OBR Leak: What Really Happened?

by David Dwyer on 03/12/2025

You likely saw all the drama on budget day here in the UK last week on 26th November, when the Office for Budget Responsibility (OBR) published its forecasts an hour before the Chancellor’s budget statement in the House of Commons.

This forecast document is absolutely never, under any circumstances, meant to be published beforehand, as it gives advance notice of all the key points the Chancellor is about to announce.
 

So, what happened?

Was it a “leak”? No. It was not maliciously leaked by a member of the OBR team on purpose.

Was it a “hack”? No. It was stated that no one tried to hack into the OBR’s website or systems, and no one got the document by breaching security.

Then what really happened? It was a combination of a good old-fashioned manual error and sloppiness from a web developer or web content writer, plus some smart journalists.

What seemed to happen is that the OBR team created a draft version of the web page that was ready to be published at its scheduled time. Everything is still good in this part, since the draft page could only be viewed by people with password-protected access to their Content Management System (CMS).
 

But the next thing they did is where the trouble happened.

They added a PDF file that contained all the juicy forecast information to the main media library of the website. What does this mean? Uploading files there does NOT add them in draft status, and they can technically be found publicly if someone knows where to look!

Now, normally adding a file with a unique name in this way is still considered to be fairly low risk, even if inadvisable, because the only way someone could get to it is if they knew the full folder and filename path.

However, the said web developer made their second mistake by using the same file name template as their previous six-monthly forecast statement! Because of this, some savvy journalists were able to easily guess the new filename and access it early. It’s that simple.
 

Let’s take a look at their files below:

You can see that the March 2025 forecast filename was: 
https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outlook_March_2025.pdf

And all they changed for last week was the month part of the filename to November: 
https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outlook_November_2025.pdf 
 

In conclusion...

This incident only happened because of manual error and sloppy practices from the OBR’s web team, not anything malicious or any kind of deliberate leak or conspiracy.

If only they had added a random number on the end of the filename, then it likely wouldn’t have been found because it would have been unguessable. There are also other ways to protect files from being viewed before they are fully published, which they should have been keen to implement.
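An upload-time check for the mistake described above, as an added example that is not part of the original article or the OBR's own code: it flags a new file whose name differs from an already public file only by its date, and appends a cryptographically random token in place of the "random number" suggested. The function names and the sample list are assumptions; the two OBR filenames are the ones quoted in the article.

```python
import re
import secrets
from pathlib import PurePosixPath

MONTHS = ("january|february|march|april|may|june|july|august|"
          "september|october|november|december")
# Tokens that change from one release to the next: month names, years, quarters.
# Lookarounds are used instead of \b because "_" counts as a word character.
DATE_TOKEN = re.compile(
    rf"(?<![a-z0-9])(?:{MONTHS}|(?:19|20)\d{{2}}|q[1-4])(?![a-z0-9])", re.I)


def template(filename: str) -> str:
    """Collapse date tokens so names that differ only by date compare equal."""
    return DATE_TOKEN.sub("{date}", PurePosixPath(filename).name.lower())


def is_guessable(new_name: str, published: list[str]) -> bool:
    """True if new_name reuses the dated template of an already public file."""
    new_tpl = template(new_name)
    return "{date}" in new_tpl and new_tpl in {template(p) for p in published}


def unguessable_name(filename: str, nbytes: int = 16) -> str:
    """Append a CSPRNG token (128 bits by default) before the extension."""
    p = PurePosixPath(filename)
    return f"{p.stem}_{secrets.token_hex(nbytes)}{p.suffix}"


def check_upload(new_name: str, published: list[str]) -> str:
    """Return the name to store the file under before its release time."""
    return unguessable_name(new_name) if is_guessable(new_name, published) else new_name


# Constructed sample of files that are already public in the media library.
PUBLISHED = [
    "OBR_Economic_and_fiscal_outlook_March_2025.pdf",  # filename from the article
    "press_notice_october_2024.pdf",                   # constructed
    "logo.png",                                        # constructed
]

if __name__ == "__main__":
    upload = "OBR_Economic_and_fiscal_outlook_November_2025.pdf"  # from the article
    print("guessable:", is_guessable(upload, PUBLISHED))
    print("store as: ", check_upload(upload, PUBLISHED))
```

A random name only keeps the file hidden while nothing links to it and the upload folder is not listable, so it complements keeping the file out of the public media library until the release time rather than replacing that step.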
 

How can you prevent something like this from happening?

The OBR uses WordPress for their website, but this kind of issue could happen on other CMS systems too. While we often point out issues with WordPress, and there are many, this particular issue wasn’t an inherent problem with that system.

What’s important to note is that this kind of issue could happen for commercial businesses too. Maybe you’re using WordPress and put documents in your media library there, thinking they are secure and hidden from the public since you didn’t actually link them directly to a web page.

However, that’s not the case, as OBR Chairman Richard Hughes can now testify, having had to resign over a simple mistake that they didn’t expect to bring such huge consequences.

At Inspire, we can give your website a once-over to check for any security weaknesses or help you out with any other aspect of your digital presence. Just get in touch on sales@inspire.scot or call 01738 700 006 to book an appointment!
