Issued Thursday 30 May 2019 at 5.05am:
Following Tuesday’s referral, the Police have advised the Treasury that, on the available information, an unknown person or persons appear to have exploited a feature in the website search tool but that this does not appear to be unlawful. They are therefore not planning further action.
In the meantime, the Treasury and GCSB’s National Cyber Security Centre have been working on establishing the facts of this incident. While this work continues, the facts that have been established so far are:
- As part of its preparation for Budget 2019, the Treasury developed a clone of its website.
- Budget information was added to the clone website as and when each Budget document was finalised.
- On Budget Day, the Treasury intended to swap the clone website to the live website so that the Budget 2019 information was available online.
- The clone website was not publically accessible.
- As part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase.
- The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site.
- As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents.
- A large number (approx. 2,000) of search terms were placed into the search bar looking for specific information on the 2019 Budget.
- The searches used phrases from the 2018 Budget that were followed by the “Summary” of each Vote.
- This would return a few sentences – that included the headlines for each Vote paper – but the search would not return the whole document.
- At no point were any full 2019/20 documents accessible outside of the Treasury network.
The evidence shows deliberate, systematic and persistent searching of a website that was clearly not intended to be public. Evidence was found of searches that were clearly intended to produce results that would disclose embargoed Budget information. Three IP addresses were identified that performed (in the Treasury’s estimation) approximately 2,000 searches, over a period of 48 hours, which pieced together the small amount of content available via the search tool. The IP addresses involved belonged to the Parliamentary Service, 2degrees and Vocus.
The nature of these searches ultimately led to unauthorised access to small amounts of content from the 2019/20 Estimates documents, none of which were due to be available to Parliament and the public until Budget Day.
In light of this information, Secretary to the Treasury Gabriel Makhlouf said, “I want to thank the Police for their prompt consideration of this issue. In my view, there were deliberate, exhaustive and sustained attempts to gain unauthorised access to embargoed data. Our systems were clearly susceptible to such unacceptable behaviour, in breach of the long-standing convention around Budget confidentiality, and we will undertake a review to make them more robust.”
The Treasury took immediate steps yesterday to increase the security of all Budget-related information. Mr Makhlouf has now asked the State Services Commissioner to conduct an inquiry in order to look at the facts and recommend steps to prevent such an incident being repeated.