The Timaru Herald

Website security slammed

- Thomas Coughlan

Poor web design led to Treasury’s embarrassing ‘‘Budget hack’’ of 2019, when the National Party was able to access pages of sensitive Budget information days before it was formally released.

This was the conclusion of a State Services Commission inquiry into Treasury’s security systems, commissioned after the hack and released yesterday.

These same vulnerabilities also existed in the website for the 2018 Budget, which also could have been ‘‘hacked’’ any time up to two weeks before the Budget was delivered that year.

State Services Commissioner Peter Hughes said the data breach, labelled a ‘‘hack’’ by outgoing Treasury Secretary Gabriel Makhlouf, was ‘‘not acceptable’’.

‘‘This should never have happened,’’ Hughes said.

‘‘Some things are so critical that they can never be allowed to fail. Security of the Budget is one of these,’’ he said.

The website for the Budget was not itself accessible before Budget day, but the website’s text was indexed for Treasury’s search bar, meaning someone who used the search function on Treasury’s website could access Budget sensitive information.

These problems go back to June 2014, when Treasury began looking at replacing its website.

Treasury’s new Budget website, launched in 2018, was based on what is called a ‘‘vaulted clone’’ model. This is a completely separate but identical Treasury website where Budget information is uploaded prior to Budget day, but is not ‘‘live’’ on the internet.

When the Budget embargo lifts at 2pm on Budget day, the live Treasury website and the vaulted clone are switched, allowing people to access the Budget.

The inquiry found that ‘‘at some point’’ during the design of the website the index function, which powers Treasury’s search engine, was merged with the index function on the clone site. This meant that it indexed both the live and the clone versions of the website, making both available on the open internet.

The key findings of the review were that a ‘‘series of technical decisions’’ led to a design in Treasury’s search function that allowed sections of the Budget to be accessible.

It also found that governance and oversight at Treasury fell short and that risk management and ‘‘processes’’ were not good enough.

‘‘Sometimes doing your best is not enough,’’ Hughes said.

KEVIN STENT/STUFF Under-fire Treasury boss Gabriel Makhlouf, right, arrives at last year’s Budget lockup at Parliament.
