BreachExchange mailing list archives
Rushed website led to Budget hack
From: Destry Winant <destry () riskbasedsecurity com>
Date: Fri, 28 Feb 2020 09:23:31 -0600
https://www.msn.com/en-nz/news/national/rushed-website-led-to-budget-hack/ar-BB10uqbE

A scathing report into the accidental release of sensitive Budget 2019 information by the Treasury has found poor procurement processes and governance failures by senior leadership were to blame for security flaws in its website not being identified earlier.

The inquiry into the accidental release of Budget 2019 information prior to Budget day has reported back on the "rushed" development of a new Treasury website.

The State Services Commission launched the inquiry after the National Party trumpeted figures it had been able to obtain from the Government's Budget appropriations online, on the eve of the coalition's first Wellbeing Budget.

Treasury Secretary Gabriel Makhlouf initially told media the Treasury had been "deliberately and systematically hacked" and that he had referred the matter to police, but National leader Simon Bridges later revealed his party had obtained the data simply from searching the Treasury's website.

The inquiry, led by Jenn Bestwick, found that a series of decisions made during the procurement process for a new Treasury website had led to a "rushed, sub-optimal solution", with the Treasury repeatedly excluding Budget Day scenarios from its considerations in the project's development.

The decision to use a "vaulted clone" model - where a complete, offline replica of the new Treasury website was set up to be swapped with the live website on Budget Day - was undermined by the decision to use a shared index for both sites, which did not meet the Government's digital service design guidelines for sensitive information. The shared index meant that searches on the live site could pull up headline information and "snippets" of Budget 2019 information on the cloned site.
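To make the "shared index" failure concrete, here is an added toy model (not code from the article, the Treasury or the inquiry): a minimal inverted index fed from two constructed sample pages, one on the live site and one on the vaulted clone, showing that the public search returns the clone's headline and snippet when both sites share an index, and cannot when each site has its own. The page contents, the `site` tag and the snippet format are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample pages: live site = last year's material, clone = embargoed Budget 2019.
PAGES = [
    {"site": "live", "title": "Budget 2018 overview",
     "body": "Budget 2018 allocated 3.0 billion to health services."},
    {"site": "clone", "title": "Budget 2019 summary",
     "body": "Budget 2019 allocates 3.4 billion to health, embargoed until Budget Day."},
]

def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def snippet(body, term, width=30):
    # Short text window around the first hit, as a results page would show it.
    i = body.lower().find(term.lower())
    return body[max(0, i - width):i + len(term) + width].strip() if i >= 0 else ""

class SearchIndex:
    """Minimal inverted index: term -> positions of pages containing it."""
    def __init__(self):
        self.pages, self.postings = [], defaultdict(set)
    def add(self, page):
        self.pages.append(page)
        for t in tokens(page["title"] + " " + page["body"]):
            self.postings[t].add(len(self.pages) - 1)
    def search(self, term):
        # Each hit is (site, headline, snippet), which is exactly what leaked.
        hits = [self.pages[p] for p in sorted(self.postings.get(term.lower(), ()))]
        return [(h["site"], h["title"], snippet(h["body"], term)) for h in hits]

def shared_index_results(term, pages=PAGES):
    """Flawed layout: one index for both sites, queried from the public site."""
    idx = SearchIndex()
    for page in pages:
        idx.add(page)
    return idx.search(term)

def partitioned_results(term, site="live", pages=PAGES):
    """Fix: one index per site; the public search box only ever opens 'live'."""
    per_site = defaultdict(SearchIndex)
    for page in pages:
        per_site[page["site"]].add(page)
    return per_site[site].search(term)

def leaked_clone_titles(results):
    """Check to run against the public search: any non-live hit is a leak."""
    return [title for site, title, _ in results if site != "live"]
```

The point of `partitioned_results` is that the separation is structural: because the clone's pages are never in the index the public site queries, no query wording or result filtering bug can surface them.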
The inquiry found that the Treasury did not have effective governance or oversight processes to manage the Budget process from start to finish, with known risks like the indexing problem not receiving appropriate consideration.

"This is consistent with the failure by senior leadership to pay attention to core operational performance as reported by the inquiry," the report says.

The inquiry also highlighted ever-increasing demands on the Treasury for Budget services and products, with "managers and teams feeling they had no option but to deliver whatever was requested of them, irrespective of the impact on resourcing and potential organisational risk".

State Services Commissioner Peter Hughes said the Treasury had failed to strike the right balance between its policy work and corporate services such as IT systems. "Some things are so critical that they can never be allowed to fail. Security of the Budget is one of these."

Hughes said he was confident that new Treasury Secretary Caralee McLiesh would make the changes needed to ensure such a failure did not happen again. Since the incident, McLiesh had appointed a member of the Treasury's executive leadership team to personally oversee the security of the Budget process, while implementing new quality assurance measures and security policies.

"The Budget is a core priority of the Treasury and what happened should never happen again," she said.

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange