The Office for Budget Responsibility (OBR) was the target of almost a quarter of a million cyberattacks last year, a dramatic rise that came just weeks after the financial regulator accidentally published the chancellor’s budget online.
Freedom of information data obtained from think tank Parliament Street shows the OBR was subject to 238,678 hostile incidents in the last 12 months, including spam, malware and phishing attempts. This represents a 162% increase over last year’s 90,958 attacks. Officials say all attacks were successfully blocked.
The revelations add to growing attention on the organization following the resignation of chairman Richard Hughes, who resigned after the OBR’s flagship Economic and Financial Outlook (EFO) appeared online about 40 minutes before Rachel Reeves presented her budget.
A formal investigation led by Ciaran Martin, the former head of the National Cyber Security Centre, concluded that the leak was due to human error rather than a hostile cyber breach.
Martin’s report identified a “misunderstanding” of a WordPress plugin – Download Monitor – coupled with an error in configuring the OBR server to block direct file access. The oversight allowed external users, including journalists, to find and download the document simply by changing a URL.
The report noted that configuring WordPress “can be cumbersome” and that mistakes of this kind are “easily made,” but the consequences in this case were profound, triggering political chaos and shaking financial markets.
Cybersecurity experts say the scale of attempted attacks on the OBR underscores the vulnerability of public bodies and the need for much stricter digital controls.
Graeme Stewart, head of public sector at Check Point, said: “These figures highlight the growing number of increasingly sophisticated cyberattacks targeting government organisations.
The accidental release of market-sensitive documents should serve as a wake-up call to the risks associated with sloppy website management and weak security protocols.”
He added that outages of this nature “increase the strain on already overburdened systems” and that stronger processes and defenses need to be put in place “immediately.”
Kenny MacAulay, CEO of accounting software platform Acting Office, warned that the risks extend far beyond a single department: “Data leaks can cause major problems for public bodies. Secure, well-managed publishing systems are essential.”
The consequences could be catastrophic – not just for the ministry concerned, but for the entire UK economy.”
The regulator, whose forecasts underpin every budget, is now trying to boost security and restore confidence after one of the most devastating incidents in its 14-year history. With nearly a quarter of a million cyber attempts recorded in a single year – and public scrutiny tighter than ever – the OBR faces intense pressure to demonstrate that its systems, processes and governance are fit for purpose before the next financial event.
