The incoming Central Bank of Ireland governor Gabriel Makhlouf "acted unreasonably" in characterising as "hacking" a leak of parts of the 2019 budget from his department's website, New Zealand's public service watchdog has found.
Mr Makhlouf leaves his post as head of New Zealand's treasury with a "major hit [to his] personal and professional reputation," according to his employer the State Services commissioner, Peter Hughes.
However, Mr Hughes said that according to legal advice the conduct did not constitute, “a sackable offence.”
He said Mr Makhlouf’s imminent departure made an official reprimand or other punitive action not practicable.
Deputy commissioner of state services, John Ombler, who authored the review, said Mr Makhlouf responded to leaked budget data from treasury with insufficient consideration of his department's deficiencies.
“I think that there was far too much emphasis on looking at the actions of the person who accessed the website, rather than the failure,” Mr Ombler said.
In the wake of the leak, it emerged that the treasury department had mistakenly made the information available itself through a public web search tool. The opposition National Party accessed and published the data two days ahead of the budget’s official release, setting off a political furore.
In a statement, Mr Makhlouf said the investigation into his actions had been was conducted “thoroughly and fairly”.
“ I have read the report carefully and encourage others to do so,” he said. “I apologise that budget information was not kept secure.”
He said the inquiry “would help us understand exactly how that happened and how to stop it happening again”.
“The report confirms I acted at all times in good faith and with political neutrality,” Mr Makhlouf notes. “It also confirms that I acted reasonably, other than in my descriptions of the incident. I am pleased that my honesty and integrity are not in question.”
Mr Ombler found that Mr Makhlouf would have understood the situation more clearly if he had better used the advice available to him, chiefly the advice of the government cyber security bureau.
Before Mr Makhlouf made a public statement characterising the leak as a hack, staff in his department had already adjusted internal computer systems to prevent any further leak, and had been advised by bureau that no attack had taken place.
“Hacking is an unuseful word to use,” Mr Ombler said. “And I think it’s unreasonable in that if he [Mr Makhlouf] had sought further advice I think it highly probable he would not have used it.”
Following the leak, Mr Makhlouf alleged in public statements that the data had been "deliberately and systematically hacked", advice that he passed on to finance minister Grant Robertson, who then repeated the claim in a press release.
The report found that Mr Makhlouf acted in good faith in all respects, and that his actions were not politically motivated.
Mr Hughes said he has not been in touch with Irish officials.
The news comes at a critical moment for the Central Bank and Mr Makhlouf, who is due to take up his post in Dublin on September 1st.
Minister of Finance Paschal Donohoe has said his Government does have the ability to annul the appointment of Mr Makhlouf, but only if there is grave misconduct.
Mr Hughes declined to use the word “misconduct”.
He said he has not sought legal advice on its implications. He said he was “disappointed” that Mr Makhlouf “failed to take personal responsibility for the treasury security failure.”
“These are big organisations, stuff happens, things go wrong,” Mr Hughes said. “And when it does I want people to own it, fix it, learn from it, and be accountable.”
Deputy leader of the National Party Paula Bennett said Mr Makhlouf "should have offered his resignation following the early release of budget information, and at the very least should apologise for how he handled it."
Mr Makhlouf has not offered to resign, Mr Hughes said.