Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Application Security

New Zealand Says Budget Leak Was Bungled, Not Hacked

A security breach that led to the premature release of New Zealand’s budget resulted from an online bungle, not a sophisticated cyberattack as originally claimed, red-faced officials admitted Thursday.

A security breach that led to the premature release of New Zealand’s budget resulted from an online bungle, not a sophisticated cyberattack as originally claimed, red-faced officials admitted Thursday.

The Treasury department called in police this week after the opposition National Party released parts of the government’s annual budget, which was not due for release until Thursday.

At the time, Treasury Secretary Gabriel Makhlouf said his department had fallen victim to a “systematic” and “deliberate” hack, rejecting “absolutely” any suggestion the information had been accidentally posted online.

He was forced into an embarrassing backdown Thursday after police found no evidence that illegal activity was behind the leak.

“On the available information, an unknown person or persons appear to have exploited a feature in the website search tool but… this does not appear to be unlawful,” Makhlouf said in a statement.

He said Treasury prepared a “clone” website ahead of the Budget’s release but did not realise that entering specific search terms on it revealed embargoed information.

Budget documents are a closely guarded secret and Makhlouf said an inquiry would be held to ensure such a breach was not repeated.

Advertisement. Scroll to continue reading.

This year’s document is the centre-left government’s inaugural “well-being” budget, which it says is a world-first attempt to change the way economic progress is measured, putting people ahead of growth.

National leader Simon Bridges called for Makhlouf’s resignation, saying the Treasury boss knew about the bungle days ago because his department fixed the website bug before police were called in.

He accused Makhlouf of sitting on the information and instead going public with an accusation that implied National had carried out an illegal hack.

“Clearly his position is not tenable,” Bridges told reporters.

Finance Minister Grant Robertson, the minister responsible for the budget, declined to publicly back Makhlouf, who is due to leave his position next month and become governor of the Central Bank of Ireland.

“I am… very disappointed that the Treasury did not seek to find more information as to how this happened before referring the matter to the police,” he said in a statement.

He refused to address the matter further in the budget media lock-up at parliament, which Makhlouf did not attend, contrary to normal practice.

Written By

AFP 2023

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.