> website activity logs show the earliest request on the server for the URL https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl.... This request was unsuccessful, as the document had not been uploaded yet. Between this time and 11:30, a total of 44 unsuccessful requests to this URL were made from seven unique IP addresses.
In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.
The report acknowledges this at 2.11:
> In the course of reviewing last week’s events, it has become clear that the OBR publication process was essentially technically unchanged from EFOs in the recent past. This gives rise to the question as to whether the problem was a pre-existing one that had gone unnoticed.
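The log analysis described in the quote (earliest unsuccessful request for the URL, then the number of failed requests and distinct IPs before the publication time), as an added example rather than anything from the OBR report or the thread. The access-log lines are constructed in combined log format, the path is a placeholder for the truncated EFO URL, and the 11:30 cut-off is the one the quote gives:

```python
"""Detect pre-publication polling of an embargoed URL in web access logs.

Added example, not part of the OBR report or the thread. Log lines are
constructed (Apache/nginx combined format); the path is a placeholder for
the real EFO URL, which is truncated on the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed publication time (the quote says the failed requests ran until 11:30).
PUBLISH_TIME = datetime(2025, 11, 26, 11, 30, tzinfo=timezone.utc)
TARGET = "/docs/dlm_uploads/EFO_placeholder.pdf"   # placeholder path

# Constructed sample: two IPs probe the guessable path before the file exists,
# one unrelated request, then a successful fetch once the file is live.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Nov/2025:08:02:11 +0000] "GET /docs/dlm_uploads/EFO_placeholder.pdf HTTP/1.1" 404 153
203.0.113.5 - - [26/Nov/2025:08:07:12 +0000] "GET /docs/dlm_uploads/EFO_placeholder.pdf HTTP/1.1" 404 153
198.51.100.7 - - [26/Nov/2025:09:15:40 +0000] "GET /docs/dlm_uploads/EFO_placeholder.pdf HTTP/1.1" 404 153
192.0.2.9 - - [26/Nov/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123
198.51.100.7 - - [26/Nov/2025:11:25:03 +0000] "GET /docs/dlm_uploads/EFO_placeholder.pdf HTTP/1.1" 404 153
203.0.113.5 - - [26/Nov/2025:11:29:59 +0000] "GET /docs/dlm_uploads/EFO_placeholder.pdf HTTP/1.1" 404 153
203.0.113.5 - - [26/Nov/2025:11:31:00 +0000] "GET /docs/dlm_uploads/EFO_placeholder.pdf HTTP/1.1" 200 2048576
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def polling_report(log_text, target_path, publish_time):
    """Unsuccessful (>= 400) requests for target_path before publish_time.

    Returns (earliest_probe, total_failed, {ip: failed_count}). A single IP
    hitting the same not-yet-existing path repeatedly is the polling pattern
    the report describes; a 403 counts the same as a 404 here.
    """
    per_ip = defaultdict(int)
    earliest = None
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["path"] != target_path:
            continue
        if rec["ts"] >= publish_time or rec["status"] < 400:
            continue
        per_ip[rec["ip"]] += 1
        if earliest is None or rec["ts"] < earliest:
            earliest = rec["ts"]
    return earliest, sum(per_ip.values()), dict(per_ip)


def demo():
    """Run the report over the constructed sample."""
    return polling_report(SAMPLE_LOG, TARGET, PUBLISH_TIME)


if __name__ == "__main__":
    first, total, by_ip = demo()
    print(f"earliest probe: {first.isoformat()}")
    print(f"{total} unsuccessful requests from {len(by_ip)} unique IPs: {by_ip}")
```

The useful operational point is that this signal exists before the file is ever uploaded: a path that returns 404 to the same handful of clients every few minutes for hours is exactly the thing a publisher with an embargoed document should be alerting on, since it tells you the URL is already guessed.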
The URLs are predictable. Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.
2025-Q1-earnings.pdf - smash it every 5 seconds - rarely worked out, generally a few seconds head start at best. By the time you pull up the pdf and parse the number from it the number was on the wires anyway. Very occasionally you get a better result however.
Given the market significance of the report it's damn obvious that this would happen. They should have assumed that security via obscurity was simply not enough, and the OBR should have been taking active steps to ensure the data was only available at the correct time.
> Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.
It's not even just hedge-funds that do this. This is something individual traders do frequently. This practice is commonplace because a small edge like this with the right strategy is all you need to make serious profits.
They didn't assume nobody would guess the URL.
They did take active steps to ensure the data was only available at the correct time.
But they didn't check that their access control was working, and it wasn't.
> 1.7 Unlike all other IT systems and services, the OBR’s website is locally managed and outside the gov.uk network. This is the result of an exemption granted by the Cabinet Office in 2013. After initially rejecting an exemption request, the Cabinet Office judged that the OBR should be granted an exemption from gov.uk in order to meet the requirements of the Budget Responsibility and National Audit Act. The case for exemption that the OBR made at the time centred on the need for both real and perceived independence from the Treasury in the production and delivery of forecasts and other analysis, in particular in relation to the need to publish information at the right time.
The idea of the site hosting such an important document running independently on WordPress, being maintained by a single external developer and a tiny in-house team would seem really strange to many other countries.
Everyone is so terrified of headlines like "OBR spends £2m upgrading website" that you get stuff like this.
I think most of the tech world heard about the Nobel Peace Prize award so it doesn't seem that suspicious to me that somebody would just poll urls.
Especially since before the peace prize there have been issues with people polling US economic data.
My point is strictly, knowledge that they should poll a url is not evidence of insider activity.
That's the main flaw. WordPress was configured to allow direct access to files, so they did not go through the authentication system. My experience is with Drupal (and a decade or more out of date), but it sounds like this behaves very similarly. And this is a giant footgun: the system doesn't behave the way normal people expect if you allow unauthenticated access to files (if you know the URL). I don't understand why you would configure it this way today.
I would also assume that the upload happened via Wordpress, and not someone manually uploading files via FTP/SFTP or something like that. And in that case it would be entirely non-obvious to users that attaching a file to an unpublished document would put it in a place where it is potentially publicly accessible.
Wordpress does not have this in core—no surprise. I was surprised to find that it’s not even available as a community plugin. I had to pay a developer to write a custom plugin when building a members-only website in Wordpress.
Some folks downplayed the risk of someone finding and directly accessing the file URL if it wasn’t referenced on a public page. It’s crazy to see it created a national government incident in the UK.
I found this one https://wordpress.org/plugins/prevent-direct-access/
To me it really doesn't make any sense to have that kind of giant hole in your permissions system from the start.
This is being treated as an incredibly big deal here: https://www.bbc.co.uk/news/articles/cd74v35p77jo
It's not a technical error at all!
Technical errors are faults caused by technology, like a software or hardware bug. That's not what happened here. WordPress behaved exactly as it was supposed to.
The true cause is revealed later in the article,
> staff thought they had applied safeguards to prevent early publication, there were two errors in the way in which they were set up
The problem was the staff. It's a human error.
Given the importance of keeping this information confidential, they really ought to have a custom system for releasing it, not just configuring a third party Wordpress plugin.
It makes me wonder what exactly is driving this.
I appreciate things take time but so far the government have enormously walked back their planning reform proposals, which was one of their few pro-growth policies, and haven't really made any dent in anything else substantive. It's been pretty clear since even before the election that they didn't really have a plan, and they got fairly light scrutiny through the campaign because the Tories were so appalling. Then since they got in they're just scrambling around looking fairly incompetent and the dearth of talent in the cabinet has been pretty plain to see as well. Largely I want Labour to succeed but they're not making it easy to like them.
I keep recommending r/GoodNewsUK on Reddit. It’s often just a lot of press releases and government announcements, but there seem to be a continual stream of them, and it’s hard to hear about them by any other source.
They have pushed ahead with the Tories' Online Safety Act. Legislation I have looked at or that affects things I know about, such as the Children's Wellbeing and Schools Act, is terrible.
There is a lot of smoke and mirrors. For example, if you assume the justification for the "mansion tax" is that people who own higher value properties should be taxed more, why does someone with a £50m house not pay more than someone with a £5m house? It's designed to hit the moderately wealthy but not the really rich.
A tax on a £5M home is not a tax on the moderately wealthy, it’s a tax on the wealthy.
I realise “it’s the economy, stupid”, but still it feels like outsized outrage.
It does not take a crystal ball to understand that the British media, which are vitriolic on a good day, will have an absolute free-for-all. It's nothing new.
They have done a lot. But they haven't even stopped the runaway train yet. And the fundamental mistake they have made is not explaining to people clearly enough, during the election campaign, that it would take the first three years just to stop it.
Then you have the absolutely shameful, racist, nihilistic, fact-free intervention of five MPs that the media thinks will run the country in future so they are getting ten times the airtime of anyone else.
I really don’t agree. Look at the first year of 1997 Labour:
* Good Friday agreement signed and referendum
* Introduction of Minimum Wage
* Human Rights Act introduced and passed
* Scottish and Welsh devolution set out, Parliament voted on it, referendums passed
* Bank of England independence
A government coming into a mess of a country on a platform of change cannot just fiddle around with minor things, which is what many of the changes they have done, though positive, are. And at the same time, they’ve also wasted so much political capital on some really stupid things that it’s hard to see where they can go from here.
In this case this is an extremely unpopular government to start with that increases taxes across the board while handing out more benefits and claiming that they had no choice because of the state of the public finances, and we learn that they possibly misled the public on that latter point. So, yes, in politics and especially British politics this means a riot against the Chancellor (who was also caught recently having let her house without the required legal licence, btw, after the [now former] Deputy PM was caught dodging taxes on the purchase of a second home...) because everyone "smells blood" but that's the game and it's not completely undeserved, either.
I'm not sure publishing some information 3 hours early was really their biggest failure in 15 years...
Especially when much of the info was already public because hundreds of civil servants involved in making these decisions told their family members who told the press...
the effects are not minimal
if you're crooked: getting this sort of information early is potentially extremely lucrative
(why crooked? because trading on UPSI is illegal)
the regulations specifically go into great detail about official publications and formal circulation
would a reasonable person consider this a leak? then it's UPSI
I am not an expert but I think that even trading on a leak is not unlawful as long as that leaked information was indeed made public (e.g. someone leaks to the media and the media then publish it), although it may have been unlawful to leak the information. The point is that insider trading is not allowed. It is no insider trading if the information is available to everyone.
I have had regulatory training on this exact matter, and it covers unintended leaks explicitly
and there is no way I would trade
> The point is that insider trading is not allowed. It is no insider trading if the information is available to everyone.
no, it isn't the point
the regulator cares that participants are seen to be clean, practicing "fit and proper" behaviour
if a reasonable person would think it was dodgy, they'll have your head (and your certification to practice)
regardless of whether or not it was illegal
Trading on public information is fit and proper (Edit: Indeed, a technical term, but that does not make my statement incorrect, or does it?)
I think you may have skipped the part of leak to whom. If it is a leak to you then it is still not public and indeed insider trading. But if leaked to the public then it is different (and also how do you prevent people from trading on what they see in the media?)
But that's in general as in this case, the OBR admits they released it and, again, anyway once it's on BBC News it's free for all.
by a regulated investment firm? specifically on UPSI?
"fit and proper" is a technical term in the FCA manual
I would not risk my regulator not considering me as such by trading on this information
if you would: provide your reference number, and we can ask them if they agree!
It's a ubiquitous practice to serve file uploads from a place outside of webserver middleware. This happens pretty much any time an upload permalink is on a different domain or subdomain, and it's standard on probably 90% of platforms.
Discord and Twitter file upload urls would be an example off the top of my head.
It would have been prevented if the public url used a random UUID, for example. But that's also not the behavior users necessarily want for most uploads.
I'm not clear from the doc which of these scenarios is what they're calling the "leak"
A bunch of people were scraping commonly used URLs based on previous OBR reports, in order to report as soon as it was live, as is common with all things of this kind
The mistake was that the URL should have been obfuscated, and only changed to the "clear" URL at publish time, but a plugin was bypassing that and aliasing the "clear" URL to the obfuscated one
We don't actually know that, it's just that the report did hit Reuters pretty swiftly.
Not hard to guess really. Wouldn't they know this was likely and simply choose a less obvious file name?
But I still have a few questions. What is WordPress’s default behavior? Does it prevent files uploaded to the media library from having public URLs? Are they only public once they are inserted into a published post? Images make sense because they are embedded, but what about a PDF linked inside a post? My understanding is that media files become publicly accessible as soon as they are uploaded, as long as someone knows or guesses the URL. I mean, the leak could have happened even without the plugin?
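The scheme a reply above describes (upload kept at an obfuscated path until publish time, clear URL only wired up at publication) together with the check the thread says was never run, as an added example in Python that is not WordPress, plugin or OBR code. All paths, tokens and times are constructed; the `AliasingStore` class is a model of the misconfiguration, not the actual plugin behaviour:

```python
"""Embargoed file serving, plus a self-check that the embargo actually holds.

Added example, not WordPress or OBR code. An upload lives at an unguessable
staging path until its publish time; the predictable "clear" path resolves
only after that. A second store models the misconfiguration the thread
describes (clear path wired straight to the file) so the check can catch it.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Upload:
    clear_path: str              # predictable public URL, e.g. /docs/EFO_placeholder.pdf
    publish_at: datetime         # embargo lifts at this instant (UTC)
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

    @property
    def staging_path(self):
        # 256-bit random token: not guessable from previous years' filenames
        return f"/staging/{self.token}/{self.clear_path.rsplit('/', 1)[-1]}"


class EmbargoedStore:
    def __init__(self):
        self._by_clear = {}
        self._by_token = {}

    def add(self, upload):
        self._by_clear[upload.clear_path] = upload
        self._by_token[upload.token] = upload

    def resolve(self, path, now, *, authenticated=False):
        """Return the Upload that `path` may serve at `now`, or None (a 404).

        Clear path: only once the embargo has lifted, for anyone.
        Staging path: only for authenticated editors, never as a public alias.
        """
        up = self._by_clear.get(path)
        if up is not None:
            return up if now >= up.publish_at else None
        parts = path.split("/")          # ["", "staging", token, filename]
        if len(parts) == 4 and parts[1] == "staging":
            up = self._by_token.get(parts[2])
            if up is not None and authenticated and path == up.staging_path:
                return up
        return None


class AliasingStore(EmbargoedStore):
    """Model of the misconfiguration: the clear URL serves the file regardless
    of the embargo, so anyone who guesses the filename gets it early."""

    def resolve(self, path, now, *, authenticated=False):
        up = self._by_clear.get(path)
        if up is not None:
            return up
        return super().resolve(path, now, authenticated=authenticated)


def verify_embargo(store, upload, now):
    """Pre-publication probe a publisher should run before trusting the config:
    True only if an unauthenticated request for the clear path gets nothing."""
    if now >= upload.publish_at:
        raise ValueError("probe must run before publish time")
    return store.resolve(upload.clear_path, now) is None


def demo():
    publish = datetime(2025, 11, 26, 12, 30, tzinfo=timezone.utc)   # assumed
    before = datetime(2025, 11, 26, 11, 30, tzinfo=timezone.utc)
    after = datetime(2025, 11, 26, 12, 31, tzinfo=timezone.utc)

    good, bad = EmbargoedStore(), AliasingStore()
    efo = Upload("/docs/EFO_placeholder.pdf", publish)
    good.add(efo)
    bad.add(efo)
    return {
        "holds_before": verify_embargo(good, efo, before),
        "clear_before": good.resolve(efo.clear_path, before),
        "staging_anon_before": good.resolve(efo.staging_path, before),
        "staging_editor_before": good.resolve(efo.staging_path, before, authenticated=True) is efo,
        "clear_after": good.resolve(efo.clear_path, after) is efo,
        "aliasing_holds_before": verify_embargo(bad, efo, before),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of `verify_embargo` is that it tests the property the publisher actually cares about (an anonymous GET of the guessable URL before the embargo returns nothing) rather than the configuration that is supposed to produce it; against the aliasing store it fails, which is the outcome the thread says nobody checked for.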
An honest-to-goodness proper fucking omnishambles.
11:52 - senior OBR and Treasury officials telephoned each other to discuss the breach. These Treasury officials made OBR staff aware of the URL leading to the PDF of the EFO that was accessible.
11:53 - OBR staff and the web developer attempted to pull the PDF from the website, and also to pull the entire website (e.g. via password protection), but struggled to do so initially due to the website being overloaded with traffic.
11:58 - an email was received to the OBR press inbox from a Reuters journalist confirming that Reuters had published details of the EFO and asking for comment.
12:07 - the EFO PDF was renamed by the web developer.
12:07 - the EFO PDF appeared on the Internet Archive. This means it was, at that precise time, visible entirely generally on the open internet via search engines. It is assumed that this happened very briefly in the rush to remove it.
The problem was essentially that, through a misconfiguration, they published it early.
Using WordPress plugins (with the exception of a limited sub-set) is like chewing gum you find on the sidewalk.
A technical oversight fail at multiple levels.
My guess is that the team responsible for this didn’t anticipate or at worst were not informed of its value to particular groups of people, at least not to a degree that would’ve warranted extra security measures.
Vs. if you just let Will and Pete do it in WordPress (or on Facebook, or such) then needed tasks might actually be accomplished.
I find this an implausibly low number. It was all over Bluesky, X etc., not to mention journo Signal and WhatsApp groups.
Note that GES works a bit differently to traditional Cloudflare implementations: HTML requests are basically passed through to the WP Engine NGINX reverse proxy server that's in front of the WordPress site (as opposed to being heavily cached with Cloudflare). Static assets, like a PDF, would indeed be cached with GES.
Edit: Or (and more likely) cached/copies of the original.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject"
          ],
          "Resource": "arn:aws:s3:::obr-leaky-bucket/myfirst.pdf",
          "Condition": {
            "DateGreaterThan": {
              "aws:CurrentTime": "2025-11-26T12:30:00Z"
            }
          }
        }
      ]
    }

WordPress is a nice piece of software, but the plugin situation is getting worse and worse. (Too many pending updates, premium features and constant upselling, selling of plugins to new sketchy owners...)
The plugin situation is a mess largely because Wordpress isn't a nice piece of software.
It's popular, and functionally it's great, but the codebase is really showing its age. Wordpress has never properly rearchitected because it would break plugins on a scale that would endanger its dominance.
It's not age, it started very, very bad. If they'd fixed the horrible schema and the code a decade and a half ago, plugins would have been a lot easier to write (and a lot safer.)
Even if that is the case, the backend must validate.
Or is the significance of this news based on the advantages that players on the market who caught hold of it early will have? Is it only important to civilians relative to their ability to question who may be benefitting from the 40 minute head start that these players might have gained or (for the conspiracy-minded) been handed through nefarious means?
[1]: Which would lead me to ask why would it belong on a platform typically intended for publishing things in public.
At the same time, almost every piece of legislation in recent years has been relentlessly leaked and taken apart way before the official announcement in parliament, so this is a wee bit ridiculous.
The contents of market sensitive information critical to the finances of the entire country is stored on a damn vulnerable Wordpress server.
It's not even accidental access or a premature push of the button to release the document, but the site was regularly breached over and over and over again likely for insider trading ahead of the budget.
Might as well store the UK nuclear key codes on a large bright yellow Post-It note in Piccadilly Circus.
What a complete joke on the lack of basic security.