As the OBR investigates how the Autumn Budget was published early, attention is turning from cyberattacks to something far more mundane: poor file management and predictable URLs.
The UK government’s spending watchdog has until Monday to explain how details of the Autumn Budget were published almost an hour before the chancellor addressed Parliament – but early indications suggest the cause may be as simple as poor file handling and predictable naming conventions.
The Office for Budget Responsibility (OBR) said on Thursday that a link to its key budget document became publicly accessible ahead of the chancellor’s speech.
Chair Richard Hughes apologized, calling it a “technical error.”
As reported by Cybernews, the OBR has brought in former National Cyber Security Centre chief Ciaran Martin to help investigate what went wrong.
His involvement initially prompted speculation of external interference. But whispers in Whitehall suggest the opposite: an internal publishing slip that made the file easy to find.
What we know so far
Hughes told journalists: “It wasn't published on our website but there was a link that somebody managed to find… As soon as it was discovered we took action to take it down.”
Whitehall sources indicate that the file was uploaded to a folder previously used for other budget releases, following a predictable and standardized naming pattern. That made it easy to guess the URL – or even automate attempts to find it.
A source told The Daily Mail that the PDF could be accessed simply by replacing the word “March” with “November” in the web address of an earlier forecast.
Rob Anderson, head of reactive consulting at Reliance Cyber, told Cybernews that this type of weak naming plays directly into the hands of attackers.
“Threat actors use a technique called fuzzing – usually automated – to discover hidden files, folders or configurations,” he said.
Independent cybersecurity advisor Ian Kayne says the OBR appears to have underestimated how easily information assets can be located.
“This type of risk has been documented for years. It’s often called ‘Google dorking’ – using advanced search operators like site: or filetype: to uncover files that were never meant to be public,” he said.
The real issue, Kayne adds, is that “a critically important information asset wasn’t managed, controlled or stored appropriately.”
Taking a PDF from draft to live – safely
According to Anderson, the failure may stem from weak content-management processes.
“CMSs can be timed to release documents, moving items from staging areas into live environments,” he said.
“Staging areas allow checks for security and correct operation. If automated systems are disproportionate, then clear manual policies should apply – embargoed documents uploaded only at the correct time, randomized long filenames, and web application firewalls to prevent fuzzing or exploitation.”
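The two controls the sources describe above (a naming scheme that can be derived from an earlier release by swapping a month, and a staged, embargoed release under a long randomized filename) can be expressed as a small publishing gate. The following Python is an added example written for this article; it is not OBR, CMS or Reliance Cyber code, and the folder path, document names, embargo times and content bytes in it are constructed. The gate refuses to move a document from staging to live before its embargo time, flags staged names that differ from something already public only by a date token, and publishes under a random URL-safe name rather than the staging name.

```python
"""Embargo-aware publishing gate (added example; not OBR or CMS code)."""
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import PurePosixPath

# Month names and abbreviations, bounded by non-letters so "market" is untouched.
MONTH_RE = re.compile(
    r"(?<![a-z])(jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|jun(?:e)?|"
    r"jul(?:y)?|aug(?:ust)?|sep(?:tember)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)"
    r"(?![a-z])",
    re.IGNORECASE,
)


def name_pattern(name: str) -> str:
    """Collapse month names and digit runs so names that differ only by a date
    token (March vs November, 2024 vs 2025) map to the same pattern."""
    stem = PurePosixPath(name).name.lower()
    stem = MONTH_RE.sub("<month>", stem)
    return re.sub(r"\d+", "<n>", stem)


def is_guessable(candidate: str, published: list[str]) -> bool:
    """True when the candidate differs from an already-public name only by date tokens."""
    pat = name_pattern(candidate)
    return any(name_pattern(p) == pat for p in published)


def unguessable_name(original: str, nbytes: int = 24) -> str:
    """Long random URL-safe filename (32 characters for 24 bytes); keeps the extension."""
    return secrets.token_urlsafe(nbytes) + PurePosixPath(original).suffix


@dataclass
class Document:
    name: str
    content: bytes
    embargo_until: datetime  # must be timezone-aware


@dataclass
class PublishingGate:
    published: list[str] = field(default_factory=list)   # paths already public
    staging: dict[str, Document] = field(default_factory=dict)
    live: dict[str, bytes] = field(default_factory=dict)  # public path -> bytes

    def stage(self, doc: Document) -> None:
        if doc.embargo_until.tzinfo is None:
            raise ValueError("embargo_until must be timezone-aware")
        self.staging[doc.name] = doc

    def audit(self) -> list[str]:
        """Staged names a reader could derive from something already public."""
        return [n for n in self.staging if is_guessable(n, self.published)]

    def release(self, name: str, now: datetime) -> str:
        """Move a staged document live and return its public path.

        Refuses before the embargo lifts, and never reuses the staging name,
        so the live URL cannot be predicted from earlier releases."""
        doc = self.staging[name]
        if now < doc.embargo_until:
            raise PermissionError(
                f"{name!r} is embargoed until {doc.embargo_until.isoformat()}")
        public = "/publications/" + unguessable_name(name)  # constructed folder
        self.live[public] = doc.content
        self.published.append(public)
        del self.staging[name]
        return public


if __name__ == "__main__":
    # Constructed sample: an earlier forecast is public; the new one is staged
    # under the same naming scheme with only the month changed.
    gate = PublishingGate(published=["/publications/Forecast_March_2025.pdf"])
    lifts = datetime(2025, 11, 26, 12, 30, tzinfo=timezone.utc)  # constructed
    gate.stage(Document("Forecast_November_2025.pdf", b"%PDF-1.7 ...", lifts))
    print("guessable names in staging:", gate.audit())
    try:
        gate.release("Forecast_November_2025.pdf",
                     now=datetime(2025, 11, 26, 11, 40, tzinfo=timezone.utc))
    except PermissionError as exc:
        print("blocked:", exc)
    print("live at:", gate.release("Forecast_November_2025.pdf",
                                   now=datetime(2025, 11, 26, 12, 31, tzinfo=timezone.utc)))
```

The audit is the cheap control: run it over the staging folder before any release and it catches the March-to-November substitution the Daily Mail source described. The random public path addresses the residual risk that a staged file is reachable before its embargo, since there is then nothing for a guessed or fuzzed URL to land on; it does not replace access control on the staging area itself.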
Kayne says organisations need to take a risk-based approach to safeguarding sensitive files.
“Know your assets. Maintain accurate asset registers – you can’t protect what you haven’t identified,” he said.
“Understand the data status and be crystal clear on the difference between reversible pseudonymisation and irreversible anonymization.”
While we’ll have to wait for Monday’s findings, one likely recommendation is that departments adopt a more holistic approach to managing sensitive information and pay closer attention to how PDF documents are handled before publication.
Anderson stresses that the PDF format itself isn’t the problem.
“PDF security features are widely used for confidentiality, integrity and non-repudiation,” he said.
“They can be very secure when managed properly.”