An investigation into Treasury boss Gabriel Makhlouf has found that he acted in good faith and without political bias, but his actions were not reasonable and he should have taken more personal responsibility.

But Makhlouf remains defiant, telling his employer that he has done nothing wrong.

State Services Commissioner Peter Hughes and Deputy Commissioner John Ombler, who conducted the investigation, released the findings of the report today, which is Makhlouf's last day at work before he takes up a position as head of Ireland's Central Bank.

The Ombler report said Makhlouf acted in good faith, and there was no evidence that he deliberately misled Finance Minister Grant Robertson or orchestrated a hit job on the National Party.

Advertisement

His decision to refer the matter to police also showed no evidence of political influence.

But the words in his statement that he released on Tuesday May 28, his subsequent media interview about likening the incident to a persistent attack on a bolted door, and his statement on the morning of the Budget, on May 30, fell short of the standards of a public service chief executive.

Hughes said these were not sackable offences, on the advice of Crown Law, reviewed by Michael Heron, QC.

But he was disappointed in Makhlouf.

"The breach of security around the Budget documents should never have happened, under any circumstances," Hughes said.

"The right thing to do here was to take personal responsibility for the failure, irrespective of the actions of others and to do so publicly. He did not do that."

Hughes said that he expected public service chief executives to "own it, fix it, learn from it, and be accountable", and that Makhlouf could have offered his resignation, but had not.

Ombler said that Makhlouf continued to believe he acted reasonably at all times.

Hughes said to issue Makhlouf an official reprimand, even if only symbolic, would have been "meaningless and cynical", and the loss of reputation Makhlouf had suffered was "going to be a real burden".

A spokesperson at the Treasury said Makhlouf would be releasing a statement later today.

Hughes would not say how he would have sanctioned Makhlouf if today was not Makhlouf's last day at work, saying the investigation into the Treasury's security was still ongoing and he therefore did not have the full picture.

Makhlouf has come under heavy criticism for a statement that he released on Tuesday May 28 and his statements to media on the following morning about confidential Budget 2019 information that had been accessed.

Earlier that day, the National Party had released a trickle of Budget information - two days before Budget day.

Makhlouf's statement said the Treasury computer system had been deliberately and systematically hacked, and that he had referred the matter to police on the advice of the national cybersecurity unit in the Government Communications Security Bureau.

The reference to the GCSB heightened speculation that a foreign power had targeted the Treasury, but the GCSB contacted ministers and the Prime Minister's office soon after the statement was released to say that no hacking had occurred, and it should be called unauthorised access.

The GCSB had also told Treasury chief information officer Tom Byrne before the statement was released that it was not an issue for the national cybersecurity unit, and was a "100 per cent police matter".

The Ombler report said that Makhlouf, during a meeting in Robertson's office before his statement was released, was asked why the GCSB wasn't investigating and whether it could be an overseas attack.

"He replied that, although Treasury has the IP addresses (Parliamentary Service and 2degrees), it could not rule out foreign actors or whether a bot may have been involved. He said he did not know why the GCSB itself was not investigating the matter," the report said.

"Mr Makhlouf stepped out of the meeting (at 7:37pm) and called [head of the Department of Prime Minister and Cabinet] Brook Barrington (as Chair of ODESC) to ask why GCSB had not taken on the investigation. Mr Barrington said that was probably because the GCSB did not have jurisdiction over potential criminality. Mr Makhlouf relayed this to the Minister."

The report also noted that the GCSB cybersecurity unit contacted police before Makhlouf's statement was released to say that it was unsure whether an offence had taken place.

At 9pm, an hour after Makhlouf released his statement, GCSB boss Andrew Hampton texted Makhlouf to say that it wasn't a "hack" and he needed to correct his statement. This was followed by a call to the Treasury communications team to discuss why the GCSB wasn't consulted on the Makhlouf statement.

Makhlouf called Hampton back to discuss their different views on the word "hack".

The Ombler report said the GCSB should have been consulted before the statement was released, which could have addressed the differences in opinion over the use of the term "hack".

The following morning, on Wednesday May 29, Makhlouf likened the incident to someone accessing information in a locked room after persistently attacking the lock thousands of times until it broke.

The Ombler report said Makhlouf focused more on the actions of the searchers of the Treasury website than his own personal responsibility as chief executive for the failure of the Treasury systems.

It said he should have sought more advice before referring the matter to police.

"In my view, it was not managed well by Mr Makhlouf. It was a clumsy response to a serious issue and is not what I expect of an experienced chief executive," Hughes said.

Although what had happened was not definitively clear until the afternoon on Wednesday, May 29, there were indications that the Treasury had been at fault and its website security had been inadequate - even though it had been tested just days beforehand.

The Ombler report said that an hour before referring the matter to police, at 5.05pm on Tuesday, May 28, Treasury officials told Makhlouf that using the search function on the Treasury website had led to accessing the Budget information - though it was still unclear what had been accessed or whether there were other sources.

When National leader Simon Bridges finally revealed how the party staffers had obtained the Budget information, he said it was as if the information was in a public street with a "free to a good home" sign on it.

He said at the time that the Treasury knew how the breach had occurred because the party's access to confidential Budget information had been shut down at 2pm on Tuesday, May 28.

The Treasury released a statement at 5am on Thursday, May 30, saying that police had advised that nothing illegal had happened.

The Ombler report also criticised this statement, saying it continued to focus on the conduct of those searching the Treasury website rather than the Treasury's failure to keep Budget information confidential.

State Services Commissioner Peter Hughes, right, released the report into Treasury boss Gabriel Makhlouf today. It was done by Deputy Commissioner John Ombler (left). Photo / Mark Mitchell
State Services Commissioner Peter Hughes, right, released the report into Treasury boss Gabriel Makhlouf today. It was done by Deputy Commissioner John Ombler (left). Photo / Mark Mitchell

The State Services Commission has no jurisdiction over ministers and the Ombler report made no finding about ministers' conduct.

The Government has come under fire for not releasing the GCSB advice that there was no hack until the Treasury put out a statement at 5am on Thursday, May 30 - the morning of Budget day.

This was 12 and a half hours after public service bosses and Robertson were given a definitive account of how the information breach had occurred, and about 33 hours after Makhlouf's first statement about hacking had been released.

The Ombler report said this was not an unreasonable to release the statement at 5am on Thursday, May 30.

"It takes time to draft an accurate media statement and to appropriately consult other agencies."

The Treasury's statement on Thursday, May 30, included police advice that nothing illegal appeared to have happened, and that the State Services Commission will look into the adequacy of Treasury's website security.

Makhlouf said that National should have reported to the Treasury that they had accessed confidential Budget 2019 information, but Ombler said that might apply to Ministers and public service workers, but not the general public.

"Implicit authorisation may be considered to have been granted, if even a snippet appears in a search result on a public website."

Bridges accused senior ministers of deliberately leaving the false impression that the National Party had illegally hacked the Treasury.

He has called for Makhlouf and Robertson to resign for smearing the National Party.

Robertson released a statement about 16 minutes after Makhlouf's statement went out on Tuesday, May 28, in which he repeated Makhlouf's statement about hacking, and linked it to the Budget information that the National Party had already released.

Robertson has defended this statement by saying he was relying on advice from Makhlouf.

Timeline

Tuesday, May 28

• 10:01am: In a press release, National publishes what it claims to be details of the 2019 Budget.

• 11:30am: Finance Minister Grant Robertson confirms some of the details in National's release are from Budget 2019.

• 1.04pm: Treasury official texts Treasury boss Gabriel Makhlouf to say that the information may have come from the Treasury website.

• 1:51pm: Treasury IT team starts making changes to prevent search snippets from the clone site showing on the live site.

• 2pm: National says its method of accessing the Budget information on the Treasury website is closed down.

• 3pm: Treasury IT team turns off function that creates snippets on Treasury
website. Treasury crisis management team meets.

• 5.05pm: Treasury officials tell Makhlouf the information may have come from searching the website.

• 5.32pm: Treasury calls GCSB cybersecurity hotline.

• 6pm: The Treasury asks the cybersecurity unit of the Government Communications Security Bureau about how confidential information on its website was accessed.

• 6.06pm: GCSB cybersecurity unit phones Police Detective Sergeant, says it is not GCSB's remit. Suggests police contact the Treasury

• 6.14pm: Police contacts the Treasury. This is when the matter is officially referred to the police.

• 7:15pm: Makhlouf meets Robertson in his Beehive office and tells him that he has called the police. Robertson says that Makhlouf described it as 2000 attempts to "hack" the system. Meeting is later attended by Jacinda Ardern's chief press secretary Andrew Campbell and deputy chief of staff Raj Nahna.

• 7:35pm Police media team contact the Treasury the liaise about media statement.

• 7:36pm: GCSB cybersecurity unit phones Police Detective Sergeant, who says he is unsure whether this is an offence.

• 8:02pm: The Treasury issues a press release saying it has "sufficient evidence" that it had been "deliberately and systematically hacked". It cites the GCSB advice in saying it has been referred to the police.

• 8:19pm: Robertson issues a press release, asking National not to release any further information because "the material is a result of a systematic hack".

• 8:25pm: Head of GCSB Andrew Hampton calls Brook Barrington, the head of the Department of PM and Cabinet, to say there was no compromise of the Treasury website, and this was not a "hack" but an information management issue.

• 9.02pm: Hampton texts Makhlouf to say this is not a "hack" and they
need to correct.

• 9:13pm: GCSB contacts the Treasury to discuss concern with word 'hack' and lack of consultation on media statement.

• 9:14pm: Makhlouf phones Hampton, discusses different point of views over the word "hack".

• 9.22pm: Makhlouf returns Robertson's call, says there is no evidence of National
Party involvement.

Wednesday May 29

• 7:04am: Makhlouf tells media there had been 2000 attempts to access the Treasury's system in 48 hours. He refers to it once as a hack in another media interview.

• 9am: Simon Bridges strongly denies the information released by National came into its possession unlawfully, but refuses to say how it was obtained. Says it is a "lie" to say the Treasury was hacked.

• 1.40pm: Police advise the Treasury that nothing illegal appears to have taken place

• 4.30pm: How the information breach occurred becomes clear and public sector bosses and Robertson are told. Ardern is told about 6pm.

Thursday May 30

• Thursday, 5am: Treasury releases police advice. State Services Commission, at Makhlouf's invitation, launches inquiry into how the Treasury's Budget information was accessed.

• 8:45am: Simon Bridges fronts a press conference where he outlines how National used a simple search function to get the info. He says the Treasury has "sat on a lie" and calls for Makhlouf and Robertson to resign for smearing the National Party.

Friday May 31

• Paula Bennett writes to SSC, asking for it to investigate Makhlouf and Robertson and whether they have acted appropriately.

Tuesday June 4

• 4:30pm: State Services Commissioner Peter Hughes announces new investigation into whether Makhlouf misled the Government, to be conducted by Deputy State Services Commissioner John Ombler.

Friday June 7

• Herald reveals that the GCSB urgently contacted the Beehive to object to the language being used to describe what happened as "systematic hacking".

Monday June 10

• Ardern says that no ministers learned about the GCSB advice until after the statements about hacking had been released on May 28. National says that ministers still spent 33 hours "sitting on a lie" and should have released the GCSB advice as soon as they were told about it. Ardern says it was appropriate not to as police were looking into the incident at the time, and a full picture of what had happened did not emerge until later.

Thursday June 27

• Ombler report critical of Makhlouf is released, though his actions are not deemed sackable. It is Makhlouf's last day at the Treasury before he leaves to take up a position as head of the Irish Central Bank.