Treasury details how someone with a Parliamentary IP address found bits of Budget 2019 with search queries. It says the searches were not unlawful and the police hunt for a ‘hacker’ has been called off, while an inquiry will be launched into the Treasury IT flaw. Bernard Hickey reports.
Treasury announced this morning that police have called off their inquiry into hacking of Budget 2019 information after telling Treasury the “deliberate, exhaustive and sustained attempts to gain unauthorised access to embargoed data” was not unlawful.
Treasury said one of the IP addresses used in the searches was from the Parliamentary Service.
The State Services Commission said it had launched an Inquiry into how Budget 2019 material was accessed at the Treasury, but that it would be limited to state servants.
National Leader Simon Bridges accused Treasury yesterday of “bumbling incompetence” and said National had done nothing unlawful or inappropriate in obtaining Budget details it released on Tuesday. He has called a news conference for 8.45 this morning to give more details on how the information was obtained.
Bridges accused Finance Minister Grant Robertson on Wednesday of connecting the police inquiry into the ‘hack’ to National in a way designed to smear the Opposition and has called on him to resign.
Robertson announced on Tuesday evening that Police had been called in after National’s release of information and he asked National not to release more information, “given that the Treasury said they have sufficient evidence that indicates the material is a result of a systematic hack and is now subject to a Police investigation.”
Bridges said that suggestion from Robertson that National had ‘hacked’ Treasury was a scurrilous accusation and a “democratic outrage.”
The latest from Treasury
Treasury said this morning it had worked with GCSB’s National Cyber Security Centre to establish the following facts:
– As part of its preparation for Budget 2019, the Treasury developed a clone of its website.
– Budget information was added to the clone website as and when each Budget document was finalised.
– On Budget Day, the Treasury intended to swap the clone website to the live website so that the Budget 2019 information was available online.
– The clone website was not publically accessible.
– As part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase.
– The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site.
– As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents.
– A large number (approx. 2,000) of search terms were placed into the search bar looking for specific information on the 2019 Budget.
– The searches used phrases from the 2018 Budget that were followed by the “Summary” of each Vote.
– This would return a few sentences – that included the headlines for each Vote paper – but the search would not return the whole document.
– At no point were any full 2019/20 documents accessible outside of the Treasury network.
Treasury said this showed “deliberate, systematic and persistent searching of a website that was clearly not intended to be public.”
It said the search queries were intended to produce results that would disclose embargoed Budget information.
Three IP addresses were identified that performed about 2,000 searches over 48 hours, which pieced together the small amount of content available via the search tool. The IP addresses involved belonged to the Parliamentary Service, 2degrees and Vocus, Treasury said.
The searches ultimately led to unauthorised access to small amounts of content from the 2019/20 Estimates documents, Treasury said, adding none of the information was due to be available to Parliament and the public until Budget Day.
‘Our systems are susceptible’
Treasury Secretary Gabriel Makhlouf thanked the police in the statement.
“In my view, there were deliberate, exhaustive and sustained attempts to gain unauthorised access to embargoed data. Our systems were clearly susceptible to such unacceptable behaviour, in breach of the long-standing convention around Budget confidentiality, and we will undertake a review to make them more robust,” Makhlouf said.
He added Treasury took immediate steps on Tuesday to increase the security of all Budget-related information.
He said he had asked the State Services Commissioner to conduct an inquiry in order to look at the facts and recommend steps to prevent such an incident being repeated.
State Services Commissioner Peter Hughes put out a statement shortly afterwards confirming the Inquiry “the adequacy of Treasury policies, systems and processes for managing Budget security.”
“Unauthorised access to confidential budget material is a very serious matter,” said State Services Commissioner Peter Hughes in a statement.
Hughes said there was no evidence of a system-wide issue, but he had asked Andrew Hampton, the Government Chief Information Security Officer, to work with the Government Chief Digital Officer, Paul James, to provide assurance that information security across the Public Service was sound.
The statement said the Commissioner’s jurisdiction was confined to State servants.