30 May 2019

Budget breach didn't break the law - Treasury

12:50 pm on 30 May 2019

Treasury has confirmed that a feature in its website search tool was exploited by an unknown person or persons, but police have concluded this did not break the law.

The investigation found one of the IP addresses involved in the searches belonged to the Parliamentary Service.

In a statement released this morning, Treasury said a police investigation had concluded and they were not planning any further action.

But Treasury said the evidence showed "deliberate, systematic and persistent searching of a website that was clearly not intended to be public".

"Evidence was found of searches that were clearly intended to produce results that would disclose embargoed Budget information. Three IP addresses were identified that performed (in the Treasury's estimation) approximately 2000 searches, over a period of 48 hours, which pieced together the small amount of content available via the search tool.

"The IP addresses involved belonged to the Parliamentary Service, 2degrees and Vocus."

Treasury will review its security, while the State Services Commission has also launched an inquiry.

Treasury and the GCSB's National Cyber Security Centre have found the breach involved a clone of Treasury's website, created as part of its preparation for the Budget.

Budget information was then added to the clone website when each Budget document was finalised.

On Budget Day, Treasury intended to swap to the live website, and the clone website was not publicly accessible.

Treasury said content was indexed to make searching on the site faster.

"Search results can be presented with the text in the document that surrounds the search phrase.

"The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site.

"As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents."
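The indexing fault Treasury describes, as an added illustration (not Treasury's code or its search product): a live site and its clone write to one index store, so an unscoped search returns snippets of clone-only content, while a search scoped to the serving site does not. The class, site labels and sample documents are constructed assumptions.

```python
import re
from collections import defaultdict


class SharedIndex:
    """One index store that both the live site and its clone write to."""

    def __init__(self):
        self.docs = {}                    # doc_id -> (site, text)
        self.postings = defaultdict(set)  # term -> {doc_id}

    def add(self, doc_id, site, text):
        self.docs[doc_id] = (site, text)
        for term in re.findall(r"\w+", text.lower()):
            self.postings[term].add(doc_id)

    def _match(self, query):
        # Documents containing every term of the query.
        sets = [self.postings.get(t, set()) for t in re.findall(r"\w+", query.lower())]
        return set.intersection(*sets) if sets else set()

    def _snippet(self, doc_id, query, width=40):
        # Text surrounding the first search term, as a results page would show it.
        text = self.docs[doc_id][1]
        pos = text.lower().find(re.findall(r"\w+", query.lower())[0])
        return text[max(0, pos - width): pos + width]

    def search_unscoped(self, query):
        # Weak setting: every indexed document is eligible, whichever site wrote it.
        return {d: self._snippet(d, query) for d in self._match(query)}

    def search_scoped(self, query, site):
        # Corrected: only documents published on the serving site are eligible.
        return {d: self._snippet(d, query) for d in self._match(query)
                if self.docs[d][0] == site}

    def foreign_entries(self, site):
        # Audit check: index entries the serving site never published.
        return sorted(d for d, (s, _) in self.docs.items() if s != site)


def build_sample():
    # Constructed sample documents; the text is placeholder, not Budget content.
    idx = SharedIndex()
    idx.add("live/2018-vote-a", "live", "Vote Example 2018 summary: published figures.")
    idx.add("clone/2019-vote-a", "clone", "Vote Example 2019 summary: embargoed placeholder.")
    return idx
```

Running `foreign_entries("live")` against the production index before a clone is populated is the check that would flag this condition.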

About 2000 search terms were placed into the search bar, looking for specific information on the 2019 Budget.

The searches used phrases from the 2018 Budget that were followed by the "Summary" of each Vote. This would return a few sentences - that included the headlines for each Vote paper - but the search would not return the whole document.

Treasury said "at no point" were any full 2019/20 documents accessible outside of its network.

Treasury Secretary Gabriel Makhlouf thanked police for the "prompt consideration of this issue".

"In my view, there were deliberate, exhaustive and sustained attempts to gain unauthorised access to embargoed data. Our systems were clearly susceptible to such unacceptable behaviour, in breach of the long-standing convention around Budget confidentiality, and we will undertake a review to make them more robust."

The State Services Commission has also launched an inquiry into how Budget material was accessed.

State Services Commissioner Peter Hughes said unauthorised access to confidential Budget material was a "very serious matter".

"Mr Makhlouf has asked me to investigate and I am considering my options. This is a matter of considerable public interest and I will have more to say as soon as I am in a position to do so."

Mr Hughes said he had asked Government Chief Information Security Officer Andrew Hampton to work with Government Chief Digital Officer Paul James "to provide assurance that information security across the Public Service is sound", although there was currently no evidence of a system-wide issue.

"This is an important issue because it goes to trust and confidence in the Public Service and in the security of government information," said Mr Hughes.

"The inquiry will seek to understand exactly what has happened so that it doesn't happen again."

Treasury's announcement came ahead of an 8.45am announcement from National Party leader Simon Bridges, where he is expected to reveal how the party received information it claimed was Budget documents.

National released the documents on Tuesday morning, claiming it was official budget information for 18 of the 40 policy areas. Finance Minister Grant Robertson has since repeatedly said in Parliament that some of the information in National's documents was correct, some was not.

Technology commentator Paul Brislen told Morning Report the actions of the person or people involved were probably illegal.

"Under the Crimes Act, unauthorised access of a computer and unauthorised access of content is the crime itself. If you know you're not supposed to have access to this and you try anyway, then that is the trigger point of whether it's legal or not as I understand it, and I'm not a lawyer, and this hasn't been tested in court."

He said it was not uncommon to build a clone version of the website to be pushed out to the public - it did not have important documentation but was a chance to test search functionality and accessibility features.

The information available was limited to headlines and small summaries and probably nothing sensitive, he said.

"But the idea that somebody is systematically trying as many searches as possible to see what they could get both from the look of it anyway within Parliamentary Services and then presumably from home that does raise alarm bells and presumably will be part of the investigation."

The three IP addresses would imply one person searching within Parliamentary Services and then other searches from a mobile and a landline - it was unclear whether it was the same person each time, Mr Brislen said.

Asked if it was embarrassing for Treasury, he said a clone version of a website was a really good idea to make sure the site would work well on the day of the Budget.

"I think perhaps where they let themselves down was coming out so strongly yesterday describing what sounded very much like a Mission Impossible hacking attack on Treasury computers when in fact it was just someone searching for information. The characterisation they gave it made a very large number of people get very excited about how secure or insecure the website was when in fact it wasn't that kind of breach at all."

Otago University Law Professor Andrew Geddis said hacking isn't an offence, but accessing a computer system without authorisation is. He said because of the design of the website involved, and the fact the documents aren't classified or secret, no criminal offence has occurred.

He assumed that the police had decided because Treasury had a public search function any search of its website had been implicitly authorised so it was not an offence.

The Budget documents might have an embargo from the government but there is no legal reason they cannot be made public if the Opposition happens to discover them, Professor Geddis said. The government itself had made 17 pre-Budget announcements - proving the information did not have to remain secret until Budget Day.

As far as ethics were concerned, a bit of "fast practice" had been required, repeatedly going back to the site in the hope of something being discovered. "It's simply trying to spoil the government's big Budget Day. ... I'm not sure it's as big a coup as the Opposition is making out that it is, but equally I'm not sure it's as bad as the government is making out."

He said it was embarrassing because Treasury had embarrassed its Minister.

"I think one of the problems is that the head of Treasury came out so hard and used this word hacking and made it sound like there had been some kind of deliberate attempt to smash open a locked vault, as he put it, and when we see what happened it doesn't look like that at all.

"So I think the head of Treasury will have to explain how he portrayed this in the media yesterday."

The release prompted speculation about where the information could have come from, and the Treasury later that evening said it had evidence that its "systems have been deliberately and systematically hacked", which it had passed on to police.

Mr Robertson then released a statement saying the matter was extremely serious but was now a matter for police.

"We have contacted the National Party tonight to request that they do not release any further material, given that the Treasury said they have sufficient evidence that indicates the material is a result of a systematic hack and is now subject to a Police investigation," he said.

Following that, Mr Bridges said in a tweet that Mr Robertson had smeared the National Party and should resign.

He stood by that position at a press conference yesterday morning.

It all casts a murky shadow over the release of the government's "wellbeing" Budget, due to be released officially at 2pm today.
