Treasury, having previously accused someone of hacking its systems, concedes the way information was retrieved from its website ahead of the Budget was not unlawful.
Treasury said it made a clone of its website and uploaded Budget information to this clone. However this information was able to be found via its public website if the right words were searched.
Treasury at 5am on Thursday sent out a media release explaining this, after National on Wednesday night notified media it would hold a press conference at 8.45am, reportedly revealing details around how it got its hands on Budget information.
Finance Minister Grant Robertson said on Thursday he was “very disappointed" that confidential Budget information was able to be accessed in this way.
“I am also very disappointed that the Treasury did not seek to find more information as to how this happened before referring the matter to the Police. I now await the inquiry of the State Services Commissioner into this matter."
In his press conference National Leader Simon Bridges explained how his party stumbled upon the information by simply typing "2019/2020" and then an area of government spending, like "purchase of assets", in to the search bar on Treasury’s website.
However Treasury on Tuesday went to the Police claiming it been “deliberately and systemically hacked”.
Bridges claimed that had he not come out with National’s side of story, Treasury would’ve continued to sit on its “lie” that it was hacked, even though it was aware of the search flaw.
For this, he called for Treasury Secretary Gabriel Makhlouf’s resignation, as well as the resignation of Robertson.
Makhlouf is in any case leaving to take up a new job as Governor of the Central Bank of Ireland. Makhlouf’s last day at Treasury will be June 27 – the date gazetted when he was appointed in 2016 to his second term in the role. He will start at the Central Bank of Ireland in September.
Bridges said Robertson was "donkey deep" involved and didn’t have the "moral authority" to deliver the Budget.
“This is the most contemptible thing I’ve seen in New Zealand politics,” Bridges said.
Treasury conceded there were “deliberate, systemic and persistent” searches of its website that were “clearly not intended to be public”.
“Evidence was found of searches that were clearly intended to produce results that would disclose embargoed Budget information,” Treasury said.
“Three IP addresses were identified that performed (in the Treasury’s estimation) approximately 2,000 searches, over a period of 48 hours, which pieced together the small amount of content available via the search tool.
“The IP addresses involved belonged to the Parliamentary Service, 2degrees and Vocus.
“The nature of these searches ultimately led to unauthorised access to small amounts of content from the 2019/20 Estimates documents, none of which were due to be available to Parliament and the public until Budget Day.”
The Police won’t be pursuing the matter further, but Treasury has asked the State Services Commission to do an inquiry.
Makhlouf said: "Our systems were clearly susceptible to such unacceptable behaviour, in breach of the long-standing convention around Budget confidentiality, and we will undertake a review to make them more robust."
State Services Commissioner Peter Hughes said while there was no evidence of a system-wide issue, he had asked Andrew Hampton, the Government Chief Information Security Officer, to work with the Government Chief Digital Officer, Paul James, to provide assurance that information security across the Public Service was sound.
“This is an important issue because it goes to trust and confidence in the Public Service and in the security of government information,” Hughes said.
“The inquiry will seek to understand exactly what has happened so that it doesn’t happen again.”
Treasury said that having worked with the GCSB’s National Cyber Security Centre, these were the facts it had established:
- As part of its preparation for Budget 2019, the Treasury developed a clone of its website.
- Budget information was added to the clone website as and when each Budget document was finalised.
- On Budget Day, the Treasury intended to swap the clone website to the live website so that the Budget 2019 information was available online.
- The clone website was not publicly accessible.
- As part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase.
- The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site.
- As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents.
- A large number (approx. 2,000) of search terms were placed into the search bar looking for specific information on the 2019 Budget.
- The searches used phrases from the 2018 Budget that were followed by the "Summary" of each Vote.
- This would return a few sentences - that included the headlines for each Vote paper - but the search would not return the whole document.
- At no point were any full 2019/20 documents accessible outside of the Treasury network.