28 Feb 2020

Treasury fell short on protecting documents, report finds

3:03 pm on 28 February 2020

A report into how sensitive documents were accessed ahead of last year's Budget has found Treasury governance, oversight and risk management processes fell short.

From left, Treasury Secretary Dr Caralee McLiesh, State Services Commissioner Peter Hughes and investigation leader Jenn Bestwick.

Photo: RNZ / Yvette McCullough

The investigation led by Jenn Bestwick found a series of technical decisions led to a rushed and sub-optimal process for delivering the Budget.

Two days before the Budget 2019, the National Party released some details it had obtained.

Former Treasury Secretary Gabriel Makhlouf said at the time that Treasury's systems had been "deliberately and systematically hacked" and referred the matter to the police.

However less than 48 hours later it was revealed the Budget documents had been published accidentally, and accessed by National simply using the website search function.

The inquiry found that consideration was not given to the "Budget Day scenario" when moving to a new website in 2018.

In previous years, sensitive documents had been loaded onto a website content management system in a "draft" state. The site was then taken offline so material could be moved into a "published" state.

This approach was not possible on the new website, which led to "a rushed and sub-optimal decision" to publish Budget documents on a clone website, that had a shared index with the live website.

This meant document headings and snippets of data from the clone site came up in the search function.

The report found this design flaw also existed in the 2018 Budget, but there was no evidence of a security breach.

Gabriel Makhlouf, Secretary of the Treasury. Half Year Economic and Fiscal Update 2017.

Gabriel Makhlouf. Photo: RNZ / Rebekah Parsons-King

State Services Commissioner Peter Hughes said this should not have been allowed to happen.

"Some things are so critical that they can never be allowed to fail. Security of the Budget is one of these.

"Some things you just need to get right. Each and every time. For these you need to check, check, check and check again and that didn't happen with security around Budget 2019.

"I am confident that new Secretary of the Treasury will provide the leadership to deliver the necessary changes to ensure this doesn't happen again", he said.

Hughes said changes had already been implemented, including a member of the executive leadership team personally overseeing the security of the Budget.

In November last year, the investigation was shut down and a new inquirer appointed because a key member of the team failed to declare a conflict of interest.

Bestwick replaced Murray Jack as the head of the fresh investigation.

At the time, Hughes said he had the option of continuing the investigation, but he was not prepared to risk any possibility of compromise.

"Starting the investigation again is the right thing to do. Near enough is not good enough when it comes to integrity", Hughes said.

The investigation follows a State Services Commission report released in June last year, that examined Makhlouf's conduct.

It found that Makhlouf was clumsy, unreasonable, and fell well short of expectations in his handling of the Budget data breach.

It found he did not act reasonably in his descriptions of the breach or his subsequent explanations to media, including a "bolt" analogy in an interview with RNZ's Morning Report.

However the report concluded Makhlouf acted in good faith and without political bias when he notified Finance Minister Grant Robertson and the police.

The saga happened just weeks before Makhlouf was leaving Treasury to take up the role of governor of the Central Bank of Ireland.

New Treasury Secretary Dr Caralee McLiesh said the Budget production process for this coming May is robust, secure, and in line with best practice.

"The Budget is a core priority of the Treasury and what happened should never happen again.

"The Treasury accepts all of the inquiry's findings. When I came into the job last September, the Treasury had already made a number of improvements and we have since initiated a programme of work to improve security processes around the Budget.

"A lot of the necessary changes identified in the inquiry report have been implemented or are already underway," McLiesh said.

Politicians react

National finance spokesperson Paul Goldsmith said the report showed the Finance Minister was ultimately responsible for failing to keep Budget sensitive information secure.

"Mr Robertson put out a statement at the time claiming that 'Treasury said they have sufficient evidence that indicates the material is a result of a systematic hack and is now subject to a police investigation.'

"Mr Robertson swallowed the lines of his agency. He accepted their excuses, didn't ask the right questions and even when it became clear he was wrong - he then doubled down.

"This is one of the biggest failures in Treasury's history and it happened under his watch," he said.

Goldsmith said Robertson owed National an apology for implying the party had obtained the information through an illegal hack.

"The reality is we were doing what a good Opposition does - highlighting the government's failures," Goldsmith said.

Robertson welcomed the findings of the inquiry.

"I was extremely disappointed that the information was able to be accessed before Budget 2019, and I remain of that view.

"The new Treasury Secretary Dr Caralee McLiesh has put in place a number of changes which she assures me means Budget sensitive information will remain secure," Robertson said.

Get the RNZ app

for ad-free news and current affairs