Financial Services

Makhlouf New Zealand budget ‘hack’ inquiry scrapped over conflict of interest

Investigation looking at handling of leak under Central Bank governor in past role

Gabriel Makhlouf, governor of the Irish Central Bank and former head of the New Zealand treasury. Photograph: Nick Bradshaw

Kate MacNamara in New Zealand
Wed Nov 13 2019 - 17:19

An investigation into mistakes made at New Zealand’s treasury under Gabriel Makhlouf, now governor of the Central Bank of Ireland, has been scrapped over a conflict of interest.

The move drags out a saga that has dogged and embarrassed both Mr Makhlouf and his former political masters in the New Zealand government.

The integrity of the investigation was compromised because a key team member failed to declare a conflict of interest, state services commissioner Peter Hughes said on Wednesday.

Inquirer Murray Jack will be replaced by former management consultant Jenn Bestwick. A fresh inquiry is now expected to report at the end of February.

READ MORE

“It is very disappointing this has happened,” Mr Hughes said. “Unfortunately, this person has not met my expectations or Mr Jack’s expectations.”

Just weeks away from expected publication, the report was to examine how sensitive budget information was leaked through the treasury department’s website before it was due to be released last May.

The data loss was initially characterised as a hack by both Mr Makhlouf and finance minister Grant Robertson. However, it emerged later that the information had been published accidentally through the treasury’s own website and was obtained using the search function.

The State Services Commission, responsible for the job performance of chief executives within the New Zealand civil service, commissioned two investigations in the wake of the budget leak.

The first, led by John Ombler, was released in June and examined Mr Makhlouf’s conduct. It found that he “acted unreasonably” when he claimed the budget data had been “deliberately and systematically hacked”.

It also concluded that Mr Makhlouf’s focus on blaming others was an impediment to understanding the true situation and that he managed the incident poorly. It did, however, uphold his political neutrality and that he acted in good faith at all times.

New document

Most of the crucial events of the budget leak unfolded on May 28th. The opposition National Party published snippets of information from the upcoming budget three times by mid-afternoon.

The Ombler report shows a good deal of confusion within treasury earlier in the day. But, by 5:30pm, some facts had been established. The IT team had worked out that a flaw in its website would have yielded the details, the opposition had released. They’d disabled the function and briefed Mr Makhlouf.

A new document, released to The Irish Times under the Official Information Act, suggests that, at about 6pm, treasury’s chief information officer was advised by staff at the National Cyber Security Centre, a division of the intelligence service, that a compromise of the treasury website was unlikely.

A statement by Det Sgt Paul Stenzel of the New Zealand police cybercrime unit details: “I received a call from the on-call staff member from the National Cyber Security Centre (NCSC) to advise that they had spoken to the chief information officer at the treasury, Tom Byrne... From the information provided to them from the CIO, they commented that, on the face of it, it did not appear to be a compromise and it seemed more likely a Police matter than one the NCSC would typically deal with.”

The Omber report shows that Mr Byrne spoke to NCSC during a meeting of treasury’s crisis management team, which included Mr Makhlouf. Mr Byrne returned to the team after the call and the group discussed the term “hacking”.

Several hours later, treasury said in a press release it had “gathered sufficient evidence to indicate that its systems have been deliberately and systematically hacked”. On Mr Makhlouf’s advice, the minister of finance also issued a statement using similar language.

Subsequently that evening, the director-general of the government communications security bureau, which contains the NCSC, spoke by phone to both Mr Makhlouf and the chief executive of the department of the prime minister and cabinet. He advised that there had been no compromise of the treasury website and no “hack”.

He suggested using the term, “information management issue”. Mr Makhlouf took a different view, and in media interviews the following day used a lock and key analogy to imply the budget details has been stolen.

Matter not settled

Despite the furore in New Zealand, Mr Makhlouf took up his new post at the Central Bank in early September. Internal documents show Central Bank directors were concerned about the “reputational damage” caused by the controversy. Both the Labour party and Sinn Féin have expressed similar misgivings.

Minister of Finance Paschal Donohoe, however, has stood by his appointment and insisted that the matter is now closed.

But the second New Zealand investigation, now due next year, may have more to say on Mr Makhlouf. Among its considerations will be what happened, why it happened, and the lessons learned.

LATEST STORIES