feedback to Mr Coyne. As a result, my comments were a bit
more informal in tone, intended for consideration by others within Fujitsu,
particularly John Simpkins of the SSC, and potentially for WBD to take into
account. Many of my comments would have been aimed at flagging to others
within the team with more specialist knowledge that they would need to
confirm whether the problem identified by Mr Coyne had been fixed, or to
suggest that they needed to do some further digging into a point. In many
cases I would make a quick comment on a KEL, and John Simpkins would
then expand on it as part of his analysis of the underlying PEAKs.
215. The Inquiry has asked me to address certain specific comments that I made
on Mr Coyne’s first report, which I take in turn below [FUJ00183797]:
a. I have been asked about the following comment which I made on
paragraph 3.6: “Clearly publishing unresolved defects is asking people
to exploit them and so not a good idea. Publishing resolved defects may
be taken as implying that the system has issues and reduce confidence
in it.” This was in response to Mr Coyne’s conclusion that “there do not
appear to be notifications issued either by Horizon or by Fujitsu or Post
Office where known bugs and defects have been discovered. The
exception may be in relation to the Suspense account issue where Post
Office say that Subpostmasters were notified, although how they were
notified has not been disclosed.” As a general point, it was not my
decision as to what was notified to SPMs and my comment was prefaced
that this was really “POL’s responsibility”. My comment was about
publication generally to the POL estate rather than notifying the
existence of relevant BEDs to specific affected SPMs. I could see that
publishing a list of live vulnerabilities in the system could be open to
exploitation, and publication of a list of historic issues might be capable
of reducing confidence without us being able to put the issues in context
or explaining why technically it should not undermine confidence.
Page 68 of 101
WITNO00460400
WITNO00460400
b. My comment “If it had affected the accounts, we would have done
something about it” appears on paragraph 5.22. This was in response to
Mr Coyne’s analysis of KEL acha1717T, which he had included in a list
of KELs documenting “varying forms of cash declaration discrepancies.”
I was therefore checking to see whether these KELs demonstrated any
impact on branch accounts and had found that most did not. The first
(KEL acha1233J) simply affected administrative cash planning. The
second (KEL acha1717T) looked similar and I therefore said “Not sure
about this one. (I don’t specifically remember it). However, again it
sounds like an issue that affects just cash planning and not the accounts.
If it had affected the accounts, we would have done something about it.”
My indication that this KEL was outside my knowledge clearly prompted
John Simpkins to also review and add his thoughts on the KEL
[FUJ00183797]. My comment reflected my general understanding that
where Fujitsu identified an issue that affected branch accounts, it took
this very seriously and took action.
c. At paragraph 5.56, I respond to Mr Coyne’s analysis of KEL
CObeng1123Q and the unexplained gains caused by suspected system
memory issues. I state “Old Horizon, so clearly not an issue now.” I
cannot recall exactly what I was getting at by this comment, but I made
a similar comment on paragraph 3.8 and it may have been the case that,
at this stage, I was simply making an observation (for the benefit of
WBD) that this issue was irrelevant to Horizon Online (i.e. not an issue
which could affect the current system in place).
d. My phrasing of “presumably resolved” appears on paragraph 5.92. This
refers to failed recovery scripts, which I think was an issue arising after I
had retired. For that reason I could not say from personal knowledge
whether they were resolved or not (hence “presumably’). AllI could say,
looking at the issue, is that I would have expected them to be resolved
and that they were the sort of issue which would have been. The problem
was rooted in the fact that POL had decided to exploit Horizon’s scripting
facilities for increasingly complex transactions towards the end of my
Page 69 of 101
WITNO00460400
WITNO00460400
time at Fujitsu. However, they did not have the systems experience to
consider all relevant failure points and to construct suitable recovery
scripts should a failure occur. I was aware of this happening in 2015, and
I spent time in my last few months checking their recovery scripts and
pointing out flaws in them. I do not know if anybody picked up this work
after I retired.
. At paragraph 5.103, I made the comment “WE ned to kill this one!” What
I meant by this is that we needed, as a matter of great importance, to
correct the general statement made by Mr Coyne that “the apparent
ability prior to July 2017 to alter Reference Data without any formal
consideration as to the impact of this change could have had a
potentially very significant effect upon Horizon’s reliability and
robustness.” This was, in my view, factually wrong as far as Fujitsu was
concerned and undeservedly damaging, which is why my comment was
emphatic. I thought that it needed to be urgently corrected (via Fujitsu’s
evidence) in order that the court was not misled. I note that John
Simpkins agreed with me [FUJ00183797]. There was a joint POL/Fujitsu
team (the Reference Data Team) whose entire working lives were
dedicated to testing reference data before it ever went live. This included
the creation of testing rigs which were future dated (I think by around 10
weeks) and ran according to the new reference data to check its ability
to cope in the live environment. I believe the POL members of that team
relocated from Farnborough to Bracknell in the mid-2000s so that they
could communicate more closely. I think that the head of that team was
Andy Corbert. I also recall that the whole team at some point moved
floors to be closer to the SSC. I note that, at paragraph 54 of the Judge’s
Technical Appendix, he agreed that Mr Coyne was likely “reading too
much” into the document he had reviewed from July 2017 which was
informing that conclusion.
At paragraph 5.112 and 5.113, I make the following comments, which I
think reflect my general position both then and now:
Page 70 of 101
WITNO00460400
WITNO00460400
[5.112] “We have never said [the software is bug-free nor its
accounts free from errors.] What we are saying is that when errors
occur we detect them and can fix them and so they don't result in
SPMRs losing large amounts of money (which is what some are
alleging).”
216. My overarching point in these paragraphs is as expressed above. Generally,
BEDs (to my knowledge) caused losses which were comparatively smaller
than the large amounts claimed by the claimants. Bugs causing a small loss
could have gone undetected, but I would have expected significant losses of
the order being claimed to have been picked up. There were a number of ways
in which a bug causing a large loss could come to light. From my experience,
Fujitsu was alerted to such bugs through its own alerts and surveillance, or
because an SPM reported issues which were then investigated or because
POL identified and raised the bugs as an issue.
Assistance with Fujitsu evidence
Rule 9(2) Request questions 217-228
217. The Inquiry has asked me to consider some emails and attachments which all
relate to my assistance in the preparation of witness evidence submitted by
Torstein Godeseth and Stephen Parker.
218. I provided comments on drafts of their statements which had already been
prepared, I assumed by WBD. I had no hand in the drafting process itself.
Principally I would communicate with Torstein, Steve and others via email, and
via my comments in track changes/comments boxes on the drafts. I was one
of a number of Fujitsu people who commented on their statements.
219. I have been asked by the Inquiry why I was not the person selected to give
evidence. To begin with, I thought I was going to be a witness but I was told
Page 71 of 101
WITNO00460400
WITNO00460400
by POL’s lawyers that I wouldn’t be because they did not want the Fujitsu
evidence to become side-tracked into discussions about the prosecution of
SPMs given my historic involvement. I took that explanation at face value.
220. I have been asked by the Inquiry whether I told POL or Fujitsu that I would
exercise the privilege against self-incrimination if called to give evidence in the
GLO proceedings. I didn’t tell POL or Fujitsu that I would exercise the right to
self-incrimination if called as a witness. If I had been called, I would have been
quite prepared to give evidence to the best of my ability. During the GLO
proceedings I did not have independent legal advice. I did not know what the
privilege against self-incrimination was.
Torstein Godeseth (questions 221-223)
221. I have been asked by the Inquiry to consider some emails concerning my
assistance with the preparation of Torstein Godeseth’s witness statements in
the GLO proceedings. As noted above, most of my assistance was via
comments included in drafts of his statements I emailed to him. I did not have
a huge amount of in-person communication with Torstein at this time. I was
working on an ad hoc basis, and I think he had reduced his working time to
three days per week. In addition, around the time of the submission of his first
witness statement, I think he was away in Japan for three or four weeks.
222. I was provided with a copy of Torstein’s first draft statement on 20 September
2018 via email from Matthew Lenton addressed to me, Alan Holmes and
Gareth Seemungal [FUJ00179314]. All three of us were asked to review it and
“provide any feedback / clarifications.” There were questions built into the text
of the draft. In this email Matthew Lenton asked if comments could be fed back
by 24 September 2018.
223. It appears that on 21 September 2018 at 10.45am, Pete Newsome emailed
Alan Holmes, Gareth Seemungal and me to say that WBD wanted a response
that day [FUJ00179462]. At 12.51pm I emailed to say that I had just got in but
Page 72 of 101
WITNO00460400
WITNO00460400
would look at it after lunch. I do recall that we were under some pressure from
WBD to get our feedback over to them. I provided comments on a version
which Alan Holmes and Gareth Seemungal had already fed into
[FUJ00179474]. I was chased for my comments by Pete Newsome at 2.15pm
[FUJ00179503]. I sent an annotated copy (with everyone’s comments
incorporated) at 4.30pm [FUJ00179517]. There were a couple of outstanding
questions for Gareth Seemungal to address, and he sent a further version with
his comments at 5.18pm that day [FUJ00179541]. This was not a draft that
we spent a significant amount of time commenting on.
224. I have reviewed the draft statement and my comments [FUJ00159545]. My
comments were aimed at ensuring Torstein’s technical statements were
accurate and clear, or indicating who in Fujitsu might be able to help further in
clarifying certain points.
225. In relation to what Torstein said about remote access at paragraph 9.2.1, there
are three comments which formed a discussion [FUJ00159545]:
“Was it not possible to inject stuff into old Horizon by adding said stuff
into the Central correspondence servers which would then replicate it
down to the branch. Did the SSC used to use this as a mechanism to
correct problems?”
“Yes, that is correct. What do we need to say about that?”
“Again any transactions injected by SSC with Old Horizon would have
used the CS address as the counter position which would be a number
> 32 and so easily identifiable in any audit.”
226. This discussion demonstrates the common understanding we had in 2018 on
Fujitsu's side that substantive remote access was done in Legacy Horizon by
inserting data at the correspondence server which was then replicated to the
counter. As I have set out above, that is what I thought, at that time, was
correct.
Page 73 of 101
WITNO00460400
WITNO00460400
227. I realised subsequently (in the 3-4 weeks following these comments) that our
understanding was wrong. Unfortunately, Torstein signed his first witness
statement before I realised we were in error. As I recall, Torstein’s statement
was finalised and signed in a hurry because he left for his holiday to Japan on
27 September 2018.
228. My comment on draft paragraph 9.2.1 was reflected (not verbatim) in
Torstein’s signed statement at paragraph 58.10 [FUJ00083840], where he
stated: “In Legacy Horizon, any transaction injected by SSC would have used
the computer server address as the counter position would be a number
greater than 32, so it would be clear that the transaction had been inserted in
this way.” Looking at this paragraph now, I think Torstein’s wording was looser
than mine: the SPM would be able to identify it as having been inserted at the
correspondence server either from their counter transaction reports or from
ARQ data. It was only for counter-inserted transactions that it would be
necessary to look at the raw audit data.
229. As I say, my understanding of this issue changed shortly after Torstein signed
his first statement, prompted by reading Richard Roll’s witness statement
(sent to us on 1 October 2018) and discussing with people in the SSC such
as John Simpkins. I subsequently corrected the position in my note dated 13
October 2018 [FUJ00181504], in which I highlighted paragraph 58.10 of
Torstein’s signed statement and said:
“It would appear that this is incorrect. I have come to understand that in
some circumstances the SSC needed to inject data at the counter. I am
not clear as to exactly why this was necessary (other than for EOD
Markers — which are not transactional data), and it is likely that any
transactions that were injected would have been done at the CSs.
Perhaps SSC can clarify this point as it is important in relation to Richard
Roll’s witness statement.”
Page 74 of 101
WITNO00460400
WITNO00460400
230. I reiterated this point in my comments on 15 October 2018 on a WBD memo
which was drafted to form the basis of Steve Parker's statement
[FUJ00160194].
231. Then, later in October 2018, I reiterated the point again when commenting on
a draft of Torstein’s second witness statement. I asked whether Torstein’s
statement needed to cover injections of transactions or data at the counter or
whether it should be done by Steve Parker.
232. These confirmations throughout October 2018 that inaccurate information had
been given to Torstein and included in his first statement appeared to have
been understood by WBD. I note that the error was ultimately corrected via
Steve Parker's witness evidence (see below). I assume that the decision that
it should be corrected by Steve rather than Torstein, and the manner in which
it should be corrected, was taken by WBD. It was not taken by me. I was not
particularly concerned how it should be corrected, only that it should be
corrected. I cannot comment on why there seems to have been a delay in
bringing this information to the attention of the court. My main concern was
that Fujitsu provided information which was technically accurate.
233. The Inquiry has asked me about the same issue when it arose in a series of
questions from WBD to me by email on 16 November 2018 (see
[FUJ00160648] and [POL00105560]). I was asked about User IDs, and
specifically whether it could be affected by interrupted transactions. In my
response, which reflected my updated understanding, I provided a possible
“further scenario” that:
“On Old Horizon if SSC were to insert a transaction at the counter (which
although possible, was very rare), then this would have been associated
with the User ID of whoever was logged on at that counter. If nobody
was logged on then the User ID would be missing. Such transactions
should be clearly identified in the audit trail as having been inserted by
the SSC” [FUJ00160648].
Page 75 of 101
WITNO00460400
WITNO00460400
234. Whilst I didn’t have exact numbers to hand, my understanding from the SSC
was that instances in Legacy Horizon of injections at the counter and injections
at the correspondence server were both very rare, although the former was
(relatively speaking) much rarer than the latter.
235. I have been asked by the Inquiry whether Torstein accurately recorded which
information within his statements was given to him by me. As I have explained,
my comments were provided in marked up drafts (along with those of others)
and so it should be relatively easy to track each comment I made and whether
it was reflected in the final signed versions. Generally speaking, I think
Torstein accurately recorded the information I gave him but this was not
always the case. We had very limited time to go through things in tandem, and
clearly there were others involved in the provision of information, which may
have led to confusion as to who was the original source of information and the
circumstances in which it came to be corrected. I don’t know whether, for
example, Torstein knew that I had corrected the point about remote access
after he had submitted his statement.
236. Again, I saw it as my role to provide technical clarifications to Torstein if I
thought something in his draft witness statements was incorrect. For example,
when reviewing his first draft statement, Torstein had written that the
Dalmellington bug had only affected four branches. I clarified that there were
more than four branches and pointed him to my paper on “Duplicate Rems” to
assist. Torstein corrected this mistake and correctly attributed information
about the Dalmellington bug to me in his signed first witness statement at
paragraphs 55-61 [POL00029051].
237. The Inquiry has asked me specifically about paragraph 13.1 of Torstein’s
second witness statement [FUJ00082234] and whether I believed it to be true
that the Callendar Square bug was “discovered when the Subpostmaster at
the Callendar Square branch reported that he could see a transfer on some
terminal but not on another and asked for this to be investigated.” I can see
that Torstein has attributed this information to me. Taken in isolation, it was
my understanding at that time (based on the PEAKs and Anne Chambers’
Page 76 of 101
WITNO00460400
WITNO00460400
entries in them) that the SPM at Falkirk branch had reported the problem and
asked for it to be investigated in 2005. I have since reviewed the relevant
PEAKs again (see [FUJ00083654] and [FUJ00083663]) and this remains my
understanding.
238. I also believe that, when commenting on Torstein’s draft second statement,
WBD (and/or Torstein) were operating under a misunderstanding that the
Callendar Square bug had only affected a single branch (Falkirk). I corrected
that mistake in my comments and pointed out that the SSC had compiled a
spreadsheet which listed all of the affected branches they had identified. I said
this because I wanted to ensure that WBD and Torstein were aware of this
spreadsheet and could use it to give accurate information to the Court about
the true impact of the bug in terms of the number of branches affected,
whether it has caused discrepancies in those branches and the different ways
in it had manifested itself (even if this information was adverse to POL). I
assume my comment was not taken into account by WBD or Torstein because
I can see that, whilst the spreadsheet was disclosed by POL in the GLO
proceedings on 27 February 2019 (paragraph 418 of the Horizon Issues
Judgment), the Judge was critical of Torstein for the fact that his written
evidence did not refer to the information contained within it (paragraph 425 of
the Horizon Issues Judgment). This is unfortunate since, had Torstein
amended his written evidence to reflect my comment and refer to Anne’s
spreadsheet, this criticism might have been avoided.
Stephen Parker (questions 224-228)
239. The Inquiry has asked me to consider the three statements of Stephen Parker
and identify which parts (if any) I contributed to. Based on the documents I
have reviewed, I believe that I ‘contributed’ primarily to the first statement’s
Appendices alongside others who assisted in clarifying technical points. Any
input I had into the main body of the statement was minimal, and I think this
was predominantly Steve’s own work.
Page 77 of 101
WITNO00460400
WITNO00460400
240. I have been asked by the Inquiry about my input (if any) into what Steve Parker
said about remote access (in Legacy Horizon) at paragraph 22 of his first
statement dated 16 November 2018 [POL00030141]. Paragraph 22 reads as
follows:
“It is correct that “remote access” described above could have been
carried out without the permission of a Subpostmaster. However, any
additional transactions inserted remotely would be identifiable as such
from the transaction logs that are available to Subpostmasters from
Horizon.”
241. The first sentence is correct, i.e. the SSC could inject transactions or data into
the message store without the SPM’s permission. However, the second
sentence is incorrect, because if that injection occurred at the counter (not the
correspondence server), it would not have been identifiable from the
transaction logs as having been injected remotely (although it would be
identifiable from the complete audit data). I am unclear why that error was not
picked up. As explained above, I had raised this issue on a number of
occasions throughout October 2018 and WBD were clearly aware of it.
242. The Inquiry has asked me how, in relation to the KELs table appended to
Steve's first statement, I was briefed in regard to providing input into it, and
how I satisfied myself that the information I provided was fair and accurate.
My recollection is that this KELs table involved a huge amount of analysis work
from a number of people. I believe it arose as a result of instruction from WBD
to begin analysing KELs referred to in Dr Worden and Mr Coyne’s reports.
From [FUJ00183347], it appears we had a call with WBD to discuss the priority
of ongoing/upcoming work streams, and that analysis work appears at points
(2) and (3) of four. Those four work streams became the subject of a daily
conference call to discuss progress (see Dave Ibbett’s email in
[FUJ00183347)). I believe the SSC had a first pass through the relevant KELs,
and Torstein and myself were provided with their comments on 2 November
2018 by Steve Parker [FUJ00183274]. I believe that the Fujitsu team would
send back the KEL analysis to WBD on an ongoing basis, and Jonny Gribben
Page 78 of 101
WITNO00460400
WITNO00460400
and his team created the KELs table (and the first draft of Steve’s statement
to which it became appended). Given the number of people working on this
across different specialisms, and the amount of analysis work which was
involved, I was satisfied that the output of work was as accurate as it could be.
I was satisfied that the analysis I conducted was correct to the best of my
knowledge, and the operation of the team meant that we did check each
other's work when needed.
243. I have also been asked by the Inquiry about my input into the section entitled
“Transaction Injection into Old Horizon” in Steve Parker’s second statement
[FUJ00161730], and whether and when I was aware of the matters stated in
it.
244. Reading this part of Steve’s signed second statement in isolation, the main
point it is making is that the SSC could inject data at the counter (in addition
to the correspondence server) in Legacy Horizon. He sets out the detail that I
would have expected the SSC to provide about this. I think my input was
limited to pointing out where errors had been made in the previous evidence
and had subsequently come to light from the SSC.
245. I have been asked by the Inquiry about my input (if any) into Steve Parker's
third witness statement [FUJ00083839]. I do not recall being provided with a
draft of this statement in advance to provide comments on. However, I have
seen some email correspondence [FUJ00190021] following service of Steve
Parker's second statement in which issues covered by his third statement are
discussed. I am involved in some of those discussions.
246. In an email dated 29 January 2019 [FUJ00161724] (presumably before
service of Steve's second statement), Jonny Gribben asks about the “GIRO
bank theory” at paragraph 35. Steve responds by saying “you'll need someone
like Gareth to give you a definitive answer, it was his idea after all. 1 think the
answer is that Giro bank is ALSO an AP transaction (like bill payments)...”
Page 79 of 101
WITNO00460400
WITNO00460400
247. I was unavailable after 4pm on 29 January 2019 to provide a direct response,
but I did speak to Pete Newsome about the matter. Looking back at the email
correspondence, I do not think my answer about this was conveyed properly
and so was not incorporated adequately into the second draft of Steve's
statement. Nothing in the email at [FUJ00161744] represents the answer I had
or would have given. I disagree with the answer quoted in Jonny Gribben’s
email at 5:04pm. The answer in my own words can be found in an email dated
30 January 2019 at 7:22am [FUJ00161750] from me to Jonny Gribben. I clarify
that GIRO bank transactions are not AP, but standard EPOSS transactions,
which is something that POL should definitely have known. To that extent, I
believe that paragraph 23 of Steve Parker's third statement was informed (at
least partly) by me. Otherwise I cannot see (and do not recall) that I had any
further comments to make on Steve Parker's third statement. Looking at it
now, my view is that much of it would have been outside my direct knowledge.
248. I have been asked by the Inquiry to consider the emails at [FUJ00162527]
involving questions from Jonny Gribben (dated 6 February 2019) connected
to errors in paragraph 35 of Steve Parker’s second witness statement. I think
the email chain accurately sets out the position and my involvement in it (i.e.
that paragraph 35 was incorrect and I had provided corrective comments after
the statement had been submitted).
249. On receipt of Jonny Gribben’s detailed email, I circulated my draft comments
in response internally at Fujitsu first (at 7:44am on Thursday 7 February 2019)
so that others could provide their comments and we could send a consolidated
response back to Jonny rather than piecemeal. There was subsequently a
discussion between me, Steve Parker, Pete Newsome and Dave Ibbett about
some points of technical clarification. This discussion was aimed at making
sure we sent accurate and complete information back to Jonny in response to
his questions. I informed Jonny at 4:26pm on 7 February 2019 that I had sent
my comments to others in Fujitsu [FUJ00191538].
250. In relation to a couple of points, I said that I would need to check the relevant
documentation, which Matthew Lenton then sent to me at 10:42 on 8 February
Page 80 of 101
WITNO00460400
WITNO00460400
2019 (see [FUJ00087710]). My review of those documents allowed me to
conclude the following on Saturday 9 February 2019 at 11:27:
“1, All AP transactions in Old Horizon were digitally signed at the counter
and so cannot be spoofed by SSC.
2. All Banking Transactions are digitally signed at the counter and so
cannot be spoofed by SSC
3. (NB all transactions are digitally signed in HNG-X so spoofing can’t
happen.
That means that the only transactions that could be possibly be injected
by SSC to benefit them (as opposed to re-injecting copies of missing
transactions that have been recovered) are EPOSS transactions, which
means Giro Deposits and Manual Banking Deposits.”
251. Dave Ibbett extracted my short three point email and sent it to Jonny at 9:57am
on Monday 11 February 2019, copying me. In response, at 10:11am, I
attached my full and complete response from the previous Wednesday
[FUJ00162078]. I note that Matthew Lenton also forwarded the full email chain
including both responses, at 10:08 [FUJ00087710]. Our emails must have
crossed.
252. I have been asked by the Inquiry to what extent I was involved in the work to
correct Steve Parker's second statement. I am invited to consider
[FUJ00163881]. I note that I am included in this email chain, up until the final
email where I appear to have been excluded from the distribution list. On
reviewing this chain now, I can see that it was principally an issue concerning
the SSC’s processes. Jonny Gribben was also seeking information about
Richard Rolls activities whilst in the SSC. This would not have been an issue
which I could assist with and I did not respond.
Page 81 of 101
WITNO00460400
WITNO00460400
Closing reflections
Rule 9(2) Question 229
253. I think that I would like to reflect here my concern that I was asked to become
involved in the GLO proceedings but without understanding the background
to the Clarke advice and the criticisms which were made of me. At the time of
writing this statement, I don’t know much about why that decision was made.
I would like to understand more about it before I comment further or explain
how I feel about the way that I learnt of the criticisms which had been made of
me. However, I do feel concerned by the fact that, in 2013, POL effectively
blamed me for how it had conducted prosecutions, and then kept that from me
for so long whilst continuing to rely on me.
254. The GLO proceedings were the first experience that I have had of civil
proceedings. I do not know how well run they were compared to other such
proceedings. I am starting (because of this Inquiry) to understand more about
the approach which was taken to me during the preparation for the GLO
proceedings. I am starting to see that I was exposed by this approach but I
had no real idea about that at the time. I did not know that my absence would
be regarded as so significant or that there would be the emphasis that there
was on me as source of information. Clearly I did provide information to some
of POL’s witnesses. However, in some cases, the information I provided was
not picked up and errors were not corrected as quickly as they should have
been. I regret that this happened.
255. The GLO proceedings led to the Judge referring Anne Chambers and me to
the DPP on 14 January 2020 [POL00112842]. I had absolutely no idea that
this referral was being contemplated. It came as a shock to me when I learned
about it. When making this referral, it seems that Mr Justice Fraser did not
have access to my evidence in POL’s prosecutions. For example, he said that
I had not disclosed my knowledge of the Callendar Square bug to the court in
Page 82 of 101
WITNO00460400
WITNO00460400
Mrs Misra’s case. My witness statements and the transcript of my oral
evidence show that I did. Seeing these problems in the referral letter again left
me feeling very concerned that I had not been able to speak for myself.
256. When I was first interviewed by the police in June 2021, I made it clear that
nobody had told me (and that I did not know) about expert duties or disclosure
obligations when POL asked me to give evidence. I feel badly let down by POL
and left exposed by how I was used by them in criminal proceedings. The
personal consequences for me, however, are irrelevant compared to the
terrible consequences for those who have been wrongly convicted and
imprisoned.
Statement of truth
I believe the content of this witness statement to be true.
Signed
Dated 29/04/2024
Page 83 of 101
Index
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
WITN00460300
Gareth Jenkins third witness
statement
WITN00460300
POL00091426
Witness Statement of lan
Henderson in Alan Bates &
Others -v- Post Office Limited in
the High Court of Justice
POL-0090448
FUJ00232048
Meeting minutes of the telephone
conference on Friday 27 July
2012
POINQ0238202F
FUJ00156909
Email chain from Michael Harvey
to Rodric Williams, cc James
Davidson, Pete Newsome - Re:
Expert on the Horizon System -
Subject to Common Interest
Privilege
POINQ0163103F
POL00117936
Email from Gareth Jenkins to lan
Henderson, Simon Baker and
others RE: Fujitsu workshops
(with attachment)
POL-0115435
FUJ00083353
Report by Gareth Jenkins on
Correcting Accounts for "Lost"
Discrepancies
POINQ0089524F
POL00097216
Email from Rachael Panter to
Jenkins Gareth GI, Andy Cash,
Jarnail A Singh and others RE:
Fujitsu expert report - URGENT
POL-0096799
POL00133644
POL - Witness Statement of
Gareth Jenkins
POL-0138097
Page 84 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
FUJ00123862
Info for lan report
FUJ00123862
10
POL00097915
Email chain from, Gareth Jenkins
to lvan Swepson; Simon Baker;
Steve Parker, re: Discuss
requirements for proposed
Horizon testing.
POL-0097498
11
POL00029744
Interim Report into alleged
problems with the Horizon
System
POL-0026226
12
WITNO0460200
WITNO00460200 - Second
Witness Statement of Gareth
Jenkins
WITNO00460200
13
POL00040888
Second Sight Support Services
Horizon Spot review re: Lottery
‘Instants' Scratch Cards
POL-0037370
14
POL00097672
Email from Simon Baker to Craig
Tuthil, Dave Posnett, Gareth
Jenkins, and others, re: Various
items
POL-0097255
15
POL00097729
Email from Simon Baker to Ivan
Swepson re: SROO1
POL-0097312
16
POL00097745
Email thread from Jenkins Gareth
to lvan Swepson cc: Simon
Baker, Alison Bolsver, Dave
Posnett, Rodric Williams, Craig
Tuthill and others re: SROO1
Attached: Images
POL-0097328
17
POL00097845
Email from Gareth Jenkins to
Andrew Winn, RE: SR001 Strictly
Private and confidential- subject
POL-0097428
Page 85 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
to legal privilege- not for wider
circulation (attachment SROO1
Response v0.1)
18
POL00130133
Response to Spot Report SRO01
POL-0120343
19
POL00097917
Email from Simon Baker to
Gareth Jenkins; Andrew Winn;
Rod Ismay; Ivan Swepson, re:
Spot review workshop.
POL-0097500
20
POL00098035
Email from Andrew Parsons to
Simon Baker, Lin Norbury,
Gareth Jenkins re: Spot Reviews
(1, 11, 12 and 13) - Confidential
drafts - legally privileged
POL-0097618
21
POL00098043
Horizon Spot Review 1 -
Response (DRAFT), version 2
POL-0097626
22
POL00130164
Draft Spot Review 1 - Response
Report for 2013, Version 2
POL-0120373
23
POL00098053
Email Chain from Gareth Jenkins
to Andrew Parsons re Spot
Reviews (1, 11, 12 and 13) -
Confidential drafts - legally
privileged
POL-0097636
24
POL00098604
Email chain from Gareth Jenkins
to Simon Baker re: Horizon
Disconnection
POL-0098187
25
POL00002239
Email chain between Ron
Warmington, John Armstrong, lan
Henderson, and Others re Spot
Review 001.
VIS00003253
Page 86 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
26
POL00134138
Email chain from Penny Thomas
to Gareth Jenkins and cc'ing
Rose Helen re: Lepton logs -
ARQ logs requesteD
POL-0138591
27
POL00091397
Email from Belinda Crowe to
Patrick Bourke, Tom Wechsler,
Rodric Williams and others re
Notes for the 1600 meeting
POL-0090419
28
FUJ00087028
Email from Gareth Jenkins to
Pete Newsome and Bill Membery
re: Bracknell Enquiry Clarity from
Second Sight
POINQ0093199F
29
POL00029593
Email chain between lan
Henderson, Alwen Lyons, Susan
Crichton, Steve Allchorn and Ron
Warmington Re: Spot Review 5
Response
POL-0026075
30
POL00029594
Horizon Spot Review 5 -
Response re: Centrally Input
Transactions.
POL-0026076
31
POL00029824
Horizon Spot Review 5 -
Response to Bracknell Site
Assertion
POL-0026306
32
POL00031346
Horizon Spot Review 5 —
Response Bracknell Site &
Centrally Input Transactions
POL-0028248
33
FUJ00124449
Email from Gareth Jenkins to
Pete Newsome. RE Second
Sight Info
POINQ0130663F
34
POL00029598
Email from Alwen Lyons to Susan
Crichton, (and chain with Ron
Warmington, Steve Allchorn, lan
POL-0026080
Page 87 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
Henderson and Simon Baker)
Re: Spot Review 5 Response
35
FUJ00087053
Notes from second sight post
office meeting regarding SROO5S
POINQ0093224F
36
POL00296678
Email from Rod Ismay to Steve
Allchorn Re: SROOS
POL-BSFF-0134728
37
FUJ00087066
Email from Pete Newsome to
Simon Baker, FW: SRO05 Spot
Review
POINQ0093237F
38
POL00021696
Email from Ron Warmington Re
FW Emailing Bracknell Meeting.
POL-0018175
39
POL00188670
Email from Simon Baker to Ron
Warmington, lan Henderson cc:
Lesley Sewell and others RE:
Two Horizon incidents
POL-BSFF-0026733
40
POL00006357
Advice on the use of expert
evidence relating to the integrity
of the Fujitsu Services Ltd
Horizon System
POL-0017625
41
POL00142322
Transcript between Simon
Clarke, Martin Smith and Gareth
Jenkins re a criminal case
against SPM
POL-0143576
42
FUJ00124694
Email from Gareth Jenkins to
Jarnail A Singh re: My Witness
Statement for the MISRA case-
attachment 'Witness Statement
Gareth Jenkins.
POINQ0130908F
43
POL00062368
Email from Simon Baker to
Gareth Jenkins, Alwen Lyons and
POL-0058847
Page 88 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
others re: Discuss of defect in
horizon in court.
44
FUJ00154223
Email from Jarnail Singh to
Gareth Jenkins re. My Witness
Statement for the MISRA case.
POINQ0160418F
45
POL00060572
Khayyam Ishaq case study:
Email from Jarnail A Singh to
Hugh Flemington, Alwen Lyons,
Mark M Davies and others re A
couple of thoughts Balvinder
Samra Hurst Lane west
Bromwich Birmingham Trial
Monday 1st June 2013
POL-0057051
46
FUJ00083721
Email from Anne Chambers to
Gareth Jenkins re: Callendar
Square bug
POINQ0089892F
47
FUJ00121071
Email chain from lan Oakley to
Gareth Jenkins, Ray Jackon and
others re: Fw: T30 Release -
Impact on Stock Rems
POINQ0127263F
48
FUJ00155252
Email thread from Mike Stewart
to Gareth Jenkins Re: Response
to Action AP0108003 from
POL/Fujitsu P&BA Workshop 1
August 2008
POINQ0161446F
49
FUJ00081137
Email from Mike Steward to
Gareth Jenkins, Mark Wright and
Steve Bansal re: receipts and
payments mismatch issue
POINQ0087308F
50
FUJ00083375
Note authored by Gareth Jenkins
titled 'Local Suspense Problem'
v0.5
POINQO089546F
Page 89 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
51
FUJ00122229
Analysis of Zero Value
Transactions Document 32
POINQ0128443F
52
FUJ00153159
Email from Gareth Jenkins to
Penny Thomas re requests
following experts meeting - R v
Seema Misra
POINQ0159354F
53
POL00055059
Email from Issy Hogg to Jarnail
Singh re Seema Misra - request
for information on reproducible
errors, reconciliation and
transaction corrections, known
error logs etc.
POL-0051538
54
FUJ00152930
Email from David M Jones to
Jarnail Singh, Gareth Jenkins
and Thomas Penny re WEST
BYFLEET ISSUES - SEEMA
MISRA - Legally Privileged
POINQ0159125F
55
POL00001643
Witness statement of Gareth
Jenkins
VIS00002657
56
POL00055410
Email from Rob G Wilson to
Juliet McFarlane and Jarnail A
Singh Re FW: Branch
discrepancy issues
POL-0051889
57
POL00029618
Email from Lesley J Sewell to
Simon Baker and Alwen Lyons
and others, re: Two System
Defects.
POL-0026100
58
POL00172804
Hearing note prepared by Simon
Clarke in R v Samra
POL-0170600
59
POL00155555
Handwritten notes re: Horizon -
FJ Positioning
POL-BSFF-0014650
Page 90 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
60
POL00297607
Email from Martin Smith to
Rodric Williams, Simon Clarke
CC'd Hugh Flemington and
others RE; The Next Thing!
POL-BSFF-0135657
61
POL00297764
Email from Rodric Williams to
Andrew Parsons CC'd High
Flemington RE;Fw: Advice re
Gareth Jenkins
POL-BSFF-0135814
62
POL00193383
Email from Susan Crichton To:
Hugh Flemington, Rodric
Williams Re: Fujitsu / Second
Sight - STRICTLY PRIVATE &
CONFIDENTIAL - SUBJECT TO
LEGAL PRIVILEGE - DO NOT
FORWARD
POL-BSFF-0031446
63
POL00140620
Draft - Letter of Claim to Fujitsu
from POL - Re: Horizon Contract
between POL and Fujitsu
Services Ltd. dated 28 July 1999
as amended ("the Contract") -
criticisms levied by SS against
the Horizon System
POL-0142075
64
POL00006803
Brian Altman QC's general
review of prosecutions
POL-0017620
65
POL00298011
Terms of Reference for the
Appointment of Brian Altman QC.
- Bond Dickinson
POL-BSFF-0136061
66
POL00021981
Terms of Reference for the
Appointment of Brian Altman QC,
Observations
POL-0018460
67
POL00169308
Email from Jarnail A Singh to
Andrew Parsons, cc Gavin
POL-0167457
Page 91 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
Matthews, Rodric Williams and
others, re Outstanding Cases
68
POL00020634
Email chain from Andrew
Parsons to Chris Aujard, Rodric.
Williams, Jarnail Singh and
others re: Helen Rose Report
and CQRs re Gareth Jenkins
report
POL-0013826
69
FUJ00156908
Fujitsu Note regarding Terms of
Reference for Horizon Integrity
Audit for “Mediation process”
POINQ0163102F
70
FUJ00156923
Email from Michael Harvey to
David Roberts and David M
Jones re Horizon Integrity
Challenges, Core audit process,
Second Sight engagement, and
the mediation process
POINQ0163117F
71
FUJ00087100
Email chain between Gareth
Jenkins, Michael Harvey and
James Davidson re: responses to
questions for Fujitsu
POINQ0093271F
72
SUBS0000025
Post Office Horizon IT Inquiry -
Phase 3 Closing Submissions on
behalf of Fujitsu Services Limited
SUBS0000025
73
FUJ00142197
Email from Anne Chambers to
Gareth Jenkins on 10/12/07 re:
Incomplete Summary Issue
(PC0152014)
POINQ0148394F
74
POL00023765
PC0152014: Branch 183227 -
TPSC257 - POLFS Incomplete
Summaries Report
POL-0020244
Page 92 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
75
POL00029710
Email from Andrew Winn to Alan
Lusher re: Rivenhall
POL-0026192
76
POL00021783
Note by Gareth Jenkins on
injection of data by support staff
POL-0018262
77
FUJ00087187
Transaction Corrections within
Riposte based Horizon
POINQ0093358F
78
FUJ00087185
Email chain from Russell Norman
to Steve Parker, Jason Muir,
Peter Thompson and others re:
FW Deloitte info as I am in
London tomorrow
POINQ0093356F
79
INQ00000981
Transcript (02/05/2023): Post
Office Horizon IT Inquiry - Anne
Chambers [WITNO017]
INQ00000981
80
INQ00001115
Transcript (17/01/2024): Post
Office Horizon IT Inquiry - John
Simpkins [WITN0411] and Gerald
Barnes [WITN0987]
INQO00001115
81
POL00108538
Email chain from Rodric Williams
(POL) to Andrew Parsons (Bond
Dickinson) re: FW: Strictly Private
& Confidential Subject to
Privilege. Email chain relates to
the ability of Fujitsu to remotely
change branch figures without
the knowledge of SPMs.
POL-0106634
82
POL00028062
Report: Horizon Desktop Review
of Assurance Sources and Key
Control Features - draft for
discussion, Deloitte
POL-0023065
83
POL00028069
Deloitte Draft Board Briefing
document further to report on
POL-0023072
Page 93 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
Horizon desktop review of
assurance sources and key
control features
84
POL00312743
Email from Andrew Parsons to
Rodric Williams, cc'd Victoria
Brooks. Re 'RE: M056 - Wylie -
Remote Access’. Discusses
consistency in statements and
responses about remote access.
POL-BSFF-0150793
85
FUJ00194700
Email from Pete Newsome to
Steve Evans cc'ing Gareth
Jenkins, Andrew Thomas and
others. Re Support for Bramble-
Super User Paper
POINQ0200417F
86
FUJ00087230
Database Security in Horizon
Online Version 0.1 Report
POINQ0093401F
87
FUJ00087231
Database Security in Horizon
Online Version 0.2 Report for
March 2017
POINQ0093402F
88
FUJ00087232
Database Security in Horizon
Online Version 0.2 Report
POINQ0093403F
89
POL00023442
Email from Jonathan Gribben to
Rodric Williams and others. RE:
Post Office/ Horizon
POL-0019921
90
FUJ00087234
Database Security in Horizon
Online Version 1 Report for April
2017
POINQ0093405F
91
FUJ00170288
Email chain from Lewis Keating
to Russell Norman, Torstein
Godseth, Pete Newsome and
POINQ0176469F
Page 94 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
others RE: Further Project
Bramble discussion — Riposte
92
POL00030068
Deloitte Bramble Draft Report
POL-0026550
93
POL00112816
PO Group Litigation: Judgment
No. 6 "Horizon issues" before Mr
Justice Fraser.
POL-0110233
94
FUJ00086810
Reconciliation Controls
Document
POINQ0092981F
95
FUJ00159521
Alan Btes & Others and Post
Office Limited ®Witness
Statement of Torstein Olav
Godeseth
POINQ0165698F
96
FUJ00181504
Comments on TOG's Witness
Statement 27.09.2018 by Gareth
Jenkins
POINQ0187221F
97
FUJ00082234
Witness statement of Torstein
Olav Godseth (signed)
POINQ0088405F
98
FUJ00222893
Email chain from Steve Evans to
Pete Jobson, Steve Bansal and
Pete Newsome cc: others re:
Information Requests from Jason
Coyne
POINQ0228626F
99
FUJ00087274
GlJ Response to Information
Requests from Jason Coyne
POINQ0093445F
100
POL00042057
Email from Rodric Williams to
Andrew Parsons re PO Group
Litigation
POL-0038539
101
FUJ00159667
Email from Chris Jay to Pete
Newsome, Stewart Garry cc'ing
POINQ0165845F
Page 95 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
Jay Christopher and others re:
RE: Post Master Lawyers
102
FUJ00159300
Email from Dave Ibbett to Pete
Newsome, Gareth Jenkins and
Jonathon Gribben and
others®Re: WBD Bracknell
meeting 28th August 2018
POINQ0165477F
103
FUJ00159312
Email from Dave Ibbett to
Johnathon Gribben ®Re:
gij.Horizon Issues document
dated 17 August 2018.docx
POINQ0165489F
104
FUJ00159313
The Post Office Group Litigation
@Alan Bates and Post Office
Limited®CLAIMANTS’
PROVISIONAL/OUTLINE
DOCUMENT IN RELATION TO
THE HORIZON ISSUES
POINQ0165490F
105
POL00133591
Email from Chris Emery To
Jonathan Gribben, Lucy
Bremner, CC'ing Robert Worden
- Re: Post Office: Receipts and
Payment Mismatch
POL-0138044
106
FUJ00081969
Charteris Foundation Report for
Alan Bates and others v POL - Dr
Robert Worden and Chris Emery
(Definitive version 31 May 2018
Table of Contents)
POINQ0088140F
107
FUJ00081968
Quantitative Approaches to
Horizon Bugs
POINQ0088139F
108
FUJ00081967
Email from Jonathan Gribben to
Pete Newsome and others re:
Update following 5 June June
CMC
POINQ0088138F
Page 96 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
109
FUJ00179022
Foundation Report - Alan Bates
and others v Post Office Limited -
DR Robert Worden and Chris
Emery
POINQ0184733F
110
FUJ00083981
Subpostmasters v Post Office
Limited - Expert Report of Dr
Robert Worden.(draft 68)
POINQ0090152F
111
FUJ00223931
Charteris Foundation Report -
Alan Bates and others v Post
Office Limited Dr Robert Worden
and Chris Emery
POINQ0229664F
112
FUJ00083961
Subpostmasters v Post Office
Limited - Expert Report of Dr
Robert Worden (Draft 68 with
hidden comments)
POINQ0090132F
113
FUJ00082226
Expert Report of Dr Robert
Worden Appendices. Draft 44
POINQ0088397F
114
POL00029050
Expert Report of Jason Coyne
(Bates & Others v POL
POL-0025532
115
FUJ00183797
Expert Report of Jason Coyne -
Alan Bates and Others v POL
POINQ0189514F
116
FUJ00179314
Email from Matthew Lenton to
Alan Holmes, Gareth Seemungal,
Gareth Jenkins and others re
Horizon Issues Trial - Witness
Statement of Torstein Godeseth
POINQ0185026F
117
FUJ00179462
Email from Pete Newsome to
Gareth Jenkins, Alan Holmes,
Lenton Matthews and others with
POINQ0185174F
Page 97 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
Dave Ibbett cc'd in re Horizon
issues trial- witness statements
118
FUJ00179474
Email from Gareth Seemungal to
Gareth Jenkins, Pete Newsome,
Alan Holmes and others RE:
Horizon Issues Trial- Witness
statement
POINQ0185186F
119
FUJ00179503
Email chain from Pete Newsome
to Gareth Jenkins RE: Horizons
Issues Trial- Witness statement
[WBDUK-AC.FID27032497]
POINQ0185215F
120
FUJ00179517
Email from Gareth Jenkins to
Gareth Seemungal, Pete
Newsome, Alan Holmes and
others - RE: Horizons Issues
Trial- Witness Statement
POINQ0185229F
121
FUJ00179541
Email from Gareth Seemungal to
Gareth Jenkins, Pete Newsome,
Alan Holmes and others RE:
Horizon issues trial- witness
statement
POINQ0185253F
122
FUJ00159545
Alan bates & others v Post
Office Limited - ®Draft Witness
Statement of Torstein Olav
Godeseth
POINQ0165722F
123
FUJ00160194
Womble Bond Dickinson -
Response to Richard Roll (To be
turned into a statement by Steve
Parker)
POINQ0166372F
124
FUJ00160648
Email from Gareth Jenkins to
Andrew Parsons, Johnathan
Gribben Cc Dave Ibbett & Others
POINQ0166826F
Page 98 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
RE Post Office Group Litigations:
Some points to check please
125
POL00105560
Email from Gareth Jenkins to
Jonathan Gribben re Post Office
Group Litigation: Some points to
check please.
POL-0105127
126
POL00029051
First Witness statement of
Torstein Olav Godeseth (Bates &
Others v POL)
POL-0025533
127
FUJ00083654
Peak Incident Management
System - Call reference
PC0126042 - FAD160868 - SU
cash amounts vary on counters.
POINQ0089825F
128
FUJ00083663
Peak Incident Management
System®Call Reference:
PC0126376
POINQ0089834F
129
POL00030141
Witness Statement of Stephen
Paul Parker
POL-0026623
130
FUJ00183347
Email from Dave Ibbett ®to
Matthew Lenton, Pete Newsome
cc Gareth Jenkins, SP Parker,
Lucy Bremner ®RE: Stage 2
review of Coyne's Report
POINQ0189064F
131
FUJ00183274
Email from Steve Parker to
Gareth Jenkins and Torstein
Godeseth CC Dave Ibbett and
Pete Newsome RE: Initial
answers to Stage 2 review of
Coyne's Report
POINQ0188991F
132
FUJ00161730
Second Statement of Stephen
Paul Parker
POINQ0167908F
Page 99 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
133
FUJ00083839
Third Witness Statement of
Stephen Paul Parker
POINQ0090010F
134
FUJ00190021
Email from SP Parker to Gareth
Jenkins RE: SP Second Witness
Statement: Possible examples to
use - effective software fixes
[WBDUK-AC.FID27032497]
POINQ0195738F
135
FUJ00161724
Email chain from Steve Parker to
Jonathan Gribben, copying
Matthew Lenton, Dave Ibbett and
others. RE: SP Second Witness
Statement: Possible examples to
use - effective software fixes
[WBDUK-AC.FID27032497]
POINQ0167902F
136
FUJ00161744
Email Pete Newsome to
Christopher Jay, Legal.Defence
and Jonathan Gribben cc Andrew
Parsons, Dave Ibbett and Gareth
Jenkins re SP Second Witness
Statement: Possible examples to
use - effective software fixes
POINQ0167922F
137
FUJ00161750
Email from Gareth Jenkins to
Pete Newson, Jonathan Gribben,
Christopher Jay and
Legal.Defence cc Andrew
Parsons, Dave Ibbett, Lucy
Bremner and S Parker re SP
Second Witness Statement:
Possible examples to use -
effective software fixes
POINQ0167928F
138
FUJ00162527
Email Jonathan Gribben to
Matthew Lenton, cc others re
Remote access — urgent
POINQ0168705F
139
FUJ00191538
Email chain including Chris Jay
(FUJ); Legal Defence Team
POINQ0197255F
Page 100 of 101
WITNO00460400
WITNO00460400
No.
URN
Document description
Control number
(FUJ); Pete Newsome (FUJ) &
Others Re: Injecting transactions
140
FUJ00087710
Email from Matthew Lenton cc:
Gareth Jenkins, Dave Ibbett,
Pete Newsome, to Jonathan
Gribben, Lucy Bremner, Andrew
Parsons and others re: RE:
Injecting transactions — urgent
POINQ0093881F
141
FUJ00162078
Email from Gareth Jenkins to
Dave Ibbett, Jonathan Gribben,
Pete Newsome & Others, CC-
Andrew Parsons, Lucy Bremner,
SP Parker & Others RE: Injecting
transactions - urgent [WBDUK-
AC.FID27032497]
POINQ0168256F
142
FUJ00163881
Email Steve Parker to Jonathan
Gribben cc Dave Ibbett, Matthew
Lenton, Pete Newsome re FW
Further counter injection analysis
POINQ0170059F
143
POL00112842
Letter to Mr Max Hill QC from
The Hon Mr Justice Fraser, re
Bates and Others v POL
POL-0110256
Page 101 of 101