Full Report
Ex-NCSC chief Ciaran Martin asked to examine how forecast ended up online ahead of schedule

The Office for Budget Responsibility (OBR) has drafted in former National Cyber Security Centre (NCSC) chief Ciaran Martin to sniff out how its Budget day forecast wandered onto the open internet before the Chancellor had even reached the dispatch box.…
Analysis Summary
# Incident Report: OBR Pre-Publication Budget Forecast Leak
## Executive Summary
The Office for Budget Responsibility (OBR) accidentally made its November 2025 Economic and Fiscal Outlook (EFO) available on a publicly accessible server prior to the Chancellor's official announcement. The incident was not the result of a targeted cyber attack but rather a serious procedural error that allowed reporters to discover the document by guessing a predictable URL pattern. The OBR initiated an immediate internal investigation, guided by former NCSC chief Ciaran Martin, to establish the sequence of events and prevent recurrence.
## Incident Details
- Discovery Date: Shortly before the Chancellor's Budget speech (Exact time not specified, but accessible 45 minutes prior to announcement)
- Incident Date: Prior to the Chancellor's speech on Friday, November 28, 2025 (UTC time noted)
- Affected Organization: Office for Budget Responsibility (OBR)
- Sector: Government / Public Finance Forecasting
- Geography: United Kingdom (Implied, related to UK Budget process)
## Timeline of Events
### Initial Access
- Date/Time: Prior to the Chancellor delivering the Budget speech (Accessible 45 minutes early)
- Vector: Predictable File Path/URL Guessing (Procedural Error, *not* a classic external cyber intrusion)
- Details: The EFO document was quietly uploaded to a publicly accessible server using a URL structure highly similar to previous official documents, making discovery trivial for those familiar with the pattern.
### Lateral Movement
- Not Applicable. The incident appears to be a direct upload error to an accessible location rather than a system intrusion.
### Data Exfiltration/Impact
- Impact: Headline policies of the Budget were effectively leaked to reporters before the official announcement, making the formal embargo optional and compromising procedural integrity ("monumental cock-up").
### Detection & Response
- Detection: Reporters quickly discovered the file by guessing the URL.
- Response actions taken: OBR Chair Richard Hughes apologized; an investigation was immediately launched, overseen by the OBR's Oversight Board and guided by Ciaran Martin (former NCSC chief) and Treasury IT/security specialists.
## Attack Methodology
- Initial Access: **Configuration Error / Procedural Oversight** (Uploading a confidential document to a publicly accessible endpoint with predictable naming conventions.)
- Persistence: Not Applicable.
- Privilege Escalation: Not Applicable.
- Defense Evasion: Not Applicable (No active defense evasion was necessary as the file was publicly reachable).
- Credential Access: Not Applicable.
- Discovery: **Open Source Intelligence / Pattern Recognition** (Reporters remembered the naming convention from previous years).
- Lateral Movement: Not Applicable.
- Collection: Not Applicable.
- Exfiltration: Simple file download via direct URL access.
- Impact: Reputational damage and premature disclosure of sensitive government fiscal policy.
## Impact Assessment
- Financial: Not specified, but implied costs related to remediation and external investigation.
- Data Breach: Pre-publication economic forecasts (no mention of system compromise or personal data theft).
- Operational: Disruption to the planned sequence of the Budget announcement.
- Reputational: Significant damage to the OBR's perceived professionalism, leading to public satire and scrutiny.
## Indicators of Compromise
- No traditional technical IOCs were provided as the root cause was procedural. Indicators are observational:
  - Behavioral indicators: File appearing on a public server minutes/hours before scheduled release time.
  - Network indicators: Direct HTTP requests accessing the document file path: `[Defanged URL]/[YYYY/MM/EFO_Filename.pdf]`
## Response Actions
- Containment measures: The investigation terms of reference were publicly released, indicating an effort to contain the fallout through transparency.
- Eradication steps: Terms of reference mandate "determining the actions needed... to ensure no future breaches."
- Recovery actions: Launching a formal investigation led by an external cyber expert (Martin) to restore confidence and correct the publication pipeline.
## Lessons Learned
- Key takeaways: Public bodies must rigorously scrutinize file hosting and naming conventions for pre-release documents, regardless of whether the main OBR website links to them.
- What could have been done better: Implementing a multi-stage digital release pipeline with mandatory security checks, or holding the document in an access-controlled repository until the moment of official release, rather than relying on an unlinked but predictable URL going unnoticed.
## Recommendations
- Prevention measures for similar incidents: Mandate technical checklists for the publication pipeline ensuring that documents are only moved to publicly queryable servers *after* the scheduled release time has passed, or are protected by time-locked access controls until then.
- Establish clear access control policies for all staging environments used for sensitive document preparation.
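
The time-locked access control recommended above and the observational indicators listed under "Indicators of Compromise" can be expressed as one embargo manifest used for both the serve decision and a log audit. The sketch below is an added example, not code from the report or from the OBR; the path, release time, function names and log lines are constructed assumptions.

```python
import posixpath
import re
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

def normalise(target):
    """Strip the query string, percent-decode, collapse ../ and lower-case."""
    return posixpath.normpath(unquote(urlsplit(target).path)).lower()

# Hypothetical embargo manifest: path -> release time (UTC). Constructed values.
RELEASE = datetime(2030, 1, 15, 12, 30, tzinfo=timezone.utc)
EMBARGO = {normalise("/2030/01/EFO_Filename.pdf"): RELEASE}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def may_serve(target, now):
    """Time-lock: an embargoed path is refused until its release time."""
    release = EMBARGO.get(normalise(target))
    return release is None or now >= release

def premature_hits(lines):
    """Return (ip, kind, seconds_early) for requests made before release.

    kind is "served" when content was delivered (2xx or 304) and "probe"
    otherwise, e.g. a 404 from someone guessing the URL before upload.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        release = EMBARGO.get(normalise(m["target"]))
        if release is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < release:
            delivered = m["status"][0] == "2" or m["status"] == "304"
            early = int((release - ts).total_seconds())
            hits.append((m["ip"], "served" if delivered else "probe", early))
    return hits

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.4 - - [15/Jan/2030:11:40:10 +0000] "GET /2030/01/EFO_Filename.pdf HTTP/1.1" 404 153',
    '198.51.100.4 - - [15/Jan/2030:11:45:02 +0000] "GET /2030/01/EFO%5FFilename.pdf?ref=x HTTP/1.1" 200 1048576',
    '203.0.113.9 - - [15/Jan/2030:12:31:00 +0000] "GET /2030/01/EFO_Filename.pdf HTTP/1.1" 200 1048576',
    '203.0.113.9 - - [15/Jan/2030:11:50:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in premature_hits(SAMPLE_LOG):
        print(hit)
```

A "probe" entry before upload shows that the path is already being guessed, which is a useful signal to check the staging location before the file ever lands there.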