Wednesday, 29 May 2019

Oh Treasury ... again

There is speculation Budget documents may have been "hacked" by someone simply guessing the website addresses of documents prepared by Treasury but which were not yet supposed to be visible on its website.

Treasury has been approached for comment on whether that is what may have occurred, or whether the alleged hack might have been more sophisticated.
Puller-Strecker's interviewed experts think Treasury screw-up the most likely explanation, with pages being indexed that shouldn't have been indexed.

Whether this was due to somebody putting up placeholder content using near-live budget documents in a test environment that was less test than they'd thought, or a screw-up in the CMS where embargoed content was cached by Silverstripe in ways accessible to crawlers* - the current plausible explanations are Treasury screw-up.

The screw-up would fall under the Director of Operations' remit. But the Director of Operations is only a few weeks into the job, having replaced Fiona Ross, who left in April to lead the Ministry of Justice's Family Violence And Sexual Violence unit. You may remember Fiona from Danyl McLaughlin's reporting on DEVUCA worlds

It's still possible this was a leak from elsewhere. But if this winds up being confirmed as Treasury screw-up, it would be difficult to blame a DDO who's only been in the job a couple of weeks. 

And I agree with Hamish Rutherford's piece here: if Treasury really thought that market-sensitive information had been hacked, the budget would already have been released early to avoid giving any hacker a time advantage. Plus, were someone keen on really hacking Treasury, I'm not sure that the budget would be the most interesting stuff to go after. Tendering, commercial contracts, debt issuance - there's a lot of stuff that they'd have in the back-end that would be rather more interesting than a soon-to-be-released budget unlikely to have much market consequence. 


* I understand this to be a known issue in Silverstripe in some government implementations, but I could not possibly explain it.

[Update - link fixed along with spelling of Pullar-Strecker -- Doh!]

No comments:

Post a Comment