New Zealand budget details leaked due to website sloppiness, not hackers

New Zealand budget details leaked due to website sloppiness, not hackers

What a difference a few days can make.

Earlier this week, the New Zealand government was claiming that it had suffered a “deliberate and systematic” hacking attack that resulted in budget details ending up in the hands of its political opponents.

Read on to find out how the story changed, and it appears no illegal hacking took place at all.

Sign up to our free newsletter.
Security news, advice, and tips.

Tuesday 28 May, 2019

New Zealand’s National Party published secret details of the government’s upcoming “wellbeing” budget, two days ahead of its scheduled release, but refused to give any details of how it came across them.

Police are called in to investigate the leak by New Zealand’s Treasury Secretary Gabriel Makhlouf.

Wednesday 29 May, 2019

New Zealand’s Treasury said its systems had been “deliberately and systematically hacked”.

Makhlouf told Radio New Zealand that his department had identified “multiple and systematic attempts to gain unauthorised access” to its systems, offering the figure of 2000 attempts to access budget-related material in a 48 hour period.

National MP Michael Woodhouse described the suggestion that the information had been hacked from government systems as “ludicrous.”

Thursday 30 May, 2019

The New Zealand Treasury issued a statement, confirming that the police had already closed their investigation, and retracting claims that a hack had occurred:

Following Tuesday’s referral, the Police have advised the Treasury that, on the available information, an unknown person or persons appear to have exploited a feature in the website search tool but that this does not appear to be unlawful. They are therefore not planning further action.

So, what actually happened? Here’s the Treasury’s explanation:

  • As part of its preparation for Budget 2019, the Treasury developed a clone of its website.
  • Budget information was added to the clone website as and when each Budget document was finalised.
  • On Budget Day, the Treasury intended to swap the clone website to the live website so that the Budget 2019 information was available online.
  • The clone website was not publically accessible.
  • As part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase.
  • The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site.
  • As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents.
  • A large number (approx. 2,000) of search terms were placed into the search bar looking for specific information on the 2019 Budget.
  • The searches used phrases from the 2018 Budget that were followed by the “Summary” of each Vote.
  • This would return a few sentences – that included the headlines for each Vote paper – but the search would not return the whole document.
  • At no point were any full 2019/20 documents accessible outside of the Treasury network.


If you leave sensitive content open for *anyone* to stumble across by simply doing a search on a website that is accessible to the public then you only have yourself to blame!

Be careful what information you put on a test or staging website if it’s accessible to the rest of the world.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.