'Sometimes doing your best is not enough,' State Services Commissioner says on finding Treasury's systems were susceptible to security breaches at Budget 2018 as well as 2019

'Sometimes doing your best is not enough,' State Services Commissioner says on finding Treasury's systems were susceptible to security breaches at Budget 2018 as well as 2019

The State Services Commission has released its findings into how Budget 2019 material was accessed on Treasury's website before the budget was released. 

Here's a press release from the Commission:

The inquiry, led by Ms Jenn Bestwick, was launched by the Commission at the request of the Treasury after sensitive Budget information was accessed on the Treasury website two days before the 2019 Budget was to be announced on 30 May. Budget-sensitive material was accessed via searches on the Treasury website.

Assembling and publishing the Budget is a core responsibility of the Treasury.

The Commissioner said the Treasury’s failure to keep Budget sensitive information secure was not acceptable.

“This should not have happened,” said Mr Hughes. “Some things are so critical that they can never be allowed to fail. Security of the Budget is one of these.”

 The inquiry found:

  • A series of technical decisions led to a design in the Treasury website search function, which allowed access to Budget 2019 information. The design also existed in the 2018 Budget, though there were no security breaches.
  • Governance and oversight at the Treasury’s executive level fell short
  • Risk management processes around Budget 2019 were not good enough
  • Concerns about security risks existed but were not escalated.

Mr Hughes said the Treasury has an excellent reputation as New Zealand's lead advisor to the Government on economic and fiscal policy, with very good people doing their best.

“But sometimes doing your best is not enough,” said Mr Hughes. “Some things you just need to get right. Each and every time. For these you need to check, check and check again and that didn't happen with security around Budget 2019.

“Senior leadership at the Treasury were rightly focused on the big economic and fiscal issues which are important to New Zealanders and the Government. That is what I expect. But they got the balance wrong. The Treasury’s core business is also delivering the Budget and I’m disappointed the senior leadership were not hands-on enough in that task.

“I am confident the new Secretary of the Treasury will provide the leadership to deliver the necessary changes to ensure this doesn't happen again.”

The Treasury, under new Secretary Dr Caralee McLiesh, has already implemented a number of changes that address many of the issues raised or findings from the inquiry.

Since the incident, Dr McLiesh has: 

  • appointed one of her executive leadership team members to personally oversee the security of the Budget
  • implemented new quality assurance measures around all aspects of the Budget process
  • implemented new security and testing policies
  • steps in place to ensure a replica Budget website will be fully and comprehensively tested prior to Budget day.

Dr McLiesh said the Budget production process for Budget 2020 is robust and secure, and in line with best practice and the appropriate guidance and standards. 

“The Budget is a core priority of the Treasury and what happened should never happen again,” she said.

“The Treasury accepts all of the inquiry’s findings. When I came into the job last September, the Treasury had already made a number of improvements and we have since initiated a programme of work to improve security processes around the Budget. A lot of the necessary changes identified in the inquiry report have been implemented or are already underway.”

National released this statement in response: 

A report released by the State Services Commission today shows that Finance Minister Grant Robertson is ultimately responsible for a failure to keep Budget sensitive information secure, National’s Finance spokesperson Paul Goldsmith says.

“The State Services Commission has today found that there were extensive failures from the Treasury around Budget security.

“Grant Robertson is the Minister in charge of Treasury. Although he’s tried to distance himself from the Botched Budget – the buck stops with him.

“Mr Robertson put out a statement at the time claiming that ‘Treasury said they have sufficient evidence that indicates the material is a result of a systematic hack and is now subject to a police investigation.’

“Mr Robertson swallowed the lines of his agency. He accepted their excuses, didn’t ask the right questions and even when it became clear he was wrong – he then doubled down.

“This is one of the biggest failures in Treasury’s history and it happened under his watch.

“State Services Commissioner Peter Hughes was right when he said ‘This should not have happened.’

“It’s time for Grant Robertson to accept responsibility for what happened and to apologise to National for implying we were involved in illegal activity. The reality is we were doing what a good Opposition does – highlighting the Government’s failures.” 

We welcome your comments below. If you are not already registered, please register to comment.

Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.