National leader Simon Bridges has blasted the Government and Treasury's "incompetent smear" job wrongly suggesting National had hacked Budget details.
"It shows deep dishonesty. Treasury has known since Tuesday exactly what happened and they covered it up to hide their incompetence. They have sat on a lie, calling the National Party criminal hackers and calling in the police," he said today.
Bridges' comments follow confirmation today that sensitive Budget information made public by National was not hacked from the Treasury website but instead accessed legally.
Treasury had made changes on Tuesday and people in Treasury have told him that they knew, but had continued to "lie", Bridges said.
Bridges said Treasury Secretary Gabriel Makhlouf - who has already resigned to take a job in Ireland - must resign.
He said Finance Minister Grant Robertson was "donkey deep" in this and had been briefed by Treasury. Robertson was responsible and must resign, Bridges said.
"He does not have the moral authority to deliver the Government's Budget today."
Bridges said Deputy Prime Minister Winston Peters had claimed he knew what happened and that it was illegal.
He said if Peters had any integrity, he should publicly apologise.
Bridges said National staffers had used the search bar on the Treasury website and searched for 2019/20, and Budget information came up.
"Any member of the NZ public could have done this if they had an interest in the Budget, from your grandson to your grandma."
Makhlouf had compared this to an attack on a padlocked door, but Bridges said it was more like putting information in the street with a sign on it saying "free to a good home".
Bridges said Makhlouf was being dishonest because it was clear that Treasury knew what had happened on Tuesday.
He defended National staffers going looking for the information on the website, saying the only wrongful behaviour came from Treasury, Robertson and Peters.
"The Deputy PM of New Zealand came out and accused me of criminal behaviour. That is disgraceful," Bridges said.
That had prompted him to reveal this morning how National had come upon the information. He said Treasury was not only sitting on a lie, but had compounded it.
Bridges said it was not believable that Robertson did not know what had happened when he asked National not to release any more Budget information.
"What was the public interest in Treasury in covering this lie up ... calling in the police on the New Zealand Opposition ... in Grant Robertson smearing the National Party ... in the Deputy Prime Minister of New Zealand doubling down on falsehoods?"
Bridges said the public interest in National releasing Budget information was to expose the Government's incompetence.
National staffers had "literally stumbled" upon the information - and he believed all the IP addresses that accessed the Treasury's website were probably from National employees.
Police confirmed today that the Budget details were obtained from Treasury's website using a search function and such activity was not unlawful.
A computer based at Parliament was one of three IP addresses used to access the details on the website, the Treasury said in a statement released at 5.05am today.
The Government had suggested National either hacked the information, or received hacked information, when it released Budget details this week ahead of today's announcement. Bridges said the Government's "incompetence" was the real reason for the information being disclosed.
Treasury Secretary Gabriel Makhlouf had earlier claimed the website had been hacked.
However, police said today the person or persons were able to "exploit" the system because Treasury staff had been preparing a clone website in the background that they intended to swap over with the live website on Budget day.
To do this Treasury staff had begun uploading some Budget information on to the clone site.
Although not publicly accessible, some information could be seen when a search was made on the website.
Investigations into what happened showed about 2000 searches were made for Budget details.
"The evidence shows deliberate, systematic and persistent searching of a website that was clearly not intended to be public," Treasury said.
"Evidence was found of searches that were clearly intended to produce results that would disclose embargoed Budget information.
"Three IP addresses were identified that performed [in the Treasury's estimation] approximately 2000 searches, over a period of 48 hours, which pieced together the small amount of content available via the search tool.
"The IP addresses involved belonged to the Parliamentary Service, 2degrees and Vocus."
The news comes after speculation had begun to mount that the Budget leak was more "cock-up" than hack.
NZ Herald tech writer Juha Saarinen found screenshots of a Google search for "estimates of appropriation 2019/2020" circulating on Twitter suggesting the data was publicly accessible.
Bridges - whose party had released information - had also been quick to fire back at claims by Makhlouf yesterday that the site had been hacked, calling them a lie.
He attacked a "bungling, incompetent" Government over the early release of the sensitive Budget details and stressed his party had obtained its information legally.
An inquiry into the strength of security around the Budget will now be undertaken by the State Services Commission.
"Unauthorised access to confidential budget material is a very serious matter," State Services Commissioner Peter Hughes said.
"This is a matter of considerable public interest and I will have more to say as soon as I am in a position do so."
Hughes asked the Government Chief Information Security Officer and Chief Digital Officer to "provide assurance that information security across the Public Service is sound".
"This is an important issue because it goes to trust and confidence in the Public Service and in the security of government information," Hughes said.
Technology commentator Paul Brislen told Newstalk ZB's Mike Hosking the Treasury department's move to set up a clone website was a "very good idea" and a common occurrence.
"A website like the Budget site is going to have a lot of people visiting it on the first day, who are going to be searching for all kinds of things, there is going to be a lot of interest," he said.
"You are going to want the website to work as well as possible."
To do that staff would have set up a clone website so they could run tests simulating what might happen when the website actually goes live, he said.
Brislen said the person or persons responsible for the about 2000 searches for Budget information could be someone connected to the National Party or any other staffer working at Parliament.
He pointed to how investigators had found the IP addresses of the devices used to search for the Budget information belonged to a Parliament IP address, a 2degrees mobile device and a Vocus IP address.
"You could make a case for somebody finding out at work at Parliamentary Service that they've got access," he said.
"[Before] then trying it on the bus on the way home and then perhaps at home as well - put their feet up and spend 48 hours testing out to see what they can find."
Finance Minister Grant Robertson earlier this week said he had contacted National, asking Bridges not to release any more information – "given that the Treasury said they have sufficient evidence that indicates the material is a result of a systematic hack and is now subject to a police investigation".
He said the matter was "extremely serious" and now was in the hands of the police.
But National leader Simon Bridges quickly responded, saying his party has acted "entirely appropriately".
He said Robertson "falsely smeared us [National] to cover up his and the Treasury's incompetence".
• As part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase.
• The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site.
• As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents.
• A large number (approx. 2000) of search terms were placed into the search bar looking for specific information on the 2019 Budget.
• The searches used phrases from the 2018 Budget that were followed by the "Summary" of each Vote.
• This would return a few sentences - that included the headlines for each Vote paper - but the search would not return the whole document.
• At no point were any full 2019/20 documents accessible outside of the Treasury network.
"The nature of these searches ultimately led to unauthorised access to small amounts of content from the 2019/20 Estimates documents, none of which were due to be available to Parliament and the public until Budget Day."
Makhlouf said in his view "there were deliberate, exhaustive and sustained attempts to gain unauthorised access to embargoed data.
"Our systems were clearly susceptible to such unacceptable behaviour, in breach of the long-standing convention around Budget confidentiality, and we will undertake a review to make them more robust."
The Treasury took immediate steps on Tuesday to increase the security of all Budget-related information.
Makhlouf asked the State Services Commissioner to conduct an inquiry in order to look at the facts and recommend steps to prevent such an incident being repeated.