‘Not their finest hour’ – Inquiry slams Treasury's senior leadership over 2019 Budget breach

But the investigation into the data breach found the then Treasury secretary acted in good faith.

The Treasury’s senior leadership during the 2019 Budget data breach has been rebuked in an inquiry – finding failures to “pay attention” to core operations of the department.

“This was certainly not their finest hour,” State Service Commissioner Peter Hughes said today.

“This should not have happened. Some things are so critical that they can never be allowed to fail. Human beings make mistakes… but this is an area where we should not accept mistakes, I don’t expect to see this happen again.”

It found governance and oversight at Treasury’s executive level “fell short”, risk management processes were not good enough and security concerns around risk existed “but were not escalated”.

Failure of senior leaders resulted in “extreme pressure on Treasury staff”, heightened risk in the lead up to the Budget and increased time pressure.

The Budget saga of 2019 saw sensitive Treasury material released early by the National Party after an error in the search function was utilised.

Then-Treasury Secretary Gabriel Makhlouf told media and the Government it was “deliberately and systematically hacked”.

A June 2019 investigation by the State Services Commission (SSC) found Makhlouf’s actions were "a clumsy response to a serious issue".

When asked if there had been repercussions for members of the leadership team, aside from Mr Makhlouf, Mr Hughes today said there had been “comings and goings” – but would not say if there had been repercussions for the failures.

“I won’t do anyone’s performance review in public, sorry, I won’t do it.”

The inquiry led by Jenn Bestwick found “a series of technical decisions” that led to the Budget information able to be accessed. The design flaw there ahead of the 2018 Budget as well.

It said vulnerability “was further exacerbated by a reported organisational belief that work on core business operations is less valued or important than policy work”.

The inquiry itself has not been without its own problems, after it was compromised and shut down in November last year.

A key member of the investigation failed to admit a conflict of interest. Mr Hughes removed lead Murray Jack and replaced him with Ms Bestwick.

New Treasury Secretary Dr Caralee McLiesh had implemented changes to address security issues found in the inquiry, Mr Hughes said.

The inquiry is expected to cost about $150,000, $100,000 lower than estimated last November.

Background

Treasury said in a statement on May 28, 2019 it had gathered enough evidence that its systems had been "deliberately and systematically hacked", after National released parts of the Budget that day. It referred the matter to police.

Finance Minister Grant Robertson then released a statement saying the release of the material was “extremely serious and is now a matter for the police", as well as urging the National Party to not release any more of the information.

On May 31, the day of the official Budget release, Treasury confirmed a feature in its website search tool was exploited by an unknown person or persons, and police concluded this did not break the law.

In June, 2019 an investigation was launched by SSC, led by deputy State Services Commissioner John Ombler.

The investigation found then-Treasury Secretary Gabriel Makhlouf’s handling of the Budget saga was "a clumsy response to a serious issue".

The investigation found he acted in good faith in his advice to the Finance Minister and referring the matter to the police.

SHARE ME

More Stories