Comment permalink

Finance Minister Grant Robertson says he is "very disappointed" that Treasury didn't find out more about the Budget breach before calling in the police.

Robertson's comments came after National leader Simon Bridges this morning blasted the Government and Treasury's "incompetent smear" job wrongly suggesting National had hacked Budget details.

• More Budget blundering as copies handed out early

"It shows deep dishonesty. Treasury has known since Tuesday exactly what happened and they covered it up to hide their incompetence. They have sat on a lie, calling the National Party criminal hackers and calling in the police," Bridges said today.

His comments follow confirmation today that sensitive Budget information made public by National was not hacked from the Treasury website but instead accessed legally.

The people who accessed Budget information from the Treasury website did not act illegally.

Treasury had made changes on Tuesday and people in Treasury have told him that they knew, but had continued to "lie", Bridges said.

Bridges said the Treasury Secretary Gabriel Makhlouf - who has already resigned to take a job in Ireland - must resign.

He said Robertson was "donkey deep" in this and had been briefed by Treasury. Robertson was responsible and must resign, Bridges said.

"He does not have the moral authority to deliver the Government's Budget today."

He accused Robertson of lying and unfairly smearing National, and this morning repeated his call for Robertson to resign.

Robertson has said he will not resign, and responded this morning: "I'm very disappointed that confidential Budget information was able to be accessed in this way. I am also very disappointed that the Treasury did not seek to find more information as to how this happened before referring the matter to the Police.

"I now await the inquiry of the State Services Commissioner into this matter."

In his stand-up this morning Bridges said Winston Peters had claimed he knew what happened with the so-called breach and that it was illegal.

He said if Peters had any integrity, he should publicly apologise.

Bridges said National staffers had used the search bar on the Treasury website and searched for 2019/20, and Budget information came up.

"Any member of the NZ public could have done this if they had an interest in the Budget, from your grandson to your grandma," Bridges said.

Makhlouf had compared this to an attack on a padlocked door, but Bridges said it was more like putting information in the street with a sign on it saying "free to a good home".

Bridges said Makhlouf was being dishonest because it was clear that Treasury knew what had happened on Tuesday.

He defended National staffers going looking for the information on the website, saying the only wrongful behaviour came from Treasury, Robertson and Peters.

"The Deputy PM of New Zealand came out and accused me of criminal behaviour. That is disgraceful," Bridges said.

That had prompted him to reveal this morning how National had come upon the information. He said Treasury was not only sitting on a lie, but had compounded it.

Bridges said it was not believable that Robertson did not know what had happened when he asked National not to release any more Budget information.

Police confirm Treasury website access 'not unlawful'

Instead, they appeared to have used a search tool on the Treasury department's website, which "does not appear to be unlawful", police advised Treasury.

The person or persons were able to "exploit" the system because Treasury staff had been preparing a clone website in the background that they intended to swap over with the live website on Budget day.

To do this they began uploading some Budget information onto the clone site.

Although not publicly accessible, some of the information could be seen when a search was made on the website.

Investigations into what happened showed about 2000 searches were made for Budget information.

"The evidence shows deliberate, systematic and persistent searching of a website that was clearly not intended to be public," Treasury said.

"Evidence was found of searches that were clearly intended to produce results that would disclose embargoed Budget information.

"Three IP addresses were identified that performed [in the Treasury's estimation] approximately 2000 searches, over a period of 48 hours, which pieced together the small amount of content available via the search tool.

"The IP addresses involved belonged to the Parliamentary Service, 2degrees and Vocus."

The news comes after speculation had begun to mount that the leak of Budget information was more a "cock-up" than hack.

NZ Herald tech writer Juha Saarinen found screenshots of a Google search for "estimates of appropriation 2019/2020" circulating on Twitter suggesting the data was publicly accessible.

Treasury Secretary Gabriel Makhlouf had said yesterday that there were more than 2000 unauthorised attempts to get Budget-related information from its website.

National leader Simon Bridges - whose party had released information - was quick to fire back yesterday, saying claims documents were hacked from Treasury was a lie.

He attacked a "bungling, incompetent" Government over the early release of the sensitive Budget details and stressed his party had obtained its information legally.

The State Services Commission will undertake an inquiry into the matter after being asked by Makhlouf to check on "the adequacy" of security around the Budget.

"Unauthorised access to confidential budget material is a very serious matter," State Services Commissioner Peter Hughes said.

"This is a matter of considerable public interest and I will have more to say as soon as I am in a position do so."

Hughes asked the Government Chief Information Security Officer and Chief Digital Officer to "provide assurance that information security across the Public Service is sound".

"This is an important issue because it goes to trust and confidence in the Public Service and in the security of government information," Hughes said.

Treasury and GCSB's National Cyber Security Centre were working on establishing the facts of the incident, Treasury said in a statement.

"While this work continues, the facts that have been established so far are:

• As part of its preparation for Budget 2019, the Treasury developed a clone of its website.

• Budget information was added to the clone website as and when each Budget document was finalised.

• On Budget Day, the Treasury intended to swap the clone website to the live website so that the Budget 2019 information was available online.

• The clone website was not publicly accessible.

• As part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase.

• The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site.

• As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents.

• A large number (approx. 2000) of search terms were placed into the search bar looking for specific information on the 2019 Budget.

• The searches used phrases from the 2018 Budget that were followed by the "Summary" of each Vote.

• This would return a few sentences - that included the headlines for each Vote paper - but the search would not return the whole document.

• At no point were any full 2019/20 documents accessible outside of the Treasury network.

"The nature of these searches ultimately led to unauthorised access to small amounts of content from the 2019/20 Estimates documents, none of which were due to be available to Parliament and the public until Budget Day."

Makhlouf said in his view "there were deliberate, exhaustive and sustained attempts to gain unauthorised access to embargoed data.

"Our systems were clearly susceptible to such unacceptable behaviour, in breach of the long-standing convention around Budget confidentiality, and we will undertake a review to make them more robust."

The Treasury took immediate steps on Tuesday to increase the security of all Budget-related information.

Makhlouf asked the State Services Commissioner to conduct an inquiry in order to look at the facts and recommend steps to prevent such an incident being repeated.