SSC inquiry finds Treasury at fault
The State Services Commissioner released:
The Commissioner said the Treasury’s failure to keep Budget sensitive information secure was not acceptable.
“This should not have happened,” said Mr Hughes. “Some things are so critical that they can never be allowed to fail. Security of the Budget is one of these.”
The inquiry found:
A series of technical decisions led to a design in the Treasury website search function, which allowed access to Budget 2019 information. The design also existed in the 2018 Budget, though there were no security breaches.
Governance and oversight at the Treasury’s executive level fell short
Risk management processes around Budget 2019 were not good enough
Concerns about security risks existed but were not escalated.
Mr Hughes said the Treasury has an excellent reputation as New Zealand’s lead advisor to the Government on economic and fiscal policy, with very good people doing their best.
“But sometimes doing your best is not enough,” said Mr Hughes. “Some things you just need to get right. Each and every time. For these you need to check, check and check again and that didn’t happen with security around Budget 2019.
“Senior leadership at the Treasury were rightly focused on the big economic and fiscal issues which are important to New Zealanders and the Government. That is what I expect. But they got the balance wrong. The Treasury’s core business is also delivering the Budget and I’m disappointed the senior leadership were not hands-on enough in that task.
So it wasn’t a super duper hack by National. It was bad design by Treasury. It seems the 2018 Budget information could also have been accessed in advance in the same way.