Treasury should ask for a refund
The Herald reports:
The Treasury’s website was tested for any security issues five days before the National Party released Budget 2019 information that it had gleaned from the website. …
In answers to written questions from National’s finance spokeswoman Amy Adams, Robertson said the Treasury website was given a “Technology Risk Management Internal Audit” by Ernst & Young in February 2018.
“As part of Treasury’s C+A (certification and accreditation) process, all public internet facing systems and websites are independently penetration tested before they are authorised to operate,” Robertson said.
Penetration testing was completed for all of the websites hosted by the Treasury during 2016 and 2017, and the Treasury’s public website was tested again in April 2018 and May 2019.
So the expensive fancy penetration testing didn’t include checking if the website’s own search engine was indexing hidden files.