For more than a decade, the Post Office told British courts, parliamentary committees, and the subpostmasters it was prosecuting that the Horizon accounting system was a closed shop — that no one at Fujitsu could reach into a branch’s accounts from the outside and change the numbers. It was a lie. Fujitsu engineers could, and did, alter live transaction data on branch terminals without the subpostmaster’s knowledge or consent, and internal records confirm the capability existed from the system’s earliest years of deployment.
That single denial — repeated under oath, in witness statements, in disclosure letters, and in prosecution briefs — is the load-bearing beam of the entire Horizon scandal. Pull it out, and almost every conviction collapses.
The denial that built the prosecutions
The Post Office prosecuted subpostmasters for theft, fraud, and false accounting. The evidence against them was almost always the same: Horizon said money was missing, and Horizon, the Post Office insisted, was right.
For that evidence to stand up in court, prosecutors needed one thing to be true. The shortfalls had to originate inside the branch. If anyone outside the branch — a developer, an engineer, a support technician — could quietly write to the same ledger the subpostmaster was being judged against, then the chain of custody on the numbers was broken. The prosecution’s central document, the cash account, would no longer be the subpostmaster’s account. It would be a document that other people had touched.
So the Post Office told the courts, again and again, that nobody else had touched it. Fujitsu, the contractor that built and ran Horizon, said the same. Branch accounts could only be changed by the person logged in at the counter. The terminal was sealed. The audit trail was complete.
What Fujitsu could actually do
Inside Fujitsu’s offices, a small team known as the Software Support Centre had a tool called, at various points, the “Support Tool Facility” and later balancing transaction injection scripts. Using it, engineers could insert transactions directly into a branch’s record on the central data centre. Those edits then flowed back to the branch terminal as though they had originated there.
The High Court judgment in Bates v Post Office set this out in language that left no ambiguity. The court found that Horizon contained bugs, errors, and defects, and that Fujitsu had the ability to inject, edit, and delete transactions in branch accounts. The judgment found that this had happened in practice, and that the Post Office’s repeated assurances to the contrary were wrong. The judgment is a matter of public record and remains one of the most consequential civil findings against a British state-owned company in modern history.
The Court of Appeal ruling in Hamilton & Others v Post Office went further. It described the prosecutions as an affront to the public conscience and quashed the first batch of convictions on the basis that the Post Office had failed to disclose what it knew about Horizon’s reliability. The remote access capability was central to that failure.
The internal email that ages badly
The Post Office Horizon IT Inquiry has heard testimony showing the denial was not a misunderstanding by people far from the code. Fujitsu employees who gave evidence in subpostmaster prosecutions in the 2000s knew the support tools existed. Some had used them. Internal emails disclosed to the inquiry show engineers discussing balancing transactions injected to “correct” branch accounts, sometimes without notifying the branch at all.
Silicon Canals’ full investigation documents how flawed software sent innocent people to prison based on false evidence.
Watch the full story on the Silicon Canals YouTube channel.
One Fujitsu witness had given expert evidence in multiple prosecutions stating that Horizon was robust and that remote alteration was not possible. The Court of Appeal found his evidence had been seriously misleading. He has not been charged with any offence. The inquiry’s findings on individual culpability are still being written.
Why the lie was operationally necessary
The Post Office had a problem long before it had a software problem. Branches generated thousands of small accounting discrepancies a week. Some were typos. Some were rounding. Some were genuine theft. Horizon, the Post Office’s auditors, and its prosecutors needed a way to make those discrepancies legible — to convert messy human-scale errors into clean prosecutable shortfalls.
Remote balancing transactions were how Fujitsu cleaned the data. An engineer would identify a stuck transaction, inject an offsetting entry, and the branch ledger would reconcile. From a technical standpoint, this was housekeeping. From a legal standpoint, it was catastrophic. Every cleaned-up branch was a branch whose accounts had been silently edited by a third party — and then, in some cases, used as the evidentiary basis for prosecuting the person whose name was on the contract.
Acknowledging that publicly would have required the Post Office to stop prosecutions, review past convictions, and refund disputed shortfalls that subpostmasters had been forced to pay out of their own pockets, often by remortgaging homes or borrowing from family. The institution chose denial.
The cost of believing the machine
Subpostmasters who insisted the numbers were wrong were told they were the only ones reporting a problem. That was also untrue — internal Post Office helpline logs, later disclosed to the inquiry, showed hundreds of branches reporting similar discrepancies — but it was the line each individual subpostmaster heard. They were isolated by design.
Some pleaded guilty to false accounting to avoid the harsher charge of theft. Some went to prison. The lead claimant in the civil case spent nearly two decades organising the subpostmasters into a coherent group. One subpostmaster was convicted of theft
