Wellington, May 30, 2019
Treasury details how someone with a Parliamentary IP address found bits of Budget 2019 with search queries. It says that the searches were not unlawful and the Police hunt for a ‘hacker’ has been called off, while an inquiry will be launched into the Treasury IT flaw.
Treasury announced this morning that the Police have called off their inquiry into hacking of Budget 2019 information after telling Treasury the “deliberate, exhaustive and sustained attempts to gain unauthorised access to embargoed data” were not unlawful.
Treasury said that one of the IP addresses used in the searches was from the Parliamentary Service.
The State Services Commission said it had launched an Inquiry into how Budget 2019 material was accessed at the Treasury, but that it would be limited to state servants.
Simon Bridges’ accusations
National Leader Simon Bridges accused Treasury yesterday of “bumbling incompetence” and said that National had done nothing unlawful or inappropriate in obtaining Budget details it released on Tuesday (May 28).
He has called a news conference for 8.45 this morning to give more details on how the information was obtained.
Bridges accused Finance Minister Grant Robertson on Wednesday (May 29) of connecting the police inquiry into the ‘hack’ to National in a way designed to smear the Opposition and has called on him to resign.
Robertson announced on Tuesday evening that Police had been called in after National’s release of information and he asked National not to release more information, “given that the Treasury said they have sufficient evidence that indicates the material is a result of a systematic hack and is now subject to a Police investigation.”
Bridges said the suggestion from Robertson that National had ‘hacked’ Treasury was a scurrilous accusation and a “democratic outrage.”
The latest from Treasury
Treasury said this morning it had worked with GCSB’s National Cyber Security Centre to establish the following facts:
(a) As part of its preparation for Budget 2019, the Treasury developed a clone of its website
(b) Budget information was added to the clone website as and when each Budget document was finalised
(c) On Budget Day, the Treasury intended to swap the clone website to the live website so that the Budget 2019 information was available online.
(d) The clone website was not publicly accessible
(e) As a part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase
(f) The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site
(g) As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents
(h) A large number (approximately 2000) of search terms were placed into the search bar looking for specific information on the 2019 Budget
(i) The searches used phrases from the 2018 Budget that were followed by the “Summary” of each Vote
(j) This would return a few sentences – that included the headlines for each Vote paper – but the search would not return the whole document
(k) At no point were any full 2019/20 documents accessible outside of the Treasury network.
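The shared-index behaviour in points (e) to (g), as an added illustration that is not Treasury's code: a constructed model in which `Site`, `clone_site`, `search` and `orphaned_entries` are hypothetical names and all page text is made up. It sets the copied index setting beside a separate index, and adds an audit that flags index entries the live site does not itself serve.

```python
from dataclasses import dataclass, field

@dataclass
class Site:
    name: str
    index: list                                  # where this site's search index "resides"
    pages: dict = field(default_factory=dict)    # url -> text served by this site

    def publish(self, url, text):
        self.pages[url] = text
        self.index.append({"site": self.name, "url": url, "text": text})

def clone_site(live, name, own_index):
    # Copying every setting also copies the index location (point f).
    # own_index=True is the corrected setup: the clone gets a separate index.
    return Site(name, [] if own_index else live.index)

def search(site, phrase, width=30):
    """Return the text surrounding the phrase for each indexed hit (point e)."""
    hits = []
    for entry in site.index:
        pos = entry["text"].lower().find(phrase.lower())
        if pos >= 0:
            start = max(0, pos - width)
            hits.append(entry["text"][start:pos + len(phrase) + width])
    return hits

def orphaned_entries(site):
    """Audit: index entries with no corresponding page served by this site."""
    return [e["url"] for e in site.index if e["url"] not in site.pages]

def demo(own_index):
    # Constructed sample content, not real Budget text.
    live = Site("live", [])
    live.publish("/2018/vote-a", "Vote A Summary: constructed 2018 text.")
    clone = clone_site(live, "clone", own_index)
    clone.publish("/2019/vote-a", "Vote A Summary: constructed embargoed 2019 text.")
    return search(live, "Vote A Summary"), orphaned_entries(live)

if __name__ == "__main__":
    for own_index in (False, True):
        snippets, orphans = demo(own_index)
        print("separate index:", own_index, "| live snippets:", snippets,
              "| unpublished entries in live index:", orphans)
```

Running the `orphaned_entries` check against the live index before any embargoed content is loaded into a clone is the kind of pre-publication test that would surface this class of misconfiguration.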
Deliberate and persistent
Treasury said this showed “deliberate, systematic and persistent searching of a website that was clearly not intended to be public.”
It said the search queries were intended to produce results that would disclose embargoed Budget information.
Three IP addresses were identified that performed about 2000 searches over 48 hours, which pieced together the small amount of content available via the search tool. The IP addresses involved belonged to the Parliamentary Service, 2degrees and Vocus, the Treasury said.
The searches ultimately led to unauthorised access to small amounts of content from the 2019/20 Estimates documents, Treasury said, adding none of the information was due to be available to Parliament and the public until Budget Day.
‘Our systems are susceptible’
Treasury Secretary Gabriel Makhlouf thanked the Police in the statement.
“In my view, there were deliberate, exhaustive and sustained attempts to gain unauthorised access to embargoed data. Our systems were clearly susceptible to such unacceptable behaviour, in breach of the long-standing convention around Budget confidentiality, and we will undertake a review to make them more robust,” he said.
He added that the Treasury took immediate steps on Tuesday (May 28) to increase the security of all Budget-related information.
He said he had asked the State Services Commissioner to conduct an inquiry in order to look at the facts and recommend steps to prevent such an incident being repeated.
State Services Commissioner Peter Hughes put out a statement shortly afterwards confirming the Inquiry into “the adequacy of Treasury policies, systems and processes for managing Budget security.”
“Unauthorised access to confidential budget material is a very serious matter,” he said.
Hughes said there was no evidence of a system-wide issue, but he had asked Andrew Hampton, the Government Chief Information Security Officer, to work with the Government Chief Digital Officer, Paul James, to provide assurance that information security across the Public Service was sound.
The statement said the Commissioner’s jurisdiction was confined to State servants.
Bernard Hickey is Pro Editor at Newsroom based in Wellington. The above story, which appeared on the Newsroom website today, has been published under a Special Agreement.