Fujitsu staff had ‘unrestricted and unauditable’ remote access to Post Office branch systems

Fujitsu engineers could make changes to Post Office branch accounts without anyone knowing

Fujitsu had no control over staff in one of its tech support teams accessing Post Office branch accounts remotely to make changes which could be hidden from subpostmasters.

While it was already revealed that remote access was possible, the lack of control of this access, revealed during a Post Office Horizon scandal public inquiry hearing, sheds further light on Fujitsu’s lax practices supporting its error-prone system.

The Post Office Horizon scandal public inquiry heard that staff working at Fujitsu’s Software Support Centre (SCC), which provides third-line tech support to Post Office branches, had “unrestricted and unauditable” remote access to branch accounts.

Horizon software was introduced in 1999 to replace mainly manual accounting practices. Originally from ICL, before its acquisition by Fujitsu, the IT system was rolled out to thousands of Post Office branches, but its introduction led to a sudden increase in subpostmasters reporting unexplained shortfalls in their accounts, for which they were blamed.

Hundreds were prosecuted, with some sent to prison, and thousands lost huge sums of money, with many going bankrupt. In total, 86 former subpostmasters have so far had wrongful convictions for fraud and theft overturned.

The existence of unrestricted and unauditable access by Fujitsu staff to accounts would have called into question any accusation that unexplained losses were caused by subpostmaster error or theft.

Stephen Parker, a former SCC manager, faced the public inquiry in its current phase, which is investigating the operation of the controversial Horizon system. During questioning, he admitted that control of SCC staff remotely accessing branch systems relied on them being trustworthy and following the access policy, with no policing of their activity.

Post Office denial

For years, the Post Office, under pressure over allegations the Horizon system errors were causing accounting shortfalls, denied that remote access to branch accounts was possible. In 2015, in written evidence to the BIS Select Committee Inquiry of 2015, the Post Office said: “There is no functionality in Horizon for either a branch, Post Office or Fujitsu to edit, manipulate or remove transaction data once it has been recorded in a branch’s accounts.” The Post Office only admitted it was in fact possible when it was left with no choice, during a High Court case in 2019.

During the latest public inquiry hearing this week (10 May 2023), an operations manual from 2001 was examined. It stated: “SSC has access to the live system, which can be used to correct data on the system when this has been corrupted in some way.”

The inquiry heard that Fujitsu had a process in place for staff to make what were known as Operational Correction Requests (OCRs), which they would complete before remotely accessing live systems to make changes. OCRs have a process attached to them which includes that when changes are made there should be at least two people from SSC involved, known a “four eyes” procedure.

But there was no policing of access and its proper use depended on people sticking to the process. Parker said that as far as he remembers, this procedure was related to changes that would have a financial impact on subpostmaster accounts. “It was enforced only by process,” he said. “This means everybody was aware that this was the requirement and whenever an OCR was approved then they knew of the [process] they needed to do.”

Jason Beer, Horizon Inquiry barrister, said: “People are aware of the speed limit – that doesn’t mean they always abide by it, does it?”

Parker said: “I agree with you, but I am not aware of any times that members of the SSC did not abide by that rule.”

But when asked whether there was an audit or monitoring to see if people accessed the live environment outside of the system outside of the OCR policies, Parker admitted that “ultimately they were trusting [people] to follow the process”.

Financial data

Parker, who worked at SCC for 22 years, did not recall any audit of whether access to the live estate to correct or change financial data occurred. During the hearing, it also emerged that SCC staff could make changes to branch accounts without leaving a digital signature, leaving the subpostmaster of the branch in the dark.

He admitted that any member of the SSC could make changes without anybody’s knowledge. “But I am not aware of that ever happening, and the nature of the people within SSC (experienced technicians) means the chances of someone doing that without somebody else realising there was something going on are almost nil.”

Former subpostmaster Michael Rudkin is certain he was singled out by the Post Office for asking difficult questions about remote access to Horizon. In August 2008, when he was chairman of the negotiating committee of the Federation of Subpostmasters, Rudkin visited a Fujitsu technology centre as part of a working group looking at how to improve bureau de change processes. During his visit, a Fujitsu employee demonstrated how he could make changes to subpostmaster branch accounts remotely, without the subpostmasters knowing.

Rudkin’s experience was confirmed in 2015 by former Fujitsu engineer Richard Roll. After contacting Alan Bates, the former subpostmaster who led the fight for justice for subpostmasters, Roll blew the whistle on remote access.

In 2009, Computer Weekly published an investigation into the problems experienced by seven subpostmasters who were using Horizon. The Post Office told each of them that nobody else was experiencing problems and covered up the computer errors. It’s a common complaint of subpostmasters that the helpdesk did not help them investigate unexplained accounting shortfalls.

Read all Computer Weekly articles about the scandal since 2009

Read more on IT for retail and logistics

Data Center
Data Management