Fujitsu is still providing data from the Horizon IT system for use in legal actions against post office operators, the inquiry into the Post Office scandal has heard.
The Post Office, which relentlessly prosecuted more than 900 post office operators across the UK for alleged theft, fraud and false accounting, stopped directly bringing cases in 2015.
Any subsequent potential cases of theft or fraud identified at a branch are referred to police, and ultimately the Crown Prosecution Service if there is enough evidence.
Sam Stein QC, representing the Justice for Subpostmasters Alliance (JFSA) and more than 200 individual post office operators, asked a current employee about Fujitsu’s subsequent involvement at the inquiry on Tuesday.
“Cases are still being prosecuted of subpostmasters, this time by the CPS, using data by Fujitsu,” he said. “To your knowledge, is the Horizon system still being used to provide data that is used in court proceedings?”
“Yes, I think it is,” said Rajbinder Sangha, who worked in Fujitsu’s fraud and litigation office from 2010 to 2016 before moving departments.
The inquiry into the scandal led by a judge, Sir Wyn Williams, began last year, and has gained greater public attention since the ITV drama, Mr Bates vs the Post Office, aired earlier this month. At a separate hearing on Tuesday, Fujitsu’s European boss, Paul Patterson, said for the first time that the company should contribute to financial redress for victims.
The public inquiry into the scandal also heard that Fujitsu knew of faults in the system it used to extract data on Post Office transactions, subsequently used in the prosecution of hundreds of post office operators, as early as 2008. Evidence presented to the inquiry suggested bosses at Fujitsu were concerned at the time that defence lawyers “may spot and call into question the integrity of our data”.
Sangha, who changed departments in 2017, was one of a small team responsible for processing queries on post office operator transactions known as audit record queries (ARQ). She was asked if she was aware that Horizon IT data was still requested and used in current court proceedings.
“Yes, yes I think it is,” she said.
Emails shown to the inquiry between Fujitsu managers and the fraud and litigation team, which investigated transactions that failed to complete on Post Office systems, revealed that Fujitsu knew about a string of ongoing problems that it did not reveal.
Problems that Fujitsu found included as many as one-third of transactions being duplicated with some fixes involving “manual workarounds”, which the company knew if exposed could call into question the integrity of the data and therefore prosecution cases.
“In essence we have a problem with the ARQ extraction tool,” said one executive in one of a number of email exchanges shown at the inquiry covering the period 2008 to 2010. “If we do not fix this problem our spreadsheets presented in court are liable to be brought into doubt if duplicate transactions are spotted.”
Problems with the system were variously referred to as “inherently insecure” and “endemic”. In 2010, it emerged that a so-called “fast ARQ” method developed to collect the data did not distinguish duplicate transactions when it was handed over to the Post Office.
“The customer [Post Office] and indeed the defence and court would assume that the duplicates were bona fide transactions and this would be incorrect,” stated an email in 2010. “There are a number of high-profile court cases in the pipeline and it is imperative that we provide accurate records. Defence teams may spot this and call into question the integrity of our data. This will call into question the reliability of the evidence presented by the prosecution team.”
Fujitsu executives hoped to present data to make prosecution evidence “more consistent”, in an effort to ensure hundreds of ultimately wrongfully brought cases would “go through smoothly”.
As part of this process it was decided at Fujitsu not to keep a “known error log” of the bugs, or disclose them to defence teams as they tried to fix them.
An email in March 2010, from principal security consultant Tom Lillywhite, raised an instance where the migration of a post office operator to the faulty Horizon IT system meant the ARQ data gathered about transactions at the branch should “bear a health warning”.
The email said there had been “technical issues with the migration which Post Office specialists are aware”, adding that “information gathered in respect to this particular ARQ may be subject to issues of integrity”.
“Any response from us would have to bear the health warning that there was no guarantee as to the integrity of the data provided by us,” Lillywhite added.
By 2013, Fujitsu employee Gerald Barnes admitted in an email there was a “serious flaw” spotted in the audit code and later that year Gareth Jenkins, the former chief architect at Fujitsu, said in an email there was a “significant bug affecting 13 branches causing some interest with high levels of management in the Post Office and Fujitsu”.
“At the time I didn’t see a concern,” said Sangha, who was not party to all the emails, on Tuesday. “It would have been dealt with by more senior technical people that had more of an understanding. I saw my role as just processing ARQs.”
