Review finds Treasury website redesign in 2014 led to Budget 2019 botch-up

An investigation into how Budget-sensitive material was accessed by the National Party has revealed a Treasury website redesign project dating back to 2014 led to the 2019 botch-up. 

The inquiry, led by Jenn Bestwick, has found that the "root of the incident goes back to June 2014" when the Treasury "initiated a procurement process" for a new web hosting platform. 

The review found, "A key requirement of the new system was the inclusion of increased content management and search functionalities". 

The review was launched following revelations the National Party obtained sensitive Budget 2019 information from Treasury's website ahead of its official release date in May 2019 - simply by searching for the data. 

The base platform for the new Treasury website wasn't built until 2017 and by June that year a 'Budget Day scenario' was left out of the project, leaving it without a proper platform for the Budget to be published. 

A scramble left Treasury creating a quick fix for the 2018 Budget - a website "clone", or a replica of the new Treasury website - but the clone and the live site were linked via a "shared index function". 

The use of a shared index for both the cloned and live Treasury websites meant that when a search term was entered by a user, the website returned data held in the clone site with the setting of "published". 

Ultimately, a series of technical decisions led to a design of the Treasury website's search function that allowed access to Budget 2019 information. That design also existed in Budget 2018, but there were no security breaches at the time. 
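The shared-index failure described above, as an added illustration that is not taken from the review or from Treasury's systems: a search that checks only the "published" setting, beside a version scoped to the serving site and an embargo time, plus a pre-release audit. The field names, site labels, sample documents and dates are all constructed for this sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Doc:
    doc_id: str
    site: str             # "live" or "clone" (labels assumed for this sketch)
    status: str           # CMS workflow state, e.g. "published" or "draft"
    release_at: datetime  # embargo time (assumed field)
    text: str

UTC = timezone.utc
EMBARGO = datetime(2019, 5, 30, tzinfo=UTC)         # constructed release time
BEFORE_RELEASE = datetime(2019, 5, 28, tzinfo=UTC)  # constructed "now"

# Constructed sample: one index holding documents from both sites.
SHARED_INDEX = [
    Doc("live-1", "live", "published", datetime(2018, 5, 17, tzinfo=UTC),
        "Budget 2018 summary tables"),
    Doc("clone-1", "clone", "published", EMBARGO, "Budget 2019 summary tables"),
    Doc("clone-2", "clone", "draft", EMBARGO, "Budget 2019 speech draft"),
]

def _matches(doc, term):
    return term.lower() in doc.text.lower()

def search_shared(index, term):
    """Design described in the review: only the "published" setting is checked."""
    return [d.doc_id for d in index if d.status == "published" and _matches(d, term)]

def search_scoped(index, term, site, now):
    """Hardened: restrict to the serving site and enforce the embargo per query."""
    return [d.doc_id for d in index
            if d.site == site and d.status == "published"
            and d.release_at <= now and _matches(d, term)]

def audit_exposure(index, site, now):
    """Pre-release check: published entries a public search on `site` must not return."""
    return sorted(d.doc_id for d in index
                  if d.status == "published"
                  and (d.site != site or d.release_at > now))

if __name__ == "__main__":
    print(search_shared(SHARED_INDEX, "budget 2019"))
    print(search_scoped(SHARED_INDEX, "budget 2019", "live", BEFORE_RELEASE))
    print(audit_exposure(SHARED_INDEX, "live", BEFORE_RELEASE))
```

Running the audit before each release window shows which staged documents a shared index would hand to the public search, even when the query path itself has not been changed.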

"This should not have happened," State Services Commissioner Peter Hughes said on Friday. "Some things are so critical that they can never be allowed to fail. Security of the Budget is one of these."

The investigation found that the Treasury was facing "ever increasing demands for greater volume and more complex Budget products". 

It said critical decisions were being made "for expediency's sake, in the absence of consideration of the wider organisation and security risk". 

Treasury Secretary Dr Caralee McLiesh, State Services Commissioner Peter Hughes and inquirer Jenn Bestwick. Photo credit: Newshub / Zane Small

The inquiry has found that governance and oversight at the Treasury's executive level "fell short" and risk management processes around Budget 2019 were "not good enough". 

Hughes said while the Treasury has an "excellent reputation... sometimes your best is not good enough" and that "some things you just need to get right". 

He said he is confident that the new Secretary of the Treasury Dr Caralee McLiesh "will provide the leadership to deliver the necessary changes to ensure this doesn't happen again". 

Dr McLiesh has appointed one of her executive team members to personally oversee the security of the Budget and is implementing new security measures. 

The review had been led by former Deloitte NZ CEO Murray Jack, but it was revealed in November that a member of his team failed to declare a conflict of interest, and the investigation was terminated.

A fresh investigation was then launched by a new inquirer, Jenn Bestwick. The review looked into how National had been able to obtain the information on Treasury's website.  

Bestwick's review is separate from another one led by Deputy State Services Commissioner John Ombler, who looked into whether Treasury misled Finance Minister Grant Robertson before he issued a public statement echoing the Treasury's stance that it had been hacked.

It led to former Treasury Secretary Gabriel Makhlouf's public apology in June 2019 over his handling of the scandal after Peter Hughes labelled his actions "clumsy".

Hughes said Makhlouf "did not act reasonably" in his use of the phrase "deliberate and systematically hacked" in a media statement on May 28, after the National Party released the Budget material.

It turned out National had simply used a search tool on the Treasury website to uncover the classified material - no hacking involved.

In June 2019, it was revealed Treasury knew for certain it had not been hacked for about 12 hours before issuing a public statement to clarify.