Budget breach didn‘t break the law - Treasury

Photo: RNZ / Dom Thomas.

Treasury has confirmed that a feature in its website search tool was exploited by an unknown person or persons, but police have concluded this did not break the law.

The investigation found one of the IP addresses involved in the searches belonged to the Parliamentary Service.

In a statement released this morning, Treasury says a police investigation had concluded and they are not planning any further action.

It says the evidence showed "deliberate, systematic and persistent searching of a website that was clearly not intended to be public".

"Evidence was found of searches that were clearly intended to produce results that would disclose embargoed Budget information. Three IP addresses were identified that performed (in the Treasury's estimation) approximately 2000 searches, over a period of 48 hours, which pieced together the small amount of content available via the search tool.

"The IP addresses involved belonged to the Parliamentary Service, 2degrees and Vocus."

Treasury will review its security, while the State Services Commission has also launched an inquiry

Treasury and the GCSB's National Cyber Security Centre have found the breach involved a clone of Treasury's website, created as part of its preparation for the Budget.

Budget information was then added to the clone website when each Budget document was finalised.

On Budget Day, Treasury intended to swap to the live website and the clone website was not publically accessible.

Treasury says content is indexed to make searching on the site faster.

"Search results can be presented with the text in the document that surrounds the search phrase.

"The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site.

"As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents."

About 2000 of the search terms were placed into the search bar looking for specific information on the 2019 Budget.

The searches used phrases from the 2018 Budget that were followed by the "Summary" of each Vote. This would return a few sentences - that included the headlines for each Vote paper - but the search would not return the whole document.

Treasury says "at no point' were any full 2019/20 documents accessible outside of its network.

Treasury Secretary Gabriel Makhlouf thanked police for the "prompt consideration of this issue".

"In my view, there were deliberate, exhaustive and sustained attempts to gain unauthorised access to embargoed data. Our systems were clearly susceptible to such unacceptable behaviour, in breach of the long-standing convention around Budget confidentiality, and we will undertake a review to make them more robust."

The State Services Commission has also launched an inquiry into how Budget material was accessed.

State Services Commissioner Peter Hughes said unauthorised access to confidential Budget material was a "very serious matter".

"Mr Makhlouf has asked me to investigate and I am considering my options. This is a matter of considerable public interest and I will have more to say as soon as I am in a position do so."

Peter says he had asked Government Chief Information Security Officer Andrew Hampton to work with Government Chief Digital Officer Paul James "to provide assurance that information security across the Public Service is sound", although there was currently no evidence of a system-wide issue.

"This is an important issue because it goes to trust and confidence in the Public Service and in the security of government information."

"The inquiry will seek to understand exactly what has happened so that it doesn't happen again."

Treasury's announcement came ahead of an 8.45am announcement from National Party leader Simon Bridges, where he is expected to reveal how the party received information it claimed was Budget documents.

National released the documents on Tuesday morning, claiming it was official budget information for 18 of the 40 policy areas. Finance Minister Grant Robertson has since repeatedly said in Parliament that some of the information in National's documents was correct, some was not.

The release prompted speculation about where the information could have come from, and the Treasury later that evening said it had evidence that its "systems have been deliberately and systematically hacked", which it had passed on to police.

Grant then released a statement saying the matter was extremely serious but was now a matter for police.

"We have contacted the National Party tonight to request that they do not release any further material, given that the Treasury said they have sufficient evidence that indicates the material is a result of a systematic hack and is now subject to a Police investigation," he said.

Following that, Mr Bridges said in a tweet that Mr Robertson had smeared the National Party and should resign.

He stood by that position at a press conference yesterday morning.

It all casts a murky shadow over the release of the government's "wellbeing" Budget, due to be released officially at 2pm today.

More on SunLive...
You must be logged in to make a comment. Login Now
There are no comments on this article.