I'll wait and see
>> OBR chair Richard Hughes... promising swift action
He will assure the public he will tut very loudly indeed about this. Lessons must be learned.
The Office for Budget Responsibility (OBR) has drafted in former National Cyber Security Centre (NCSC) chief Ciaran Martin to sniff out how its Budget day forecast wandered onto the open internet before the Chancellor had even reached the dispatch box. Earlier this week, the OBR's November 2025 Economic and Fiscal Outlook (EFO …
This was part of his statement reported in the UK Independent.
“Personally, I serve day-to-day subject to the confidence of the Chancellor and the Treasury Committee. If they both conclude, in light of that investigation, they no longer have confidence in me then, of course, I will resign, which is what you do when you’re the chair of something called the Office for Budget Responsibility.”
Seems to me a fuss about not much.
Back in the day when Chancellors treated Parliament with respect, then it would have been a big deal. But this time, every major decision in the budget was "ballooned" well beforehand, and the decision based on people's responses was also leaked.
First thing is he needs to be sacked.
All too often now completely preventable cock-ups like this occur and the response is an apology with no sanctions on anyone at the top. We don't know about further down the chain; it is also unlikely.
If the result of this stupidity were those responsible being sacked, it would provide a substantial incentive to take more care.
I wonder if I'll ever understand this mentality of sacking the top dog when somebody numerous layers beneath them cocks something up.
Firstly, unless there is evidence to suggest they are directly involved in the cock up, then you're sacking the wrong person.
Secondly, all too often senior people get the luxury of just fucking off after something like this. Surely the much harder path is to make them stay in post and deal with the aftermath.
(And don't call me Shirley)
"I wonder if I'll ever understand this mentality of sacking the top dog when somebody numerous layers beneath them cocks something up."
I don't suppose you ever will to be fair. Far too many people nowadays don't grasp it either, and it is an attitude that has been increasingly widespread for several decades.
It is ultimately about taking responsibility, and the buck always stops with the person at the top. It is part of the job of the head honcho that you are in control of the whole organisation, and any failure reflects on them directly. It is for them to know what is being done and make sure the people beneath them are doing their job properly.
Where someone has presided over the use of procedures and processes that are unsuitable or inadequate, and presided over the continued employment of staff who are responsible for designing and implementing these sub-standard practices, it is unlikely that the person who oversaw all this is going to be much use in sorting out the aftermath. Much better, to avoid the risk of them making further failures in control in the future, for them to go.
Years ago, most top management understood their responsibilities, and would tender their resignation almost immediately as a matter of personal honour. It was then for the board to decide whether to accept it or not. Nowadays there seems to be far too much of the "it's not my fault" attitude from top management who aren't really capable of carrying out the job they have been charged with.
The bottom line is that this release of the budget details prior to the Chancellor making the announcement absolutely <should not> happen, and there is no acceptable excuse for it, just as there is no acceptable excuse for Government Ministers and their departments releasing details early either.
This also explains the market reaction, since everyone's HFT web crawlers would just be sitting refreshing the expected filename all morning.
They wouldn't need to do that, just crawl the OBR's website for any new document. The fact that there was a lot of market activity on the early news should probably explain why there's an investigation, ie who uploaded it early and did they financially benefit?
> The only other thing to find out is whodunnit.
I can tell you with 99% confidence: the OBR's web team.
And I have a degree of sympathy for them because publishing on the web used to be simple. But now I bet there's a complicated content management system to navigate - so much so that a file can't simply be uploaded as soon as the Chancellor sits down. Instead the process takes hours so they have to upload in advance and delay linking to it until the last possible moment.
Sooner or later a cock-up like this will occur.
(Even the pattern in the filename that journalists were able to guess is a symptom of the inflexibility of the upload process.)
I did a DDG on "content management system" FAQ
First web hit said, "A Content Management System is a web application, usually run on a web server, to help create and maintain a website. It allows developers to design and build a professional website using their web development skills, but also provides tools to help the layman maintain content without needing those skills."
Further down, regarding their specific CMS, it said,
"CMS Made Simple separates layout code from content code, so that editors can manage content without having to know much about how websites work whilst designer/developers can easily edit layouts and apply them on numerous pages."
That all promotes the assumption that "professional website" == "dancing-monkey-featured, code-laden website".
The true purpose of a government website is to convey information as clearly as possible. A false (subverted) purpose of a government website is to provide a vehicle of expression for aesthete-snob meddlers and micromanagers.
So. Dump the code and the dancing monkeys. Having dumped the code, dump the CMS as not needed. This reduces the attack surfaces, and reduces complexity for the content-creators.
Create templates for the content creators. They get black text on a white background. They get a serifed proportional-spaced font (Times Roman or similar), a sans-serif proportional-spaced font (Arial or similar), a serifed fixed-pitch font (Courier 10 or similar), and a sans-serif fixed-pitch font (Monospace or similar).
Keep It Simple, Stupid.
Hire a skilled admin who has the ability to create sensible names, and assign sensible permissions -- so that your company or organisation's logo isn't replaced with a photo of Vladimir Putin, Donald Trump, or 'Hello Kitty' by some joyriding teenaged 'leet hax0r -- and you're done.
Have a page you want to pre-position, but not publish yet? Have the www folder owned by root, group-accessible by user www, permission the pre-position page folder via chmod 700, copy the files in as (sudo'd) root, permission the files via chmod 640, and you're done. Publish by chmod-ing the folder 750.
The copying and permission changes should be done by the admin, not by the content creators. Alter the permission names as needed for MS-Windows web servers.
But that is not "the way things are done", it will not be the way things are done, and problems like the one described in the article will continue to occur.
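An added example (not code from the comment above) of the pre-position-then-publish scheme just described: the staging directory sits at mode 700 while embargoed, files go in at 640, and publishing is a single chmod to 750. It assumes it runs as the admin who owns the web root; the chown to root:www from the comment is left out so it works unprivileged, and the web server's group membership is out of scope.

```shell
# stage_page WWWROOT NAME FILE... : create WWWROOT/NAME closed to group and
# others (mode 700) and copy the files in with mode 640.
stage_page() {
    wwwroot=$1
    name=$2
    shift 2
    target="$wwwroot/$name"
    mkdir -p "$target"
    chmod 700 "$target"            # only the owner can traverse or list it
    for f in "$@"; do
        cp "$f" "$target/"
        chmod 640 "$target/$(basename "$f")"   # owner rw, group (web server) r
    done
}

# publish_page WWWROOT NAME : let the www group traverse the directory (750),
# which is the moment the files become servable.
publish_page() {
    chmod 750 "$1/$2"
}

# mode_of PATH : symbolic mode string, e.g. drwx------ (read via ls so it is
# portable across GNU and BSD stat variants).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# is_embargoed WWWROOT NAME : succeed only while the directory is still 700,
# i.e. nothing in it can be served yet. Handy as a pre-speech sanity check.
is_embargoed() {
    [ "$(mode_of "$1/$2")" = "drwx------" ]
}
```

Run `is_embargoed` against every pre-positioned folder before the embargo lifts; anything that fails the check has already been published, whether intended or not.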
Sounds a bit like an internal page on a big-name service desk we use for requesting TLS certificates, which not only requires you to fill in all the same details as are embedded in the CSR file, but the tool cannot accept uploads with a .csr extension, so they have to be renamed .txt.
Got to love government systems!
According to the Guardian report:
Reuters, the agency that first published excerpts of the outlook on its news wire, revealed on Thursday how it had obtained the document.
It said: “The document, which is usually published after the finance minister’s speech has ended, was uploaded to the OBR website and available to download on an unprotected link.
“The link was not advertised on the website but the OBR has used the same web address, or URL, for previous budget documents, changing only the date. A Reuters reporter, in preparation for covering the budget, went to the publicly available URL shortly after 1130 GMT on Wednesday.”
Which probably explains why no one is actually saying what the URL was, because it is well known to journalists who expect to be able to use a variant of it next year…
Stock weasel.
We in the [cockup] firm pride ourselves on our [insert admirable quality] (the lack of which we have recently clearly exhibited.)
The quoted phrase is a little peculiar or weaselly.
Might have been more precisely phrased if inaccurately: "We in the OBR pride ourselves on our professionalism."
We all 'know' on the basis of the reported problem that the 'expert' is not needed and is a waste of money.
Somebody moved a file too early and with the 'wrong' permissions so it could be accessed.
Someone named the file by changing the last name used months before.
Pretty much a cut ... paste ... edit link ... test it works ... forget to change permissions to prevent access until the correct time.
The use of the 'expert' is the usual 'Security Theatre', looks good but is pointless.
Sacking the 'top man' is also 'theatre' as the people who are doing the work are the same, the attitudes to security are the same and it will happen again in some other organisation or more likely some part of the civil service as the level of control is the same.
This is not a trivial mistake, it is serious as it shows a lack of concern about following the rules to the letter.
This is something that has been showing for the last few decades as successive govts have had many leaks etc with virtually no comeback on the people involved.
The govt in the UK is founded on old and arcane rules & processes that mean something and allow the process of government to work here.
If we allow things to get more and more lax we are damaging our governance in relation to government.
Government becomes playacting or pretending to govern as of old while shortcuts and workarounds are actually being done.
Sometimes doing things the old & proper way has a purpose.
:)
I don't suppose we'll ever find out whether the OBR's operations are outsourced, and if so:
- which useless massive services company was responsible for the cock-up
- which poor overworked and underpaid ops person in a third-world country will be fired for following the instructions on a work order (which was issued in error by another overworked and underpaid person)
- which senior OBR manager won't be fired for appointing the lowest bidder in the first place