ON AIR: The Country

12PM - 1PM

Budget hack report finds Makhlouf's actions were unbiased but unreasonable

Derek Cheng, NZ Herald,
Publish Date
Thursday, 27 June 2019, 10:11AM

An investigation into Treasury boss Gabriel Makhlouf has found that he acted in good faith and without political bias, but his actions were not reasonable and he should have taken more personal responsibility.

State Services Commissioner Peter Hughes and Deputy Commissioner John Ombler, who conducted the investigation, released the findings of the report today, which is Makhlouf's last day at work before he takes up a position as head of Ireland's Central Bank.

The Ombler report said that Makhlouf acted in good faith, reasonably, and there was no evidence that he deliberately misled Finance Minister Grant Robertson or orchestrated a hit job on the National Party.

His decision to refer the matter to police also showed no evidence of political influence.

But the words in his statement that he released on Tuesday May 28, his subsequent media interview about likening the incident to a persistent attack on a bolted door, and his statement on the morning of the Budget, on May 30, fell short of the standards of a public service chief executive.


Hughes said he was disappointed in Makhlouf, especially because of the breach of the Treasury's website.

"The breach of security around the Budget documents should never have happened, under any circumstances," Hughes said.

"The right thing to do here was to take personal responsibility for the failure, irrespective of the actions of others and to do so publicly. He did not do that."

The report does not make any findings in relation into whether Makhlouf's actions warranted his sacking.

Makhlouf has come under heavy criticism for a statement that he released on Tuesday May 28 and his statements to media on the following morning about confidential Budget 2019 information that had been accessed.

Earlier that day, the National Party had released a trickle of Budget information - two days before Budget day.

Makhlouf's statement said that the Treasury computer system has been deliberately and systematically hacked, and that he had referred the matter to police on the advice of the national cybersecurity unit in the Government Communications Security Bureau.

The reference to the GCSB heightened speculation that a foreign power had targeted the Treasury, but the GCSB contacted Ministers and the Prime Minister's office soon after the statement was released to say that no hacking had occurred, and it should be called unauthorised access.

The GCSB had also told a Treasury staffer before the statement was released that it was not an issue for the national cybersecurity unit.

The Ombler report revealed that the GCSB cybersecurity unit contacted police before Makhlouf's statement was released to say that it was unsure whether an offence had taken place.

An 9pm, an hour after Makhlouf released his statement, GCSB boss Andrew Hampton texted Makhlouf to say that it wasn't a "hack" and he needed to correct his statement. This was followed by a call to the Treasury communications team to discuss why the GCSB wasn't consulted on the Makhlouf statement.

Makhlouf called Hampton back to discuss their different views on the word "hack".

The following morning, on Wednesday May 29, Makhlouf likened the incident to someone accessing information in a locked room after persistently attacking the lock thousands of times until it broke.

The Ombler report said that Makhlouf focused more on the actions of the searchers of the Treasury website than his own personal responsibility as chief executive for the failure of the Treasury systems.

It said he should have sought more advice before referring the matter to police.

"In my view, it was not managed well by Mr Makhlouf. It was a clumsy response to a serious issue and is not what I expect of an experienced chief executive.

"Mr Makhlouf is responsible for that and I'm calling it out."

While what had happened was not definitively clear until the afternoon on Wednesday, May 29, there were indications that the Treasury had been at fault and its website security had been inadequate - even though it had been tested just days beforehand.

The Ombler report said that an hour before referring the matter to police, at 5.05pm on Tuesday, May 28, Treasury officials told Makhlouf that using the search function on the Treasury website had led to accessing the Budget information - though it was still unclear what had been accessed or whether there were other sources.

When National leader Simon Bridges finally revealed how the party staffers had obtained the Budget information, he said it was as if the information was in a public street with a "free to a good home" sign on it.

He said at the time that the Treasury knew how the breach had occurred because the party's access to confidential Budget information had been shut down at 2pm on Tuesday, May 28.

The Treasury released a statement at 5am on Thursday, May 30, saying that police had advised that nothing illegal had happened.

The Ombler report also criticised this statement, saying it continued to focus on the conduct of those searching the Treasury website rather than the Treasury's failure to keep Budget information confidential.

The State Services Commission has no jurisdiction over Ministers and the Ombler report made no finding about Ministers' conduct.

The Government has come under fire for not releasing the GCSB advice that there was no hack until the Treasury put out a statement at 5am on Thursday, May 30 - the morning of Budget day.

This was 12 and a half hours after public service bosses and Robertson were given a definitive account of how the information breach had occurred, and about 33 hours after Makhlouf's first statement about hacking had been released.

The Treasury's statement on Thursday, May 30, included police advice that nothing illegal appeared to have happened, and that the State Services Commission will look into the adequacy of Treasury's website security.

Prime Minister Jacinda Ardern has defended not releasing the GCSB advice by saying there was a police investigation underway, and a full picture of what had happened had still not emerged. Once it had, on the afternoon of Wednesday, May 29, it was up the Treasury to put out a statement.

Bridges accused senior Ministers of deliberately leaving the false impression that the National Party had illegally hacked the Treasury, but the Ombler report did not address this.

Bridges has called for Makhlouf and Robertson to resign for smearing the National Party.

Robertson released a statement about 16 minutes after Makhlouf's statement went out on Tuesday, May 28, in which he repeated Makhlouf's statement about hacking, and linked it to the Budget information that the National Party had already released.

Robertson has defended this statement but saying he was relying on advice from Makhlouf.


Tuesday, May 28

• 10:01am: In a press release, National publishes what it claims to be details of the 2019 Budget

• 11:30am: Finance Minister Grant Robertson confirms some of the details in National's release are from Budget 2019

• Afternoon: National releases more Budget details

• 1.04pm: Treasury official texts Treasury boss Gabriel Makhlouf to say that the information may have come from the Treasury website.

• 2pm: National says its method of accessing the Budget information on the Treasury website is closed down.

• 3pm: Treasury crisis management team mmets.

• 5.05pm: Treasury officials tell Makhlouf the information may have come from searching the website.

• 5.32pm: Treasury calls GCSB cybersecurity hotline.

• Before 6pm: The Treasury asks the cybersecurity unit of the Government Communications Security Bureau about how confidential information on its website was accessed. The GCSB says the Treasury's computer network was not compromised, and the matter should be referred to the police, given that it's not what the GCSB normally responds to

• 6pm: Treasury Secretary Gabriel Makhlouf refers the matter to the police

• 7pm to 7:15pm: Makhlouf meets Robertson in his Beehive office and tells him that he has called in the police. Robertson says that Makhlouf described it as 2000 attempts to "hack" the system. Meeting is later attended by Jacinda Ardern's chief press secretary Andrew Campbell and deputy chief of staff Raj Nahna.

• 8:02pm: The Treasury issues a press release saying it has "sufficient evidence" that it had been "deliberately and systematically hacked". It cites the GCSB advice in saying it has been referred to the police.

• 8:19pm: Robertson issues a press release, asking National not to release any further information because "the material is a result of a systematic hack".

• 8:43pm: The GCSB contacts the office of GCSB Minister Andrew Little to say it doesn't believe any systematic hacking took place. Little is in a meeting. The GCSB contacts the Department of Prime Minister and Cabinet to pass on its concerns, and Ardern is told soon afterwards.

Wednesday May 29

• 7:04am: Makhlouf tells media there had been 2000 attempts to access the Treasury's system in 48 hours. He refers to it once as a hack in another media interview.

• 9am: Simon Bridges strongly denies the information released by National came into its possession unlawfully, but refuses to say how it was obtained. Says it is a "lie" to say the Treasury was hacked.

• 4.30pm: How the information breach occurred becomes clear and public sector bosses and Robertson are told. Police advice is that nothing illegal appears to have happened. Ardern is told about 6pm.

Thursday May 30

• Thursday, 5am: Treasury releases police advice. State Services Commission, at Makhlouf's invitation, launches inquiry into how the Treasury's Budget information was accessed.

• 8:45am: Simon Bridges fronts a press conference where he outlines how National used a simple search function to get the info. He says the Treasury has "sat on a lie" and calls for Makhlouf and Robertson to resign for smearing the National Party.

Friday May 31

• Paula Bennett writes to SSC, asking for it to investigate Makhlouf and Robertson and whether they have acted appropriately.

Tuesday June 4

• 4:30pm: State Services Commissioner Peter Hughes announces new investigation into whether Makhlouf misled the Government, to be conducted by Deputy State Services Commissioner John Ombler.

Friday June 7

• Herald reveals that the GCSB urgently contacted the Beehive to object to the language being used to describe what happened as "systematic hacking".

Monday June 10

• Ardern says that no Ministers learned about the GCSB advice until after the statements about hacking had been released on May 28. National says that Ministers still spent 33 hours "sitting on a lie" and should have released the GCSB advice as soon as they were told about it. Ardern says it was appropriate not to as police were looking into the incident at the time, and a full picture of what had happened did not emerge until later.

Thursday June 27

• Ombler report critical of Makhlouf is released, though his actions are not deemed sackable. It is Makhlouf's last day at the Treasury before he leaves to take up a position as head of the Irish Central Bank.


ON AIR: The Country

12PM - 1PM