Treasury concedes it wasn't unlawfully hacked; Robertson 'very disappointed' that information could be accessed; Bridges calls for Robertson and Makhlouf to resign for 'sitting on a lie'

Treasury, having previously accused someone of hacking its systems, concedes the way information was retrieved from its website ahead of the Budget was not unlawful.

Treasury said it made a clone of its website and uploaded Budget information to this clone. However, this information could be found via its public website if the right words were searched.

Treasury at 5am on Thursday sent out a media release explaining this, after National on Wednesday night notified media it would hold a press conference at 8.45am, reportedly revealing details around how it got its hands on Budget information.

Finance Minister Grant Robertson said on Thursday he was “very disappointed” that confidential Budget information was able to be accessed in this way.

“I am also very disappointed that the Treasury did not seek to find more information as to how this happened before referring the matter to the Police. I now await the inquiry of the State Services Commissioner into this matter."

In his press conference National Leader Simon Bridges explained how his party stumbled upon the information by simply typing "2019/2020" and then an area of government spending, like "purchase of assets", into the search bar on Treasury’s website.

However, Treasury on Tuesday went to the Police claiming it had been “deliberately and systemically hacked”.

Bridges claimed that had he not come out with National’s side of the story, Treasury would’ve continued to sit on its “lie” that it was hacked, even though it was aware of the search flaw.

For this, he called for Treasury Secretary Gabriel Makhlouf’s resignation, as well as the resignation of Robertson.

Makhlouf is in any case leaving to take up a new job as Governor of the Central Bank of Ireland. Makhlouf’s last day at Treasury will be June 27 – the date gazetted when he was appointed in 2016 to his second term in the role. He will start at the Central Bank of Ireland in September.

Bridges said Robertson was "donkey deep" involved and didn’t have the "moral authority" to deliver the Budget. 

“This is the most contemptible thing I’ve seen in New Zealand politics,” Bridges said.

Treasury conceded there were “deliberate, systemic and persistent” searches of its website that were “clearly not intended to be public”.

“Evidence was found of searches that were clearly intended to produce results that would disclose embargoed Budget information,” Treasury said.

“Three IP addresses were identified that performed (in the Treasury’s estimation) approximately 2,000 searches, over a period of 48 hours, which pieced together the small amount of content available via the search tool.

“The IP addresses involved belonged to the Parliamentary Service, 2degrees and Vocus.

“The nature of these searches ultimately led to unauthorised access to small amounts of content from the 2019/20 Estimates documents, none of which were due to be available to Parliament and the public until Budget Day.”

The Police won’t be pursuing the matter further, but Treasury has asked the State Services Commission to do an inquiry.

Makhlouf said: "Our systems were clearly susceptible to such unacceptable behaviour, in breach of the long-standing convention around Budget confidentiality, and we will undertake a review to make them more robust."

State Services Commissioner Peter Hughes said while there was no evidence of a system-wide issue, he had asked Andrew Hampton, the Government Chief Information Security Officer, to work with the Government Chief Digital Officer, Paul James, to provide assurance that information security across the Public Service was sound.

“This is an important issue because it goes to trust and confidence in the Public Service and in the security of government information,” Hughes said.

“The inquiry will seek to understand exactly what has happened so that it doesn’t happen again.”

Treasury said that having worked with the GCSB’s National Cyber Security Centre, these were the facts it had established:

- As part of its preparation for Budget 2019, the Treasury developed a clone of its website.

- Budget information was added to the clone website as and when each Budget document was finalised.

- On Budget Day, the Treasury intended to swap the clone website to the live website so that the Budget 2019 information was available online.

- The clone website was not publicly accessible.

- As part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase.

- The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site.

- As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents.

- A large number (approx. 2,000) of search terms were placed into the search bar looking for specific information on the 2019 Budget.

- The searches used phrases from the 2018 Budget that were followed by the "Summary" of each Vote.

- This would return a few sentences - that included the headlines for each Vote paper - but the search would not return the whole document.

- At no point were any full 2019/20 documents accessible outside of the Treasury network.
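As an added illustration of the failure the list above describes (this is not code from Treasury or from the article), here is a toy search index in which a clone deployment writes into the same index the live site queries, beside the two fixes a reviewer would expect: a separate index for the clone, and a query-time filter on which site published each document. The document texts, identifiers and figures are constructed placeholders.

```python
"""Toy model of the shared search index described in the list above.
Constructed example: document texts, ids and figures are placeholders."""
import re
from dataclasses import dataclass, field

@dataclass
class Doc:
    doc_id: str
    site: str   # "live" or "clone": which deployment published it
    text: str

def tokenize(text):
    # Keep "/" inside tokens so "2019/20" is indexed as a single term.
    return [t for t in re.split(r"[^0-9a-z/]+", text.lower()) if t]

@dataclass
class SearchIndex:
    """Minimal inverted index that keeps the full text for snippet display."""
    docs: dict = field(default_factory=dict)      # doc_id -> Doc
    postings: dict = field(default_factory=dict)  # term -> {doc_id, ...}

    def add(self, doc):
        self.docs[doc.doc_id] = doc
        for term in tokenize(doc.text):
            self.postings.setdefault(term, set()).add(doc.doc_id)

    def search(self, phrase, site=None, window=30):
        """Snippets for documents containing every term of `phrase`.
        site=None: any indexed document may be shown (the weak behaviour).
        site="live": only documents the live site itself published."""
        terms = tokenize(phrase)
        if not terms:
            return []
        candidates = set.intersection(*(self.postings.get(t, set()) for t in terms))
        hits = []
        for doc_id in sorted(candidates):
            doc = self.docs[doc_id]
            if site is not None and doc.site != site:
                continue
            # Snippet = text surrounding the first query term, as the page describes.
            m = re.search(re.escape(terms[0]), doc.text, re.IGNORECASE)
            start = max(0, m.start() - window)
            hits.append((doc_id, doc.text[start:m.end() + window]))
        return hits

# Constructed sample content; [FIGURE] stands in for the real numbers.
LIVE_DOC = Doc("vote-health-2018-19", "live",
               "Vote Health 2018/19 Estimates. Summary of the Vote: purchase of assets [FIGURE].")
EMBARGOED_DOC = Doc("vote-health-2019-20", "clone",
                    "Vote Health 2019/20 Estimates. Summary of the Vote: purchase of assets [FIGURE].")
QUERY = "2019/20 purchase of assets"

def weak_deployment():
    """Clone copies every setting, including the index location, so both
    sites write to one index and the live site queries it unfiltered."""
    shared = SearchIndex()
    live_site, clone_site = shared, shared
    live_site.add(LIVE_DOC)
    clone_site.add(EMBARGOED_DOC)   # lands in the index the live site reads
    return live_site.search(QUERY)  # returns a 2019/20 snippet

def fix_separate_index():
    """Fix 1: the clone gets its own index, so nothing it publishes is
    visible to the live site's search."""
    live_site, clone_site = SearchIndex(), SearchIndex()
    live_site.add(LIVE_DOC)
    clone_site.add(EMBARGOED_DOC)
    return live_site.search(QUERY)  # []

def fix_filter_by_site():
    """Fix 2: even with a shared index, the live site only returns
    documents it published itself."""
    shared = SearchIndex()
    shared.add(LIVE_DOC)
    shared.add(EMBARGOED_DOC)
    return shared.search(QUERY, site="live")  # []
```

Either fix alone closes the leak in this model; applying both means a future configuration slip in one layer does not reopen it.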

So pretty much as had been surmised. Treasury needs to tighten its web development processes slightly, but little fallout from this failing.

Does anybody out there feel, like me, that our civil service, national and local, is all about authority and little about responsibility!

It's safe to say that Treasury is incompetent, and they have provided indisputable evidence of that. The clone of the website should not have been accessible publicly by any means. It should have been on a private network with external traffic blocked.

I'm not sure that the GCSB or any other IT related security agencies can really help with this. The weakest link in the security is the humans that are in charge. They should be replaced with people that have a more serious and security based understanding of data. For the money they are paid they could easily hire competent upper management.

So no fallout from the smears on the opposition, the potential use of a police complaint about sophisticated hacking to silence an opposition who just looked for the data? How convenient.

I might be wrong. Seems media are far more energised about this than I expected when I made that comment. Peters on top of his usual BS and bluster made accusation of criminality in a press conference - might be legally actionable. Makhlouf seems to have misled with his statements - but he is already off to pastures new so not sure there will be any censure. Robertson is going to get hammered for a few days but Ardern has set an incredibly low standard where ministers basically have to commit crimes before they lose their Ministerial warrant.

...agreed. The public have real day to day struggles on their plate without worrying about some boring budget released a few days earlier than it would have been.

Upshot is, Treasury had a security flaw and National operatives found it, then conducted a series of searches to exploit the flaw, then proceeded to leak this embargoed information to the public rather than advising the Treasury - a government body of its security flaw. Highly unethical of National at best. Instead of reporting a bug in a government website they proceeded to exploit it repeatedly to get hold of then release information that was not public nor intended to be.

Whether National's actions were legal seems up for debate. It seems like it would come down to establishing that the person accessing the resource knew what they were doing was dishonest or did so with the intent to deceive.

http://www.legislation.govt.nz/act/public/1961/0043/latest/DLM330422.html

http://www.nzlii.org/nz/other/nzlc/report/R54/R54-Appendix.html

That said, National seems unlikely to face serious investigation in today's climate.

So the most basic explanation of how Nats got their hands on some budget information before it being released was correct. Ineptitude of some Treasury employees in the process. And Treasury went out of its way to blame someone for a "criminal" activity nonetheless instead of honestly fronting the matter (which after all was not a major issue in its own right). That just shows that senior government staff have very wrong mind-sets.
Treasury should never have pointed fingers before getting to the bottom of it first. If I was Makhlouf, I would have said:
"We are not sure what has happened yet. We will need some time to ensure that we know what has happened before we can make a public comment on it." Not the crazy "we have been hacked" story that is really embarrassing.

"So the most basic explanation of how Nats got their hands on some budget information before it being released was correct."

Not quite. This required use of the Treasury search engine, not Google's cache, and they had to repeatedly search for specific terms in order to get little snippets of information each time, not complete documents.

Public search engine, not even the basic thought evident on the website to drop or disallow search terms containing the "19/20" string until after the embargo was lifted, pure amateur hour....

This is a much bigger debacle than is being made out.

The comments by Gabriel Makhlouf yesterday, were clearly lies. They were not hacked, it was not illegal, it was incompetence. Treasury would have known this, and should have just immediately done a mea culpa.

Robertson also will have been aware, and again should not have stated that it was illegal.

Originally I was of the opinion only Makhlouf should stand down, but reviewing what has happened, Robertson really should be gone as well.

Not to mention Winston, who made a complete tit of himself as well with his comments.

Winston seems to get away with it, somehow.

If the boot was on the other foot with Winston being incorrectly criticized as having acted illegally then there would be a defamation case well underway by now.

Makhlouf is already leaving - has new job in Ireland. An adherent of the Winston Peters/Donald Trump bluster, accuse and mislead handbook of media management.

"Robertson also will have been aware, and again should not have stated that it was illegal."

No, Robertson only knew what Treasury told him. If they told him they were hacked and didn't say how it happened, then he wouldn't have been aware of what actually happened.

What - Treasury misleading a minister? Then heads in Treasury must definitely roll.

And it appears they deliberately wasted police time by knowingly reporting a non-crime as a diversionary tactic - they could (should?) be charged.

Funny.. that was my thought too... hasn't treasury simply wasted police time? Bridges has suggested what they had found was taken off the website later so Treasury knew they had a flaw.... yet then engaged the police to do what?

More importantly, a Government department must be seen to be non-partisan. To at least imply - if not make - a false accusation against a political party breaks this premise, for which Makhlouf needs to take full responsibility. Whether Makhlouf is leaving in June or not, he needs to do the honourable thing and immediately resign; if not, be sacked.

Sheer incompetence wrapped up in duplicitous behaviour. I have lost all respect for Treasury and those involved while Bridges has gone up in my estimation (to be fair, the only way was up).

Well some poor vendor will be being fired this morning @ Treasury for mucking up the clone of the public website. Leaving the search index pointing at production is clearly incompetence - they could well be up for legal action.

To be fair though, said vendor would have been instructed by the IT team over there - who are just as culpable - this is an unfortunate error, but it's one that should have been caught by any proper release/test process.

But as the IT management folk are likely FTEs it will be the poor vendor who is scapegoated. As to which one - could be any of the web vendors on the CWP list - will be interesting to see if they're offered up to the media as sacrificial lambs anytime soon.

If this was a 'real' workplace and an employee had accessed information about a rival and leaked it for personal advantage, it would have been summary dismissal. In the eyes of anyone with a brain, Bridges is the loser here. The 'leak' was worthless in the first place, it was morally and ethically wrong to exploit the information, and now to try and claim the moral high ground is shambolic. He's an out and out loser. This government is an easy enough target without resorting to crap like this. Bring back Bill.

You do realise Bridges has effectively dominated the news cycle in opposition in Budget Week? When was the last time that happened.

They didn't look up confidential personnel information, they used a search function on a website. Calm your farm.

The fact people are overlooking all the civil service and Governmental incompetence that led to this point in order to slander Bridges for just doing his job incredibly effectively (arguably for once) speaks to their true colours.

Luckily, the information was worthless. Had it been more sensitive, the national interest could have been harmed (oh, that's a pun). Yes, Bridges has dominated the news cycle, but not in a good way. He looks like a blowhard desperate to save his own skin. And my farm is ploughed, planted and waiting for the spring, thanks.

Not certain I agree with you on this. If I go onto a company's website and find information on the site, I should be able to use this information. It is up to the company to protect their information. The lies about the "hacking" of the information are far more serious in nature. There should be serious consequences for knowingly lying.

The early release of a subset of the information is a bit of a tempest in a teapot in my opinion. Going to the police with a false claim of unlawful behavior, well, there should be some personal accountability. Whoever initiated that should be fined the costs incurred at a minimum. Accountability shouldn't be something only found in a dictionary.

Yes I agree - Labour/Treasury do not look good at all.

But in saying that I think Simon actually stuffed up in his "release". He could have really stirred up some trouble if he had focused on the incompetency rather than the "haha - we have it" angle he went with.

There was nothing controversial in the stuff released. Highlighting and re-enforcing the incompetence that led to the release would IMO have been a lot more politically damaging to the coalition.

Agreed. Bridges appears to not be adept at the political game. I can accept this. What bothers me more is his lack of clear focus on getting the job done. Then again, an opposition leader apparently is not to be liked. I disliked Little when he was opposition leader, for some of the same reasons as why I currently dislike Bridges. Now that Little isn't opposition leader he is more palatable. The role of opposition leader engenders dislike.

That said, if he took your route, I'd dislike him even more... I'd rather he focuses on substance instead of chasing errors that do not have much effect outside of the egg on face aspect. There are some amazing partisan blinders shown in various comments on this article, which suggests to me that some only see errors in their perceived opponents and only goodness in "their" team. Sadly, some of the more partisan comments come from academicians, who should be a bit better at being objective.

Yeah, I watched his press conference this morning. He stated it was a National Party operation - bringing the whole organisation - both the caucus as well as the party into disrepute. We need an opposition that spends their time on alternative policy/governance options, as opposed to underhanded psyops.

Using a search bar on a government website is 'Psyops'?

Unbelievable.

Well yes, as Toby Manhire explains:

If National has by this definition hacked the Treasury website, then I have hacked, for example, the Australian newspaper or Google books. In both cases a paywalled, or unavailable, part of content can be generated via a search field, and if you’re desperate enough you can cobble together full passages by tweaking the precise words of the search.

Desperate being the operative word. Around 2000 different search attempts desperate. Who has that kind of time? And my guess is given it was a Parliamentary services IP address, you and I paid for that desperation.

I note that you are no longer peddling conspiracy theories about Bridges being the "patsy" in this. Good.

Frankly, I wish I had been correct, in that way he would not have been culpable for the unethical act - he would just have been a patsy passing on a leak. A harmless idiot. But no, he's an admitted purveyor of embargoed information. By any definition it's a cyber attack;

"It's very unsophisticated, but if that's your target and no-one is meant to get hold of it then it's an attack."

But of course you do wish that; you should try and control your wishful thinking tendency though - not just on this particular subject.

What's wrong with wishing that people in positions of power had better morals?

I suspect your moral standards only apply to people you disagree with. Did you also complain about the actually illegal hacks of Brash and Slater? Or is it different when the left do it?

Nicky Hager is not a Parliamentarian, he's a journalist who focuses his work on exposing political wrong-doing regardless of political affiliation. Different matter altogether from a moral perspective. Just as when Woodward and Bernstein broke the Watergate scandal - understanding the truth was in the public interest. Just as Dirty Politics was.

Simon Bridges wasn't exposing some kind of illegal or immoral activity carried out by the government of the day. Completely different matter altogether.

Moreover I'm glad someone did hack Slater as it did serve to expose and bring down that kind of gutter politics. If you want it back Foyle, I think you and Simon would be in the minority.

You may be projecting there.

It is not a good look is it? National look like spoiled kids. Treasury look unreliable, Robertson and Peters and Ardern have egg on their faces.

The conclusion? "Any organisation tends to be run primarily for the benefit of those running it" comes to mind.

Herewith the original, hilarious and incisive C. Northcote Parkinson article, well worth the read:
https://www.economist.com/news/1955/11/19/parkinsons-law

Gabriel Makhlouf keeps using the word "hack" - I don't think he knows what that word means. The actual word he should have used is "incompetent". The Treasury is incompetent; that's what actually happened. However, did he lie, knowing it was not a hack, or is he incompetent too?

There is no chance a heavy hitter such as him would have confused a hack with a straightforward retrieval of information easily available on Treasury’s website. So either he and his high powered cyber advisers didn’t have a clue what had occurred and were just guessing when they called in the cops, or else his actions have political undertones, i.e., either incompetent or sinister.

I agree, but I always assume incompetency until proven otherwise. I assume Mr. Makhlouf is a boomer with a vague understanding of IT matters. Calling the police seems like an over-reaction and the police quickly dismissed any illegality.

He's been at Treasury since 2011. He is very competent, but probably not used to receiving this amount of heat - and made a bad call in a crisis. It happens.

I don't doubt his competency for Treasury and I am sure he will do well at the Bank of Ireland, but that doesn't mean he is competent in all areas.

So no hacking, just incompetence and lies by treasury and the government. Well at least it drowned the admission by Twyford that KiwiBuild will not even reach 10% of its target!

Yvil. You clearly didn’t get the memo from the mother of the nation that the words kiwi and build will henceforth not be used together. Phil is about to be photoshopped out of previous coalition cabinet photos. Soon he and the program whose name shall not be said will never have existed.

Peters yet again is allowed by media to make deeply serious insinuations against the opposition, with no consequences when they are subsequently proven to be well wide of the mark. And now it has emerged that when Robertson made similar dark allegations he almost certainly knew that Makhlouf’s police complaint was unfounded, where are the searching cross examinations of him by media?

The Police know they would be laughed out of court, and they have no reason to engage in a cover up for the failures of Treasury.

Must be the same web developer who built REINZ website! You used to be able to get all sorts of sales data from their search engine.

Yes, it was quite clearly unlawful and would have been instant dismissal had an employee done something similar. The important thing here is that what was released was so ho-hum, not in the public interest, and the only real fallout is that it shows how low this appalling opposition is prepared to stoop. Once again, Ardern has claimed the high ground.

"clearly unlawful" ? - the police think the opposite but of course you know better.

No, I was merely repeating the opinions of several high profile lawyers as reported on another website. I have some experience in law, though, and I would tend to agree with them. Lower scale offending though, more an ethical issue. By the way, apparently Bridges has gone into hiding at a foreign embassy and set up a site called Kiwileaks...

The comments made in the article when tested in court and subject to expert evidence would not survive scrutiny.

However I understand since the publication of the article the Finance Minister has placed a copy of the budget outside Simon Bridges office door and is waiting for him to break the law by picking it up. Perhaps it's best to ignore the sad and desperate defense that the Government is trying to use.

It is most definitely in the public interest to have information on the government's decisions put out without the government's spin, however inconvenient that may be to the ambitions of the government. The Opposition's role is to act as critics and auditors of the government's decisions, not to aid them in their efforts to 'control the message' via their Ministerial staff propagandists as they work to be re-elected.

Oh please.

We can debate how National played this out... but what should be the focus is the incompetence of Treasury here.

If the information National disclosed was publicly available, who else has accessed it? How this information is held and managed is critical and Treasury have completely dropped the ball. Robertson as Fin. Minister is responsible for Treasury and has to demand accountability. I think National are going too far asking for Robertson's head... but Makhlouf's persistent claims of underhanded 'attacks' and getting the police involved surely leave his position untenable.

"If the information National disclosed was publicly available, who else has accessed it?"

That's the key. The information was publicly available. Using Makhlouf's own example, i.e. the bolted room.

It was not in a bolted room/private residence. Where someone jimmied the door open.

Rather the document had been bolted to a bench in a public park, and some of the pages could still be turned.

Yup.. totally.. Robertson needs to muzzle Makhlouf.. he is just making a fool of himself.

Two things: 1) This is huge. The blatant cover-up by Treasury, the lies about being hacked, the knee jerk ultra-defensiveness, and the arrogance of assuming the public would swallow the lies, casts doubt about the integrity of the Treasury itself. Who now can trust any figures they produce? This incident has torn the very fabric of the socio-political-democratic contract. 2) It shows a civil service/ govt spin doctor brigade that is (surprisingly in the case of the latter) woefully out of touch with the internet age. Once you can get info on a relatively simple search in the public domain, baby, it is out there, it is anyone’s! Dragging the cops into this is sort of an insult to any Kiwi surfing the net right now. Your actual normal person is laughing their heads off at this.

I guess it's fair to assume that if I lost my wallet somewhere Simon Bridges and the National party would be the last people I want to find it. I certainly would not expect it or its contents back and most likely they would be spread all over the pavement.
Edit to note I also wouldn't be leaving it for Treasury to look after.

Bad analogy. Does someone seeing the Mona Lisa in the Louvre somehow diminish the value of the Mona Lisa? Someone else seeing information does not mean the original owner no longer possesses it.

Seeing it then handing out the contents to others you mean.
I still wouldn't trust him to hand my wallet back untouched

Good point re it not being stolen. Remember the silly comments about "stolen" emails when Dirty Politics was released, when in fact the emails were never removed from the original holders' possession. But it was all the rage then to screech that they were stolen.