NZ Treasury errors led to budget leak, inquiry finds

A series of failures at New Zealand’s Treasury – including a shortfall in governance, oversight and risk management processes – led to sensitive budget material being accessible on its website, an inquiry has found.
The inquiry was launched after budget information was published by the opposition National Party two days before the 2019 budget was to be announced on 30 May. Former Treasury secretary Gabriel Makhlouf said at the time that Treasury systems had been “deliberately and systematically hacked”, and referred the matter to the police. However, it emerged soon afterwards that the information had been published accidentally by Treasury staff and was accessible via the search function on the department’s website.
The inquiry found that technical decisions led to a design fault in the website’s search function, and that concerns about security risks were not acted on. It also found that risk management processes around the 2019 budget were inadequate, and that governance and oversight at the Treasury’s executive level fell short.
“This should not have happened,” New Zealand’s state services commissioner, Peter Hughes, said last week as he announced the findings of the inquiry. “Some things are so critical that they can never be allowed to fail. Security of the budget is one of these.”
In-built weaknesses
According to the inquiry, the incident originated from decisions made when a new Treasury website was commissioned in 2014. Due to time and cost pressures, the ‘Budget Day Scenario’ (BDS) – a collection of processes used to publish the budget and associated material – was cut from the scope of the project. This work was reinstated in the run-up to the 2018 budget announcement, but led to a “rushed, sub-optimal solution” that allowed people to access headlines and snippets of text containing sensitive information. The inquiry found that while there is nothing to suggest a security breach occurred in 2018, between 25 and 28 May 2019, three IP addresses were used to conduct 1,923 searches on the Treasury website, and the material gathered as a result was publicly released ahead of budget day.
“It appears there were a number of areas where the Treasury didn’t follow either its own policies or best practice guidelines. The inquiry considers there were a number of failures to follow commonly accepted public sector practices that contributed to the incident,” the report said.
The inquiry said the Treasury did not have effective governance or senior oversight processes or systems in place to oversee the budget process from end-to-end, resulting in known risks not receiving appropriate consideration.
It found that poor application of the Treasury’s standard risk management tools contributed to the decisions to exclude the BDS from the scope of the web design project. And when it was reinstated, the “devolved nature of management decision-making” meant Treasury teams made decisions about the appropriateness of the solution without seeking, or without being able to gain, senior level approval.
The report also said the organisation “has faced ever-increasing demands for greater volume and more complex budget products”. This resulted in managers and teams “feeling they had no option but to deliver whatever was requested of them, irrespective of the impact on resourcing and potential organisational risk”, and led to critical decisions being made “for expediency’s sake, in the absence of consideration of the wider organisation and security risk”.
Doing your best is not enough
Hughes said the Treasury has an excellent reputation as New Zealand’s lead adviser to the government on economic and fiscal policy, with very good people doing their best – but that sometimes “doing your best is not enough”.
“Some things you just need to get right. Each and every time. For these you need to check, check and check again, and that didn’t happen with security around budget 2019.
“Senior leadership at the Treasury were rightly focused on the big economic and fiscal issues which are important to New Zealanders and the government. That is what I expect. But they got the balance wrong. The Treasury’s core business is also delivering the budget and I’m disappointed the senior leadership were not hands-on enough in that task.”
Improvements implemented
Dr Caralee McLiesh, who became the new Treasury secretary in September 2019, said she accepted the inquiry’s findings and that many changes identified in the inquiry report have already been implemented.
These include the appointment of a member of the Treasury executive leadership team to personally oversee the security of the budget; the implementation of new quality assurance measures around all aspects of the budget process, including new security and testing policies; and steps being taken to ensure a new budget website will be fully and comprehensively tested prior to the announcement of the budget.
McLiesh said the production process for the 2020 budget is robust and secure, and in line with best practice and the appropriate guidance and standards. “The budget is a core priority of the Treasury and what happened should never happen again,” she said.
Makhlouf, who is now governor of the Central Bank of Ireland, is not mentioned in the inquiry report. He was the subject of a separate government investigation, the results of which were published in June 2019. It found that his handling of the incident had been “clumsy” but that he had acted in good faith.
The initial inquiry into the breach began in June last year, but was terminated and had to be started again in November after it was discovered that one of the investigators had failed to disclose a conflict of interest.