Article Details
Scrape Timestamp (UTC): 2025-11-28 12:07:16.085
Source: https://www.theregister.com/2025/11/28/obr_ciaran_martin/
Original Article Text
OBR drags in cyber bigwig after Budget leak blunder

Ex-NCSC chief Ciaran Martin asked to examine how forecast ended up online ahead of schedule

The Office for Budget Responsibility (OBR) has drafted in former National Cyber Security Centre (NCSC) chief Ciaran Martin to sniff out how its Budget day forecast wandered onto the open internet before the Chancellor had even reached the dispatch box.

Earlier this week, the OBR's November 2025 Economic and Fiscal Outlook (EFO) was quietly uploaded to a publicly accessible server in advance of publication. While it wasn't actually linked or listed on the OBR website, reporters quickly discovered the file simply by guessing its URL, which was so similar to that of a previous official document that the only real cyber skill required was remembering how months work.

The link, which was accessible 45 minutes before the Chancellor rose in the Commons, spilled the Budget's headline policies before she'd even announced them, marking a monumental cock-up that made the embargo optional.

OBR chair Richard Hughes was quick to apologize, calling the leak "a serious error" and promising swift action. "I felt personally mortified by what happened," he told BBC Radio 4's Today program. "The OBR prides itself on our professionalism. We let people down... and we'll make sure it doesn't happen again."

The budget watchdog has launched an investigation [PDF] into the blunder, to be published by December 1, that will be overseen by the OBR's Oversight Board, and guided by Martin as expert advisor, alongside Treasury IT and security specialists.

Martin, who founded the NCSC before stepping down in 2020, is now a cybersecurity advisor across public and private sectors – though he probably never imagined being summoned for what feels like the IT equivalent of mislabeling a sandwich in the office fridge.

Still, the brief is written in seriousness, even if the leak was not. The terms of reference require "establishing the events that made it possible to access the EFO early," and "determining the actions needed... to ensure no future breaches."

Whether Martin can restore faith, or merely inspire more online comedy, remains to be seen – though the comedy section is already live. As one Reddit user tartly put it: "You've uploaded it early with an easily guessable name," while another said: "Calls in cyber expert? How much are they wasting on paying a cyber expert to tell them not to upload the fucking document until it's ready to be published?"

But even satire has a serious backbone: the terms of reference for the investigation spell out that the review must uncover what made early access possible, assess the publication pipeline that enabled it, and recommend both corrective measures and a timeline for implementation.

The irony, of course, is that journalists will probably read the findings before the civil servants do – by simply guessing the URL.
Daily Brief Summary
The Office for Budget Responsibility (OBR) inadvertently uploaded its Economic and Fiscal Outlook online before the official announcement, leading to an unintended early disclosure of budget details.
Reporters accessed the document by guessing its URL, which closely resembled previous official document links, exposing significant procedural oversight.
OBR Chair Richard Hughes expressed regret over the incident, labeling it a "serious error" and committing to prevent future occurrences.
Former NCSC chief Ciaran Martin has been appointed to lead an investigation, supported by Treasury IT and security experts, to identify the breach's root cause.
The investigation aims to establish how the early access occurred, evaluate the publication process, and propose corrective actions to safeguard future releases.
The findings of the investigation are set for publication by December 1, with recommendations expected to enhance OBR's document management protocols.
This incident underscores the importance of robust digital security practices, even in seemingly low-risk environments, to prevent unauthorized access and information leaks.