[BreachExchange] Rushed website led to Budget hack

Destry Winant destry at riskbasedsecurity.com
Fri Feb 28 10:23:31 EST 2020


https://www.msn.com/en-nz/news/national/rushed-website-led-to-budget-hack/ar-BB10uqbE

A scathing report into the accidental release of sensitive Budget 2019
information by the Treasury has found that poor procurement processes and
governance failures by senior leadership were to blame for security
flaws in its website not being identified earlier.

The inquiry into the accidental release of Budget 2019 information
prior to Budget day has reported back on the "rushed" development of a
new Treasury website. The State Services Commission launched the
inquiry after the National Party trumpeted figures it had been able to
obtain from the Government's Budget appropriations online, on the eve
of the coalition’s first Wellbeing Budget.

Treasury Secretary Gabriel Makhlouf initially told media the Treasury
had been "deliberately and systematically hacked" and that he had
referred the matter to police, but National leader Simon Bridges later
revealed his party had obtained the data simply from searching the
Treasury's website.

The inquiry, led by Jenn Bestwick, found that a series of decisions
made during the procurement process for a new Treasury website had led
to a “rushed, sub-optimal solution”, with the Treasury repeatedly
excluding Budget Day scenarios from its considerations in the
project’s development.

The decision to use a “vaulted clone” model - where a complete,
offline replica of the new Treasury website was set up to be swapped
with the live website on Budget Day - was undermined by the decision
to use a shared index for both sites, which did not meet the Government’s
digital service design guidelines for sensitive information.

The shared index meant that searches on the live site could pull up
headline information and “snippets” of Budget 2019 information on the
cloned site.
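The shared-index flaw described above, modelled in Python as an added illustration (not code from the article or from the Treasury): one index serving both sites, queried from the live site without a site filter, returns clone-only headlines and snippets, shown beside a per-site partition and a pre-Budget-Day gate that compares live search results against the set of published URLs. Doc, search_shared, search_scoped and unpublished_results are assumed names and the corpus is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    site: str   # "live" or "clone" (the vaulted, not-yet-published replica)
    url: str
    title: str
    body: str

def snippet(body: str, term: str, width: int = 25) -> str:
    """Excerpt of body around the first case-insensitive hit of term ("" if none)."""
    i = body.lower().find(term.lower())
    if i < 0:
        return ""
    start, end = max(0, i - width), min(len(body), i + len(term) + width)
    return body[start:end]

def _hits(index, term):
    return [d for d in index if term.lower() in (d.title + " " + d.body).lower()]

def search_shared(index: list[Doc], term: str) -> list[tuple[str, str, str]]:
    """Flawed model: one index serves both sites and the live site's query carries
    no site filter, so headlines and snippets of clone-only pages surface."""
    return [(d.url, d.title, snippet(d.body, term)) for d in _hits(index, term)]

def search_scoped(index: list[Doc], term: str, site: str) -> list[tuple[str, str, str]]:
    """Hardened model: each site only reads its own partition of the index."""
    return [(d.url, d.title, snippet(d.body, term))
            for d in _hits(index, term) if d.site == site]

def unpublished_results(results, published_urls: set[str]) -> list[str]:
    """Release gate: run queries against the live site and flag any result URL
    that is not in the live site's published URL set (its sitemap)."""
    return [url for url, _, _ in results if url not in published_urls]

# Constructed sample corpus, not real Treasury pages.
INDEX = [
    Doc("live", "https://www.example.govt/budget-2018", "Budget 2018",
        "Published appropriations for the 2018 Budget."),
    Doc("clone", "https://www.example.govt/budget-2019", "Budget 2019 at a glance",
        "Embargoed until Budget Day: appropriations for health and education."),
]
PUBLISHED = {d.url for d in INDEX if d.site == "live"}

if __name__ == "__main__":
    print(search_shared(INDEX, "appropriations"))         # leaks the clone snippet
    print(unpublished_results(search_shared(INDEX, "appropriations"), PUBLISHED))
    print(search_scoped(INDEX, "appropriations", "live"))  # only the 2018 page
```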

The inquiry found that the Treasury did not have effective governance
or oversight processes to manage the Budget process from start to
finish, with known risks like the indexing problem not receiving
appropriate consideration.

“This is consistent with the failure by senior leadership to pay
attention to core operational performance as reported by the inquiry,”
the report says.

The inquiry also highlighted ever-increasing demands on the Treasury
for Budget services and products, with “managers and teams feeling
they had no option but to deliver whatever was requested of them,
irrespective of the impact on resourcing and potential organisational
risk”.

State Services Commissioner Peter Hughes said the Treasury had failed
to strike the right balance between its policy work and corporate
services such as IT systems.

“Some things are so critical that they can never be allowed to fail.
Security of the Budget is one of these.”

Hughes said he was confident that new Treasury Secretary Caralee
McLiesh would make the changes needed to ensure such a failure did not
happen again.

Since the incident, McLiesh had appointed a member of the Treasury’s
executive leadership team to personally oversee the security of the
Budget process, while implementing new quality assurance measures and
security policies.

“The Budget is a core priority of the Treasury and what happened
should never happen again,” she said.


More information about the BreachExchange mailing list