Police have advised the Treasury an unknown person or persons appear to have exploited a feature in the website search tool, but that does not appear to be unlawful.
On Tuesday, National leader Simon Bridges revealed details of the Wellbeing Budget - two days before the official announcement. Finance Minister Grant Robertson admitted some of the information was correct.
- 'He's lying': Simon Bridges lashes out at Grant Robertson after hack claims
- 'Multiple and persistent' attempts to access Treasury systems - chief executive
- Simon Bridges accuses Grant Robertson of smear job
Later that evening, Treasury, which has access to Budget information, released a statement saying there was sufficient evidence to show its systems had been deliberately and systematically hacked.
Treasury head Gabriel Makhlouf said there had been 2000 attempts at attacking the Treasury's system in 48 hours.
But on Thursday, Treasury released a statement saying that they had been advised by police that on available information it appeared someone had "exploited a feature in the website search tool", which "does not appear to be unlawful".
Treasury said that as part of its preparation for the Budget, it had developed a clone of its website and Budget information was added to the cloned website "as and when each Budget document was finalised".
"On Budget Day, the Treasury intended to swap the clone website to the live website so that the Budget 2019 information was available online".
But the clone website had not been publicly accessible, according to Treasury.
Newshub earlier learnt that the usual process for loading Budget documents online is to use what's called a User Acceptance Testing (UAT) website, a test site that allows users to try out content online before it goes live to the public.
"As part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase," said the statement from Treasury.
"The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site."
The statement said as a result, a specifically-worded search would be able to surface "small amounts of content from the 2019/20 Estimates documents".
Approximately 2000 search terms were placed into the search bar looking for specific information about the Budget, which would return a few sentences of information, but not the whole document.
"At no point were any full 2019/20 documents accessible outside of the Treasury network."
Three IP addresses were identified that performed approximately 2000 searches over a period of 48 hours. These belonged to the Parliamentary Service, 2degrees and Vocus.
"The nature of these searches ultimately led to unauthorised access to small amounts of content from the 2019/20 Estimates documents, none of which were due to be available to Parliament and the public until Budget Day."
No further action was planned by police, but Treasury Secretary Gabriel Makhlouf said it showed that their systems were susceptible to unacceptable behaviour.
The State Services Commissioner has been asked by the Secretary to conduct an inquiry and confirmed on Thursday it would undertake one.
"This is a matter of considerable public interest and I will have more to say as soon as I am in a position do so," said States Services Commissioner Peter Hughes.