State Services Commission reprimands outgoing Treasury Secretary Gabriel Makhlouf for the way he characterised the Budget 'leak' but clears him of acting with political bias

State Services Commission reprimands outgoing Treasury Secretary Gabriel Makhlouf for the way he characterised the Budget 'leak' but clears him of acting with political bias
Gabriel Makhlouf illustration by Jacky Carpenter

A State Services Commission investigation has found outgoing Treasury Secretary Gabriel Makhlouf’s response to the Budget “leak” saga was "clumsy" but "not a sackable offence". 

Deputy State Services Commissioner John Ombler found Makhlouf “acted in good faith, reasonably and without political bias” in relation to the advice he gave the Finance Minister and his decision to refer the matter to the Police.

However Ombler concluded Makhlouf “did not act reasonably” in relation to the way he characterised the leak.

He said Makhlouf’s use of the phrase “deliberate and systemically hacked” in a media statement was unreasonable, as was a "bolt" analogy he used in an RNZ interview, which gave the impression Treasury’s systems were very secure.

He also called out Makhlouf’s continued focus on the conduct of those searching the Treasury website, rather than Treasury’s failure to keep the information confidential.

The Budget “leak” saga stemmed from National, days before the release of the Budget, releasing Budget information it had obtained. Treasury’s response was that its website had been “hacked”. But as it turned out, a weakness in its IT system meant that confidential Budget information could be obtained through simple searches on its website.

State Services Commissioner Peter Hughes concluded Makhlouf's management of the issue fell “well short” of expectations, but was "not a sackable offence".

He said Makhlouf didn't offer to resign over the matter, nor did he accept the Commission's findings. Hughes wouldn't say whether he expected to receive an offer of resignation.

“The right thing to do here was to take personal responsibility for the failure irrespective of the actions of others and to do so publicly. He [Makhlouf] did not do that,” Hughes said.

He said Makhlouf should have sought more advice before issuing a media statement about Treasury’s referral of the matter to the Police.

“It was a clumsy response to a serious issue and is not what I expect of an experienced chief executive,” Hughes said.

"The breach of security around the Budget documents should never have happened, under any circumstances.”

Pressed in a media conference over why he didn’t come down harder on Makhlouf by more formally reprimanding him, Hughes noted the international media coverage of the matter had “significantly damaged" Makhlouf's reputation; a reality that "weighs heavily on him".

He said he had done all he could, but couldn't run the public service on the basis of "you're only as good as your last offence". 

National responded to the Commission's findings saying Makhlouf should've offered his resignation. It said questions also needed to be asked of Finance Minister Grant Robertson who is ultimately responsible for Treasury.

It said Robertson should at the very least apologise to New Zealanders, having linked Makhlouf's comments about a "hack" to National.

Robertson reiterated his "disappointment" over Treasury's systems being able to be accessed, but said the report showed "all those involved were acting with the information available at the time".

Today is Makhlouf’s last day at Treasury. He is due to become the governor of Ireland’s central bank.

The Commission is undertaking a separate inquiry, requested by Makhlouf, into how the Budget material was accessed. This will look at the adequacy of Treasury policies, systems and processes for managing Budget security.

Here is Robertson's full statement:

“We welcome the State Services Commission report on unauthorised access of the Treasury website and note its findings. It confirms the Government’s description of events,” Finance Minister Grant Robertson says.

“Overall it showed all those involved were acting with the information available at the time, and in good faith, and that the Treasury acted without political bias.

“I want to reiterate my disappointment that the Treasury system was able to be accessed in this way and I look forward to the outcome of the inquiry into that.

“Our focus continues to be on the delivery of the Budget and rolling it out,” Grant Robertson said.

Here is National's full statement: 

Treasury Secretary Gabriel Makhlouf should have offered his resignation following the early release of Budget information, and at the very least should apologise for how he handled it, Deputy Leader of the Opposition Paula Bennett says.

“Mr Makhlouf had a responsibility to keep Budget information confidential. It is disappointing that he has taken no responsibility for the incompetency he has shown.

“It is clear the State Services Commissioner Peter Hughes felt he should offer his resignation. If Mr Makhlouf wasn’t already leaving, his position would be untenable.

“He will now likely leave the country, having collected a remuneration package of at least $640,000 a year, without any public apology for overseeing one of the biggest blunders in the Treasury’s history. The New Zealand public deserve better.

“Questions now need to be asked of Finance Minister Grant Robertson. He is ultimately responsible for the Treasury and the Budget, and the buck stops with him. It’s clear he did not ask the right questions of Mr Makhlouf and only heard what he wanted to hear – which was that the National Party was engaged in systematic hacking. He was happy to sit on that lie for more than 36 hours. He has never corrected his false statement.

“Mr Robertson is the one who publically linked the National Party to a false hacking claim. Given Mr Hughes felt it appropriate for a resignation to be offered by Mr Makhlouf, the Prime Minister should expect the same level of accountability from her Finance Minister.

“At the very least, Mr Robertson owes an apology to all New Zealanders, not just the National Party.

“The handling of this by the Treasury and the Minister has been incompetent. New Zealanders deserve better from what is arguably this country’s most important and influential Ministry.”

We welcome your help to improve our coverage of this issue. Any examples or experiences to relate? Any links to other news, data or research to shed more light on this? Any insight or views on what might happen next or what should happen next? Any errors to correct?

We welcome your comments below. If you are not already registered, please register to comment.

Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.

26 Comments

Comment Filter

Highlight new comments in the last hr(s).

Easy to understand for someone without a sound understanding of the technology. After all the filters of the information before it got to him (through the layers of management) he placed his own interpretation of what he was told based on his level of understanding (another filter). He probably didn't even know the right questions to ask, and his advisers either did not realise that when they possibly should have or deliberately chose to leave him in the dark, which would be troubling.

His lack of understanding of technology is so poor that he is not fit to be in charge of a critical organisation such as Treasury. The pay he was receiving means that having less understanding than a typical dairy owner is not acceptable.

Not once have I seen the word "hack" defined in the media coverage of this conflagration.

Hack, according to Oxford means "Gain unauthorized access to data in a system or computer."

Leaves a lot of grey area and a lot up to assumptions and interpretations.

This is what the Commission had to say in its report about the definition of the word "hack":

Also central to this investigation is whether it was reasonable to describe the Incident as a “hack”, more particularly the phrase “deliberate and systematic hack”. I have therefore considered the meaning of that word from various perspectives.

A search of New Zealand legislation and legislation in other countries has not revealed any legal definitions of hack or hacking; the word does not appear in New Zealand’s Crimes Act.

The Oxford Dictionary defines the word as: Hack (n) – the act of computer hacking. Hacking – the gaining of unauthorised access to data in a system or computer.

The Merriam Webster Dictionary defines the word as: Hack (n) – an act or instance of gaining or attempting to gain illegal access to a computer or computer system.

The Cambridge Dictionary defines the word as: Hack (v) – to access someone else’s computer system without permission in order to obtain or change information.

The Collins Dictionary defines the word as: Hack (v) – if someone hacks into a computer system, they break into the system, especially in order to get secret information. Hacking (n) – the common and often illegal art of computer hacking.

The New Zealand Police website states: Computer intrusion, commonly referred to as hacking is gaining unauthorised access directly or indirectly to a computer system which can include a desktop, laptop, smart phone, tablet, server or other device regardless of whether it is connected to the internet or not.

As can be seen from these different definitions, the words hack and hacking do not have a single precise meaning. In particular, they differ as to the degree of difficulty involved (“access” versus “break into”) and in whether the unauthorised access is to information or a system. Further, it appears “hacking” could be legal or illegal.

Thanks Jenée, now I've seen it defined in media. Obviously part of what makes Interest.co.nz a superior source of news these days to many of the traditional players.

The best bar none in NZ

?Tend to agree, but this also raises some troubling questions about the culture there. I think Jenee may have written an article on that concern?

Woops Sorry Eric. Thanks jenee.

one word. Hubris! Can’t imagine though, that he would be the only identity in the lofty circles of power, afflicted as such.

At least he's gone and we can watch Ireland be run into the ground a second time. It's not just that he didn't act reasonably but the fact that actually dealing with any issue is demonstrably outside of his competence. He clearly has no experience in dealing with issues and resolving them, especially when he ignored advice both internally and externally. This leaves me wondering what other disasters he created inside Treasury in his time there.

The key statement is "Makhlouf’s continued focus on the conduct of those searching the Treasury website, rather than Treasury’s failure to keep the information confidential."
Clearly "accountability" is not high in his operating framework; don't look to accept any responsibility, just attack and shift blame.

Information security ranked very low, even though the potential to embarrass the Government was high.

Well there's a classic Wellington bureaucratic whitewash if ever you've seen one; bus ticket treatment on the bloke who was leaving anyway. At least it let them put some distance between Budget Day and the actual question of interference.

A Web Site Hack is different to a Main-Frame Server Hack

As a web-site owner for 30 years, and as a Google web-master for 5 years back in the oughties, a hacker could simply try variations of indexed URL's looking for non-indexed private documents, and if they were persistent they could spend a whole day and rack up 2000 attempts easily

That is "hacking"

When this event first errupted and it was later claimed there hadnt been 2000 attempts it occurred to me that someone inside of Treasury had conveyed to the National Party "hacker" the actual URL to the unpublished non-indexed document

That's what I thought

Anyway Makhlouf was advised by those who simply didnt know - he was shafted

Good point. Does seem like people have leaped to conclusions based on their own assumptions built on watching Whiz Kids years ago.

Actually the GCSB informed Treasury that it wasn't some sophisticated hacking attempt, and only search entries. When they decided to ignore the advice from the GCSB they informed Andrew Little of the absurd claims Treasury were going to make, who apparently did not act on that advice.

Makhlouf shafted himself by ignoring advice.

Ardern knew at least 24 hours before the govt finally came clean, that the public had been misled by Robertson but maintained that position for reasons unknown, until finally compelled to convey a narrative that Roberston had foolishly bought into Makhlouf's bolt nonsense. Meantime Peters ominous public warning that the 'hackers' had engaged in serious dirty work shows he was as muddled as Robertson about what had actually happened. Neither he nor Ardern have been put under any serious pressure by the media over this but their clumsy naivety is still obvious.

It's B-C grade professional behaviour to focus on fixing blame rather than fixing problems. Marklouf should have keep his focus on running his ship better rather than spin, He's come out far worse because of attempts to cover and divert when a mea culpa on behalf of staff responsible that would have defused it almost immediately.

"We were pretty focused on the new approach, obviously people have legitimately using the treasury website and found unannounced data in a way that we didn't expect to be visible. I've discussed it with the Minister and he stressed the need for security around Budget details and we both have the same expectation that, unfortunately we did not meet on this occasion".

- All that needed to bloody happen, 2019.

If I go to a website and do a search and it finds a document that is not a hack. Inputting various metadata items is a normal way of trying to find stuff that may be in places you dont expect. For a person whos been in the post 8 years earning lots more than the PM to suggest its a hack tells me that $5 million in salary was not good use of tax payers money. The people covering for him get paid even more, a pox on the lot of them and no medic care.

This would not rank up there with the worst misunderstandings of technology by people in high positions.

Isn't the hand wringing from National pathetic? Who appointed him?

You really are deliberately overlooking a lot of other people to lay blame at the feet of National here. They are not blameless, but the fact a political party did a poltical thing is far down the list of questions that potentially touch on competence and political interference in the public sector.

Definitely, but the average technological competence of our senior public servants (or senior anything, for that matter) is generally always going to be close to zero.

Oyrland must be wondering Wut the Fook they have let themselves in for......so.