The New Zealand States Services Commission has excoriated the outgoing Secretary to the Treasury, Gabriel Makhlouf, for his handling of the leak of sensitive government Budget data, saying the senior civil servant failed to take personal responsibility for the security failure.
Makhlouf made headlines locally and internationally after he alleged that embargoed budget 2019 information released by opposition National Party were obtained by the Treasury site being "deliberately and systematically hacked".
National denied it had hacked the Treasury website, and a police investigation supported the opposition party, saying the data had been leaked after a content management system misconfiguration made it appear in a search engine index.
Makhlouf was sharply criticised for characterising the data leak as a hack, and deputy state services commissioner John Ombler was asked to investigate the Treasury Secretary's statements.
In his report [pdf], Ombler said Makhlouf did not act reasonably when he told media the Treasury site had been hacked, ditto when he used a bolt [that was broken] analogy to describe how the data leak took place.
State Services Commissioner Peter Hughes accepted all Ombler's findings, and said Makhlouf should have owned-up to the data breach rather than blaming others for it.
Hughes said his chief executives are expected to own problems when things go wrong, to fix them and to learn from them.
He expressed disappointment at Makhlouf's actions during the data breach, which he said fell well short of expectations of the secretary's responsibility to keep Treasury information secure.
“The breach of security around the Budget documents should never have happened, under any circumstances,” said Mr Hughes.
“The right thing to do here was to take personal responsibility for the failure irrespective of the actions of others and to do so publicly. He did not do that.
“As the investigation found, Mr Makhlouf focused more on the actions of the searchers of the Treasury website rather than his own personal responsibility as chief executive for the failure of the Treasury systems.”
“I have concluded that Mr Makhlouf failed to take personal responsibility for the Treasury security failure and his subsequent handling of the situation fell well short of my expectations. Mr Makhlouf is accountable for that and I’m calling it out,” Hughes said.
Hughes went on to say that Makhlouf's response to a serious issue was "clumsy" and "not what I expect of an experienced chief executive."
Ombler did find that Makhlouf had acted in good faith, reasonably and without political bias in relation to the advice he provided to the minister of finance, Grant Robertson.
The Treasury now faces a further inquiry into whether or not its information security arrangements were adequate to protect sensitve information.
This week, state services commissioner Hughes announced that Dr Caralee McLiesh, currently the managing director of Technical and Further Education New South Wales, has been appointed as secretary to and chief executive of the Treasury.
Dr McLiesh worked for the NSW Treasury in deputy secretary roles from 2008 to 2018, and developed Australia's first Social Impact Bond for families at risk. She was awarded the Public Service Medal for that work in 2017.
Makhlouf is expected to take on the position of governor of the central bank of Ireland.