Fujitsu employees had ‘unrestricted and unauditable’ distant entry to Submit Workplace department programs

Fujitsu had no management over employees in considered one of its tech assist groups accessing Submit Workplace department accounts remotely to make modifications which may very well be hidden from subpostmasters.

Whereas it was already revealed that distant entry was attainable, the dearth of management of this entry, revealed throughout a Submit Workplace Horizon scandal public inquiry listening to, sheds additional mild on Fujitsu’s lax practices supporting its error-prone system.

The Submit Workplace Horizon scandal public inquiry heard that employees working at Fujitsu’s Software program Help Centre (SCC), which supplies third-line tech assist to Submit Workplace branches, had “unrestricted and unauditable” distant entry to department accounts.

Horizon software program was launched in 1999 to interchange primarily guide accounting practices. Initially from ICL, earlier than its acquisition by Fujitsu, the IT system was rolled out to hundreds of Submit Workplace branches, however its introduction led to a sudden enhance in subpostmasters reporting unexplained shortfalls of their accounts, for which they had been blamed.

A whole lot had been prosecuted, with some despatched to jail, and hundreds misplaced big sums of cash, with many going bankrupt. In complete, 86 former subpostmasters have to date had wrongful convictions for fraud and theft overturned.

The existence of unrestricted and unauditable entry by Fujitsu employees to accounts would have known as into query any accusation that unexplained losses had been attributable to subpostmaster error or theft.

Stephen Parker, a former SCC supervisor, confronted the general public inquiry in its present section, which is investigating the operation of the controversial Horizon system. Throughout questioning, he admitted that management of SCC employees remotely accessing department programs relied on them being reliable and following the entry coverage, with no policing of their exercise.

Submit Workplace denial

For years, the Submit Workplace, beneath stress over allegations the Horizon system errors had been inflicting accounting shortfalls, denied that distant entry to department accounts was attainable. In 2015, in written proof to the BIS Choose Committee Inquiry of 2015, the Submit Workplace mentioned: “There isn’t a performance in Horizon for both a department, Submit Workplace or Fujitsu to edit, manipulate or take away transaction information as soon as it has been recorded in a department’s accounts.” The Submit Workplace solely admitted it was in actual fact attainable when it was left with no selection, throughout a Excessive Courtroom case in 2019.

Throughout the newest public inquiry listening to this week (10 Might 2023), an operations guide from 2001 was examined. It acknowledged: “SSC has entry to the stay system, which can be utilized to right information on the system when this has been corrupted indirectly.”

The inquiry heard that Fujitsu had a course of in place for employees to make what had been often called Operational Correction Requests (OCRs), which they’d full earlier than remotely accessing stay programs to make modifications. OCRs have a course of connected to them which incorporates that when modifications are made there ought to be a minimum of two folks from SSC concerned, identified a “4 eyes” process.

However there was no policing of entry and its correct use relied on folks sticking to the method. Parker mentioned that so far as he remembers, this process was associated to modifications that may have a monetary influence on subpostmaster accounts. “It was enforced solely by course of,” he mentioned. “This implies everyone was conscious that this was the requirement and every time an OCR was authorized then they knew of the [process] they wanted to do.”

Jason Beer, Horizon Inquiry barrister, mentioned: “Individuals are conscious of the velocity restrict – that doesn’t imply they all the time abide by it, does it?”

Parker mentioned: “I agree with you, however I’m not conscious of any occasions that members of the SSC didn’t abide by that rule.”

However when requested whether or not there was an audit or monitoring to see if folks accessed the stay atmosphere exterior of the system exterior of the OCR insurance policies, Parker admitted that “finally they had been trusting [people] to comply with the method”.

Monetary information

Parker, who labored at SCC for 22 years, didn’t recall any audit of whether or not entry to the stay property to right or change monetary information occurred. Throughout the listening to, it additionally emerged that SCC employees may make modifications to department accounts with out leaving a digital signature, leaving the subpostmaster of the department at nighttime.

He admitted that any member of the SSC may make modifications with out anyone’s information. “However I’m not conscious of that ever occurring, and the character of the folks inside SSC (skilled technicians) means the possibilities of somebody doing that with out anyone else realising there was one thing occurring are virtually nil.”

Former subpostmaster Michael Rudkin is for certain he was singled out by the Submit Workplace for asking tough questions on distant entry to Horizon. In August 2008, when he was chairman of the negotiating committee of the Federation of Subpostmasters, Rudkin visited a Fujitsu know-how centre as a part of a working group taking a look at enhance bureau de change processes. Throughout his go to, a Fujitsu worker demonstrated how he may make modifications to subpostmaster department accounts remotely, with out the subpostmasters realizing.

Rudkin’s expertise was confirmed in 2015 by former Fujitsu engineer Richard Roll. After contacting Alan Bates, the previous subpostmaster who led the battle for justice for subpostmasters, Roll blew the whistle on distant entry.

In 2009, Pc Weekly revealed an investigation into the issues skilled by seven subpostmasters who had been utilizing Horizon. The Submit Workplace advised every of them that no person else was experiencing issues and coated up the pc errors. It’s a typical criticism of subpostmasters that the helpdesk didn’t assist them examine unexplained accounting shortfalls.

Author: ZeroToHero