
OBR drags in cyber bigwig after Budget leak blunder

(2025/11/28)


The Office for Budget Responsibility (OBR) has drafted in former National Cyber Security Centre (NCSC) chief Ciaran Martin to sniff out how its Budget day forecast wandered onto the open internet before the Chancellor had even reached the dispatch box.

Earlier this week, the OBR's November 2025 Economic and Fiscal Outlook (EFO) was quietly uploaded to a publicly accessible server in advance of publication. While it wasn't actually linked or listed on the OBR website, reporters quickly discovered the file simply by guessing its URL, which was so similar to that of a previous official document that the only real cyber skill required was remembering how months work.

The link, which was accessible 45 minutes before the Chancellor rose in the Commons, spilled the Budget's headline policies before she'd even announced them, marking a monumental cock-up that made the embargo optional.

OBR chair Richard Hughes was quick to apologize, calling the leak "a serious error" and promising swift action. "I felt personally mortified by what happened," he told BBC Radio 4's Today program. "The OBR prides itself on our professionalism. We let people down... and we'll make sure it doesn't happen again."

The budget watchdog has launched an [4]investigation [PDF] into the blunder, to be published by December 1, that will be overseen by the OBR's Oversight Board, and guided by Martin as expert advisor, alongside Treasury IT and security specialists.

Martin, who founded the NCSC before stepping down in 2020, is now a cybersecurity advisor across public and private sectors – though he probably never imagined being summoned for what feels like the IT equivalent of mislabeling a sandwich in the office fridge. Still, the brief is written in seriousness, even if the leak was not. The terms of reference require "establishing the events that made it possible to access the EFO early," and "determining the actions needed... to ensure no future breaches."

Whether Martin can restore faith, or merely inspire more online comedy, remains to be seen – though the comedy section is already live.

As one Reddit user tartly put it: "You've uploaded it early with an easily guessable name," while another said: "Calls in cyber expert? How much are they wasting on paying a cyber expert to tell them not to upload the fucking document until it's ready to be published?"

But even satire has a serious backbone: the terms of reference for the investigation spell out that the review must uncover what made early access possible, assess the publication pipeline that enabled it, and recommend both corrective measures and a timeline for implementation. The irony, of course, is that journalists will probably read the findings before the civil servants do – by simply guessing the URL. ®

[4] https://obr.uk/docs/dlm_uploads/Investigation-into-November-2025-EFO-publication-error.-Terms-of-reference.pdf



I'll wait and see

VoiceOfTruth

>> OBR chair Richard Hughes... promising swift action

He will assure the public he will tut very loudly indeed about this. Lessons must be learned.

Re: I'll wait and see

Lazlo Woodbine

He's offered to resign, which is more than tutting very loudly...

Re: I'll wait and see

djack

Did he?

The wording of the reports I saw on the matter simply said he didn't rule out resigning, which is quite a step from actually offering to.

Re: I'll wait and see

Headley_Grange

This was part of his statement reported in the UK Independent.

“Personally, I serve day-to-day subject to the confidence of the Chancellor and the Treasury Committee. If they both conclude, in light of that investigation, they no longer have confidence in me then, of course, I will resign, which is what you do when you’re the chair of something called the Office for Budget Responsibility.”

Re: I'll wait and see

Like a badger

Seems to me a fuss about not much.

Back in the day when Chancellors treated Parliament with respect, then it would have been a big deal. But this time, every major decision in the budget was "ballooned" well beforehand, and the decision based on people's responses was also leaked.

Valeyard

> Me who wrote the scheduler a few months ago and have just found out very publicly I forgot to account for when the hour goes back

An old memory a good amount of us might share. Not the sexy scoop the papers will be expecting.

steviesteveo

It really does seem that the entire thought process was unlinked documents are inaccessible. It's not even a good time zone snafu story.

chmod 644?

keithpeter

One wonders

Valeyard

classic IDOR

NCSC guy will be wondering how he can stretch this from 5 minutes to at least a second day at his contractor rates.

so far after 4 coffees he's gotten it to 45 minutes and he's getting too jittery to try for a 5th or he'll be dead by lunchtime

Classic!

may_i

Now begins the search for the guilty, punishment of the innocent and awards for non-participants.

Ol'Peculier

Credit to the reporter who spotted the pattern in the budget filenames --->

steviesteveo

This also explains the market reaction- since everyone's HFT web crawlers would just be sitting refreshing the expected filename all morning

Cui bono?

Jellied Eel

> This also explains the market reaction- since everyone's HFT web crawlers would just be sitting refreshing the expected filename all morning

They wouldn't need to do that, just crawl the OBR's website for any new document. The fact that there was a lot of market activity on the early news should probably explain why there's an investigation, ie who uploaded it early and did they financially benefit?

Doctor Syntax

It doesn't really need much investigation: "quietly uploaded to a publicly accessible server in advance of publication". The only other thing to find out is whodunnit.

He sounds serious

Kevin Johnston

You might almost believe he is sorry and intends to find out why this happened and prevent repeats as he never once said 'lessons' or 'learning from this'

Thank goodness they had a made for purpose CRM system

JimmyPage

and not some cheap and nasty FOSS solution that has been tried and tested for decades.

I feel safe and secure knowing how the UK government is so competent in things I am an expert in.

“Remembering how months work”

TimMaher

That can be very difficult to do properly and can get very messy when writing code for international use.

"The OBR prides itself on our professionalism."

Bebu sa Ware

Stock weasel.

We in the [cockup] firm pride ourselves on our [insert admirable quality] (the lack of which we have recently clearly exhibited.)

The quoted phrase is a little peculiar or weaselly.

Might have been more precisely phrased if inaccurately: "We in the OBR pride ourselves on our professionalism."
