WordPress plugin blunder caused UK budget leak, OBR head resigns


A misconfigured WordPress extension led to the premature disclosure of last week’s UK autumn budget, a report has found, prompting OBR head Richard Hughes, who is responsible for overseeing government spending, to resign.

These are the findings of an OBR-commissioned probe to look into how the UK government’s economic forecast was leaked last week, almost an hour before Chancellor Rachel Reeves was due to announce its contents in parliament.

The 19-page report, signed by two non-executive OBR members, Baroness Hogg and Dame Susan Rice, with input from cybersecurity specialist Ciaran Martin, also suggested that unauthorized access to budget documents may have been possible for years, and there’s some evidence that it happened in the UK’s March budget as well.


Even before the publication of yesterday’s findings, many experts and Whitehall staff anticipated a labelling/publishing error rather than the work of cybercriminals.

The OBR itself has described the leakage of the market-sensitive documents as the “worst mistake” in its 15-year history. So, what went wrong?

What are the details of the OBR leak?

Martin, the former chief of the National Cyber Security Centre, is more used to investigations that uncover the work of hostile state actors. His technical analysis, published on Monday afternoon, instead concludes that basic publishing errors and predictable naming conventions of the kind he would expect to see "in a small to medium-sized business" were to blame.

Martin writes in the report that the root cause lay in "two mutually contributory configuration errors" around draft pages and downloads created under known, guessable naming conventions.


The first error was the way the Download Monitor WordPress plugin was used: alongside the managed download link it provides, the plugin leaves the uploaded file reachable at a plain, predictable URL. The second was a failure to configure the server to block direct access to that download directory.

“The creation of a URL in the clear is a feature of the plug-in which requires specific mitigation if it is not to lead to the document unintentionally being visible before publication,” the report said.

Misconfiguration of WordPress extension Download Monitor led to early, indiscriminate access of budget documents

“This was obviously not understood within the OBR’s online publishing function, so the Download Monitor plug-in should not have been used in this way without that understanding.”

Additionally, the web server lacked the server-level rule that would have denied direct requests to the download directory and so prevented the budget from being accessed prematurely.

"If configured properly, this will block access to the clear URL and return a 'forbidden' message," the report explains.

"This is the second contributory configuration error – the server was not configured in this way, so there was nothing to stop access to the clear URL bypassing protections against pre-publication access."

The report concludes:

“In short, the technical causes of the premature access were two mutually contributory configuration errors, one in the configuration and use of Download Monitor, a third-party WordPress plug-in, and one in the configuration of WordPress and the underlying server.”

OBR report
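The "clear URL" the report describes is predictable, so the practical pre-publication check is to request it yourself and confirm the server answers "forbidden" rather than serving the file. The script below is an added example written for this article, not code from the OBR or its report. It assumes Download Monitor's default storage path, wp-content/uploads/dlm_uploads/YYYY/MM/ (an assumption about the plugin's defaults, not something the report states), and the domain, filename and function names are invented for illustration.

```python
"""Pre-publication check for a Download Monitor 'clear' URL (added example, not OBR code)."""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Assumption: Download Monitor stores files under wp-content/uploads/dlm_uploads/YYYY/MM/
# (its default), so the direct URL is predictable from the upload month and filename.
DLM_DIR = "wp-content/uploads/dlm_uploads"


def candidate_urls(base, filename, year, month):
    """Return the direct file URL and its directory; both should be denied before publication."""
    prefix = f"{DLM_DIR}/{year:04d}/{month:02d}/"
    return [urljoin(base, prefix + filename), urljoin(base, prefix)]


def verdict(status):
    """Map an HTTP status code to what it means for an embargoed document."""
    if status == 200:
        return "EXPOSED"       # the bytes came back: anyone who guesses the URL has the file
    if status in (401, 403):
        return "BLOCKED"       # a server-level deny rule is in place (the 'forbidden' the report wants)
    if status == 404:
        return "ABSENT"        # nothing at that path yet: re-run once the file has been uploaded
    if status in (301, 302, 303, 307, 308):
        return "REDIRECTED"    # inspect the Location header; a login redirect is fine, a CDN copy is not
    return "UNEXPECTED"


def probe(url, timeout=10):
    """HEAD the URL without following redirects and return the raw status code."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # turn any redirect into an HTTPError so we see the real status

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check(base, filename, year, month):
    """Probe file and directory URLs and return {url: verdict}."""
    return {url: verdict(probe(url)) for url in candidate_urls(base, filename, year, month)}


if __name__ == "__main__":
    import sys
    # usage: python dlm_check.py https://obr.example/ EFO.pdf 2025 11   (hypothetical site)
    site, name, yr, mo = sys.argv[1], sys.argv[2], int(sys.argv[3]), int(sys.argv[4])
    for url, result in check(site, name, yr, mo).items():
        print(f"{result:10s} {url}")
```

Run it before the file is uploaded (expect ABSENT or BLOCKED) and again immediately after (expect BLOCKED); an EXPOSED result on either URL is exactly the condition the report describes. The deny rule itself is a one-liner on either common server, assuming the same directory: on nginx, `location ^~ /wp-content/uploads/dlm_uploads/ { deny all; }`, and on Apache a `.htaccess` in that directory containing `Require all denied`.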

Why did the OBR use WordPress?

The OBR was founded to be independent of the government and to prevent politicians from playing fast and loose with economic forecasts. In keeping with its remit, ten years ago it decided to maintain an entirely separate web presence to demonstrate total independence.


According to Martin, speaking on the BBC’s Today programme on Tuesday, it was this decision that left the OBR publishing documents of national significance with far weaker capabilities than the task required.

“It seems to me like the decision to maintain an entirely separate web presence was a false choice. No one will particularly care about the exact domain address of the OBR’s website, and the consequence of that decision is that a body that was charged with secure publishing of major documents of national significance has the capabilities of a small to medium-sized business instead of the capabilities of a major government department.”

Ciaran Martin

Was budget doc access a well-known secret?

A concerning detail of the report is that these configuration errors allowed non-government personnel, anyone from journalists to City traders, to view market-sensitive information before the government’s economic forecasts were published.

The report notes that early access to documents may have also happened in March, or at any other time in the website’s 10-year history.

It goes on to say that a more detailed forensic audit would need to be undertaken to uncover exactly how widespread or well-known the misconfiguration was and who was able to exploit it.

OBR's logging analysis shows that the people who accessed the docs early knew what they were looking for

Between 05:16 a.m. GMT on the day of the budget (November 26th) and the moment the file became reachable at 11:35 a.m., the report notes that “a total of 44 unsuccessful requests to this URL were made from seven unique IP addresses.” In other words, people were probing the predictable URL before there was anything there.

Once the file was in place, between 11:35 a.m. and 12:07 p.m., the same URL received 43 requests from 32 different IP addresses.

As the report notes:


“For those 38 minutes, access to the EFO was possible for anyone who could guess the URL of the publication and type it into the address bar of a web browser.”

After that, the PDF file was removed, but by then it had already been captured by the Internet Archive.

The report also indicates that people may have accessed the March economic forecast early, too, as logs show that one IP address successfully accessed the document at 12:38 p.m., five minutes after the Chancellor had started speaking and nearly half an hour before publication.
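The pattern the report pulls from its logs, repeated failed requests to one guessable path before the file exists and then successful downloads before the official publication time, is easy to extract from an ordinary access log. The script below is an added example for this article, not the OBR's tooling; the log lines are constructed in the combined log format, the IP addresses are documentation ranges, and the publication time of 12:30 is an assumed value for illustration.

```python
"""Find embargo-window access to a predictable download URL in a web access log.
Added example, not OBR code; sample log lines below are constructed, not real."""
import re
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache/nginx combined-log timestamp


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def embargo_report(lines, target_path, published_at):
    """Summarise who touched target_path before the official publication time.

    A non-200 before publication is a probe (someone guessing the URL before upload);
    a 200 before publication is an early download of embargoed material."""
    probes, hits = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != target_path or rec["ts"] >= published_at:
            continue
        (hits if rec["status"] == 200 else probes).append(rec)
    return {
        "probe_requests": len(probes),
        "probe_ips": sorted({r["ip"] for r in probes}),
        "early_downloads": len(hits),
        "early_download_ips": sorted({r["ip"] for r in hits}),
        "first_early_download": min((r["ts"] for r in hits), default=None),
    }


# Constructed sample: guesses at the clear URL before upload (404), hits after upload
# but before publication (200), one unrelated page view, and one post-publication download.
TARGET = "/wp-content/uploads/dlm_uploads/2025/11/EFO.pdf"
PUBLISHED_AT = datetime(2025, 11, 26, 12, 30, tzinfo=timezone.utc)  # assumed, for illustration
SAMPLE_LOG = f"""\
203.0.113.5 - - [26/Nov/2025:05:16:02 +0000] "GET {TARGET} HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.7 - - [26/Nov/2025:09:41:10 +0000] "GET {TARGET} HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Nov/2025:11:20:45 +0000] "GET {TARGET} HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.7 - - [26/Nov/2025:11:36:03 +0000] "GET {TARGET} HTTP/1.1" 200 2483011 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Nov/2025:11:41:27 +0000] "GET {TARGET} HTTP/1.1" 200 2483011 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Nov/2025:11:41:30 +0000] "GET /about/ HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
203.0.113.77 - - [26/Nov/2025:12:45:00 +0000] "GET {TARGET} HTTP/1.1" 200 2483011 "-" "Mozilla/5.0"
"""


def sample_report():
    """Run the analysis over the constructed sample log."""
    return embargo_report(SAMPLE_LOG.splitlines(), TARGET, PUBLISHED_AT)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The probe count and its small set of repeat IP addresses is the signal worth alerting on in future: requests for a path that does not yet exist, clustered around a known embargo, mean the URL is guessable and someone is guessing it. The same query, pointed at the March forecast's path, is how one would confirm the single early download the report mentions.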

OBR not alone in naming error blunder

While paying a cyber expert to basically recommend that documents aren’t uploaded until they’re ready to be published may sound like the stuff of political satire, the OBR can take some comfort in the fact that the same thing has happened at other high-profile organizations.

Unredacted PDFs with Xbox roadmaps were the cause of a similar leak two years ago

Two years ago, a batch of confidential Xbox and cloud roadmaps spilled after unredacted PDFs were uploaded to a public court site and left accessible on the server.

And only this spring, US federal staff shared a Google Drive folder containing White House floor plans and vendor banking details with more than 11,000 employees due to a single misconfigured link.
