Defiant Treasury boss Gabriel Makhlouf has broken his silence over the Budget "hack", maintaining that he has done nothing wrong in the face of heavy criticism and demands for a public apology.
"I am pleased that my honesty and integrity are not in question," Makhlouf said in a statement.
He also apologised that Budget 2019 had not been kept secure, an apology he had already given to Finance Minister Grant Robertson.
But he did not apologise for his public comments made prior to Budget day, which were heavily criticised in an investigation released today by State Services Commissioner Peter Hughes.
The investigation found that Makhlouf failed to meet the standards expected of a public service chief executive, saying he should have consulted more and taken greater personal responsibility - and should have done so publicly.
Makhlouf has repeatedly refused any interviews since May 29, the day before Budget day, and again refused interviews today.
Today is Makhlouf's last day of work at the Treasury and he is understood to be leaving New Zealand at the end of this week to eventually head to Ireland to take up the position as head of the Central Bank.
In his statement, Makhlouf said that the State Services Commission (SCC) investigation was thorough and fair.
"The report confirms I acted at all times in good faith and with political neutrality. It also confirms that I acted reasonably, other than in my descriptions of the incident. I am pleased that my honesty and integrity are not in question.
"I apologise that Budget information was not kept secure."
He said it had been a privilege to serve as head of the Treasury for eight years.
National Party deputy leader Paula Bennett said earlier today that Makhlouf should make a public apology, and he should have done so weeks ago.
"The level of incompetence right across, and it more being about butt-covering and trying to throw other people under the bus instead of standing up and taking personal responsibility ... is something I haven't seen in the public service for a very long time," Bennett said.
The SSC report said that Makhlouf's statement that he released on May 28, his subsequent media interview about likening the incident to a persistent attack on a bolted door, and his statement on the morning of the Budget, on May 30, fell short of the standards of a public service chief executive.
Hughes said these were not sackable offences, basing that on advice from Crown Law, reviewed by Michael Heron, QC.
"The right thing to do here was to take personal responsibility for the failure, irrespective of the actions of others and to do so publicly. He did not do that," Hughes said.
He expected public service chief executives to "own it, fix it, learn from it, and be accountable", and that Makhlouf could have offered his resignation, but had not.
Hughes said to issue Makhlouf an official reprimand, even if only symbolic, would have been "meaningless and cynical", and the loss of reputation Makhlouf had suffered was "going to be a real burden".
Makhlouf's May 28 statement followed the public release of confidential Budget 2019 information by the National Party two days before Budget day.
The statement said the Treasury computer system had been deliberately and systematically hacked, and that he had referred the matter to police on the advice of the national cybersecurity unit in the Government Communications Security Bureau.
The reference to the GCSB heightened speculation that a foreign power had targeted the Treasury, but the GCSB contacted ministers and the Prime Minister's office soon after the statement was released to say that no hacking had occurred.
The SCC report said there were indications that the Treasury website's security had been inadequate before Makhlouf released his "hacking" statement.
At 5.05pm on Tuesday, May 28, an hour before referring the matter to police and three hours before releasing the statement, Treasury officials told Makhlouf that using the search function on the Treasury website had led to accessing the Budget information - though it was still unclear what had been accessed or whether there were other sources.
Makhlouf was also told four hours earlier, at 1.04pm, that the confidential information may have come from the Treasury website.
The SSC report also noted that the GCSB cybersecurity unit contacted police before Makhlouf's statement was released to say that it was unsure whether an offence had taken place.
During a meeting between Makhlouf and Robertson in Robertson's office before the statement was released, Makhlouf was asked why the GCSB wasn't investigating and whether it could be an overseas attack.
"He replied that, although Treasury has the IP addresses (Parliamentary Service and 2degrees), it could not rule out foreign actors or whether a bot may have been involved. He said he did not know why the GCSB itself was not investigating the matter," the report said."
At 9pm, an hour after Makhlouf released his statement, GCSB boss Andrew Hampton texted Makhlouf to say that it wasn't a "hack" and he needed to correct his statement. This was followed by a call to the Treasury communications team to discuss why the GCSB wasn't consulted on the Makhlouf statement.
Makhlouf called Hampton back to discuss their different views on the word "hack".
The SSC report said the GCSB should have been consulted before the statement was released, which would have addressed the differences in opinion over the use of the term "hack".
The following morning, on May 29, Makhlouf likened the incident to someone accessing information in a locked room after persistently attacking the lock thousands of times until it broke.
The SSC report said Makhlouf focused more on the actions of the searchers of the Treasury website than his own personal responsibility as chief executive for the failure of the Treasury systems.
"It was a clumsy response to a serious issue and is not what I expect of an experienced chief executive," Hughes said.
The Treasury released a statement at 5am on May 30, saying that police had advised that nothing illegal had happened.
The SSC report also criticised this statement, saying it continued to focus on those searching the Treasury website rather than the Treasury's own failures to keep Budget information secure.
The statement was released 12 and a half hours after public service bosses were given a definitive account of how the information breach had occurred, and about 33 hours after Makhlouf's first statement about hacking had been released.
The SCC report said this was not an unreasonable to release the statement at 5am on Thursday, May 30.
"It takes time to draft an accurate media statement and to appropriately consult other agencies."
But Bennett said the time it took for the Treasury's statement to be released was unacceptable.
"Not in any way, shape or form. They sat on it for more than 30 hours, knowing exactly what the truth was and deciding not to release it.
"Tuesday [May 28] even they knew it wasn't a hack ... we had the Finance Minister himself link it to the National Party, and all day Wednesday right through to 5am on Thursday morning, they sat knowing it wasn't a hack."
Robertson said he accepted the findings of the SSC report and noted Hughes' disappointment with Makhlouf's handling of the situation.
"My statement never suggested the National Party was responsible but rather called on them to not use the material that they had – whoever the source of that was - because we were told it had been obtained through unauthorised means."