New Zealand budget details leaked due to website sloppiness, not hackers

New Zealand budget details leaked due to website sloppiness, not hackers

What a difference a few days can make.

Earlier this week, the New Zealand government was claiming that it had suffered a “deliberate and systematic” hacking attack that resulted in budget details ending up in the hands of its political opponents.

Read on to find out how the story changed, and it appears no illegal hacking took place at all.

Sign up to our free newsletter.
Security news, advice, and tips.

Tuesday 28 May, 2019

New Zealand’s National Party published secret details of the government’s upcoming “wellbeing” budget, two days ahead of its scheduled release, but refused to give any details of how it came across them.

Police are called in to investigate the leak by New Zealand’s Treasury Secretary Gabriel Makhlouf.

Wednesday 29 May, 2019

New Zealand’s Treasury said its systems had been “deliberately and systematically hacked”.

Makhlouf told Radio New Zealand that his department had identified “multiple and systematic attempts to gain unauthorised access” to its systems, offering the figure of 2000 attempts to access budget-related material in a 48 hour period.

National MP Michael Woodhouse described the suggestion that the information had been hacked from government systems as “ludicrous.”

Thursday 30 May, 2019

The New Zealand Treasury issued a statement, confirming that the police had already closed their investigation, and retracting claims that a hack had occurred:

Following Tuesday’s referral, the Police have advised the Treasury that, on the available information, an unknown person or persons appear to have exploited a feature in the website search tool but that this does not appear to be unlawful. They are therefore not planning further action.

So, what actually happened? Here’s the Treasury’s explanation:

  • As part of its preparation for Budget 2019, the Treasury developed a clone of its website.
  • Budget information was added to the clone website as and when each Budget document was finalised.
  • On Budget Day, the Treasury intended to swap the clone website to the live website so that the Budget 2019 information was available online.
  • The clone website was not publically accessible.
  • As part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase.
  • The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site.
  • As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents.
  • A large number (approx. 2,000) of search terms were placed into the search bar looking for specific information on the 2019 Budget.
  • The searches used phrases from the 2018 Budget that were followed by the “Summary” of each Vote.
  • This would return a few sentences – that included the headlines for each Vote paper – but the search would not return the whole document.
  • At no point were any full 2019/20 documents accessible outside of the Treasury network.


If you leave sensitive content open for *anyone* to stumble across by simply doing a search on a website that is accessible to the public then you only have yourself to blame!

Be careful what information you put on a test or staging website if it’s accessible to the rest of the world.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.