London, December 01, 2025
The UK’s Office for Budget Responsibility (OBR) experienced a significant security breach in November 2025 that led to the premature leak of its November Economic and Fiscal Outlook (EFO) document. The breach was caused by inadequate security measures in the OBR’s online publication system, allowing unauthorized access before the official release.
Details of the Breach
The confidential November 2025 Budget analysis was exposed through a security vulnerability that enabled anyone with knowledge of a predictable internet address to directly access the document. This weakness resulted from security protocols that were either improperly applied or malfunctioning. Unauthorized users exploited this gap without executing a hostile cyberattack or internal misconduct.
Initial unauthorized access occurred at 11:35 AM from an IP address that had previously attempted to access the document multiple times that day. Officials at the OBR and Treasury discovered the breach at 11:52 AM and immediately coordinated a response. Despite efforts to remove the file and enable password protection at 11:53 AM, website traffic overload momentarily hindered the containment. Ultimately, the document was accessed 43 times by 32 distinct IP addresses during the exposure window.
Investigation and Findings
External cyber security expert Professor Martin was engaged to investigate the incident. His findings confirmed that the breach was isolated to the online publication platform’s vulnerabilities. There was no evidence of systemic IT security failures across the OBR network, nor indications of a malicious intrusion or insider threat.
Enhanced security measures deployed after the OBR’s full integration into the Treasury’s IT systems in December 2023 have effectively safeguarded sensitive communications between the two bodies during the critical pre-Budget period. However, longstanding weaknesses within the online publishing system had not been adequately rectified prior to the incident.
Context and Background
The OBR integrated its IT infrastructure with the Treasury’s in late 2023, implementing stronger security controls for shared operations. This integration aimed to enhance data protection policies and safeguard fiscal sensitivities. Despite these improvements, the document leak revealed lapses in securing publicly accessible web resources, highlighting a gap in the overall information security strategy.
Looking Forward
The OBR is undertaking corrective measures to strengthen security protections around all online publications and prevent recurrence of such premature disclosures. The ongoing investigation seeks to fully understand the underlying causes and implement robust safeguards. Given the sensitive nature of fiscal forecasts, the breach underlines the crucial importance of rigorous cybersecurity oversight in government institutions.
This incident serves as a cautionary example for public entities worldwide, emphasizing the imperative of continuous assessment and enhancement of digital defenses to protect confidential information integral to economic and policy decision-making.