A scathing report into the accidental release of sensitive Budget 2019 information by the Treasury has found poor procurement processes and governance failures by senior leadership were to blame for security flaws in its website not being identified earlier.
The inquiry into the accidental release of Budget 2019 information before Budget day has reported back on the “rushed” development of a new Treasury website. The State Services Commission launched the inquiry after the National Party trumpeted figures it had been able to obtain from the Government’s Budget appropriations online, on the eve of the coalition’s first Wellbeing Budget.
Treasury Secretary Gabriel Makhlouf initially told media the Treasury had been “deliberately and systematically hacked” and that he had referred the matter to police, but National leader Simon Bridges later revealed his party had obtained the data simply from searching the Treasury’s website.
The inquiry, led by Jenn Bestwick, found that a series of decisions made during the procurement process for a new Treasury website had led to a “rushed, sub-optimal solution”, with the Treasury repeatedly excluding Budget Day scenarios from its considerations in the project’s development.
The decision to use a “vaulted clone” model – where a complete, offline replica of the new Treasury website was set up to be swapped with the live website on Budget Day – was undermined by the decision to use a shared index for both sites, and did not meet the Government’s digital service design guidelines for sensitive information.
The shared index meant that searches on the live site could pull up headline information and “snippets” of Budget 2019 information on the cloned site.
The inquiry found that the Treasury did not have effective governance or oversight processes to manage the Budget process from start to finish, with known risks like the indexing problem not receiving appropriate consideration.
“This is consistent with the failure by senior leadership to pay attention to core operational performance as reported by the inquiry,” the report says.
The inquiry also highlighted ever-increasing demands on the Treasury for Budget services and products, with “managers and teams feeling they had no option but to deliver whatever was requested of them, irrespective of the impact on resourcing and potential organisational risk”.
State Services Commissioner Peter Hughes said the Treasury had failed to strike the right balance between its policy work and corporate services such as IT systems.
“Some things are so critical that they can never be allowed to fail. Security of the Budget is one of these.”
Hughes believed the problem was not a lack of funding for Budget processes, but how the Treasury had prioritised that work within its overall budget.
“Not everything is equal. Treasury does a lot of things, not all of them are of the same importance, but the Budget is a core product for the Treasury, and we need to get that right.”
The most important failures had not been in IT, but in governance, leadership and management, he said.
“These issues were known at a very junior level in the organisation, and your worldview as an analyst in the IT shop is going to be completely different to your worldview as a chief executive – you’re just going to see things differently, you’re going to interpret things differently…
“The big issue here for Dr McLiesh going forward is to make sure the organisation is more strongly connected between those two parts and she’s already done a whole heap of things to ensure that that’s the case.”
Since the incident, McLiesh had appointed a member of the Treasury’s executive leadership team to personally oversee the security of the Budget process, while implementing new quality assurance measures and security policies.
“The Budget is a core priority of the Treasury and what happened should never happen again,” McLiesh said.
Bestwick confirmed she had spoken to Makhlouf as part of her inquiry, but would not comment on his response to the findings.
Responding to the findings, National’s finance spokesman Paul Goldsmith said Finance Minister Grant Robertson needed to take responsibility for Treasury’s “extensive failures” and apologise for suggesting that National had gained the Budget information as the result of a hack.
“Mr Robertson swallowed the lines of his agency. He accepted their excuses, didn’t ask the right questions and even when it became clear he was wrong – he then doubled down,” Goldsmith said.
“This is one of the biggest failures in Treasury’s history and it happened under his watch.”