A market-moving blunder by the UK’s fiscal watchdog – which exposed details of the Chancellor’s budget early – has been blamed on a misconfigured WordPress plugin and poor underlying server controls.

The Office for Budget Responsibility (OBR) inadvertently exposed its response to the budget early on Wednesday November 26 – triggering frantic trading activity and, today, leading to the OBR chair’s resignation.

The data disclosure was the “worst failure in the 15-year history” of the UK’s fiscal watchdog, an incident report found. The Treasury’s CIO Huw Stevens and former NCSC boss Ciaran Martin were asked to investigate.

Their report landed today. 

OBR budget leak blamed on WordPress

In short, the OBR runs its own WordPress-based site. Its Economic and Fiscal Outlook (EFO), building on data disclosed to it prior to the Chancellor announcing budget details publicly, is uploaded to the site using a plugin.

"WordPress has a commonly used feature for handling scheduled publications to keep what it calls ‘future’ content hidden. It works off authentication, rather than the obfuscation of the URL," noted Martin.

But the OBR’s team uploaded the report prior to publication using the Download Monitor plugin, which created a URL that followed a consistent, easily guessable pattern based on previous years' files. Although the file was ostensibly held as 'future'/draft content, misconfiguration allowed external users to predict the link and access the document before it was “live”, the report found.

As Ciaran Martin wrote: “[The plugin] provided a link to the live version, which bypassed the need for authentication. This rendered the protections on the ‘future’ function of WordPress redundant as it bypassed the required authentication needed to gain access to the pre-uploaded document.”


Panicked OBR staff and their web developer later “attempted to pull the PDF from the website, and also to pull the entire website (e.g. via password protection), but struggled to do so initially due to the website being overloaded with traffic,” the report found – noting that a similar incident may have occurred in May 2025 and possibly earlier, but gone unreported. 

A senior economist at a top broker in London earlier told Reuters that he was in "a state of shock" when reading headlines about the inadvertent disclosure, which immediately pushed UK government bond prices higher. 

The OBR’s publication plans “were fragile in relation to the magnitude of the task, reflecting the OBR’s size and budget… those involved were working on the basis that the underlying technology used by the OBR ensured that pre-publication uploads were not generally accessible. The assumption was that even though the URL could be guessed because it followed a clear pattern from previous EFOs, the protections provided on WordPress would ensure it could not be accessed,” the report found.

Given indications of potential similar, unreported, pre-budget EFO access, “a fuller forensic digital audit of recent EFO publications is undertaken to probe this further [is needed],” today’s report suggested. “It would be prudent to examine the logs for the two previous EFO publications from 2024…”
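
The log review the report recommends could start with a check like the one below, which separates pre-release requests that were actually served the document from those that were refused. This is an added example, not code from the report or the OBR; the combined access-log format, the document path, the release time and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def audit_pre_release(lines, protected_path, release_time):
    """Split pre-release requests for protected_path into those that were
    served content (2xx) and those that were refused (any other status)."""
    served, refused = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != protected_path:
            continue  # malformed line or a different resource
        # %z keeps the logged UTC offset, so the comparison is timezone-safe
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts >= release_time:
            continue  # access after publication is expected
        status = int(m["status"])
        bucket = served if 200 <= status < 300 else refused
        bucket[m["ip"]].append((ts.astimezone(timezone.utc), status))
    return dict(served), dict(refused)

# Constructed values: path, release time and log lines are illustrative only.
PATH = "/example-downloads/report-2030.pdf"
RELEASE = datetime(2030, 1, 15, 12, 30, tzinfo=timezone.utc)
SAMPLE_LOG = [
    f'198.51.100.7 - - [15/Jan/2030:11:20:00 +0000] "GET {PATH} HTTP/1.1" 404 512',
    f'192.0.2.10 - - [15/Jan/2030:11:41:07 +0000] "GET {PATH} HTTP/1.1" 200 5242880',
    f'192.0.2.10 - - [15/Jan/2030:11:41:30 +0000] "GET {PATH}?x=1 HTTP/1.1" 206 1048576',
    f'192.0.2.44 - - [15/Jan/2030:13:10:00 +0100] "GET {PATH} HTTP/1.1" 200 5242880',
    '203.0.113.9 - - [15/Jan/2030:11:50:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    f'203.0.113.5 - - [15/Jan/2030:12:31:00 +0000] "GET {PATH} HTTP/1.1" 200 5242880',
    'truncated or corrupt line',
]

if __name__ == "__main__":
    served, refused = audit_pre_release(SAMPLE_LOG, PATH, RELEASE)
    for ip, hits in served.items():
        print(f"EARLY ACCESS {ip}: {len(hits)} hit(s), first {hits[0][0].isoformat()}")
    for ip, hits in refused.items():
        print(f"refused pre-release {ip}: statuses {[s for _, s in hits]}")
```

Refused pre-release requests are worth keeping in the output: they show the path was being tried while the access control still held, which helps date when the exposure began.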
