Scandal-hit OBR faced nearly 240,000 cyber attacks this year amid website failure that leaked Budget

The Office for Budget Responsibility (OBR) has been targeted by almost a quarter of a million cyber attacks over the past year, a dramatic surge that comes just weeks after the fiscal watchdog accidentally leaked the Chancellor’s Budget online.

Freedom of Information data obtained by the Parliament Street think tank shows the OBR faced 238,678 hostile incidents in the past 12 months, including spam, malware, and phishing attempts. The figure represents a 162% increase on the previous year’s 90,958 attacks. Officials say all attacks were successfully blocked.

The revelations add to mounting scrutiny of the organisation following the resignation of chair Richard Hughes, who stepped down after the OBR’s flagship Economic and Fiscal Outlook (EFO) appeared online around 40 minutes before Rachel Reeves delivered her Budget.

A formal investigation led by Ciaran Martin, the former head of the National Cyber Security Centre, found the leak was the result of human error rather than a hostile cyber breach.

Martin’s report identified a “misunderstanding” of a WordPress plugin — Download Monitor — combined with a failure to configure the OBR’s server to block direct file access. The oversight allowed external users, including journalists, to locate and download the document simply by amending a URL.

The report noted that WordPress “can be onerous to configure” and that mistakes of this kind are “easily made”, but the consequences in this case were profound, triggering political chaos and rattling financial markets.

Cyber security specialists say the scale of attempted attacks on the OBR underscores the vulnerability of public sector bodies and the need for much tighter digital controls.

Graeme Stewart, head of public sector at Check Point, said: “These figures underline the growing volume of increasingly sophisticated cyber attacks directed at government organisations.

The accidental publication of market-sensitive documents should serve as a wake-up call about the risks associated with sloppy website management and weak security protocols.”

He added that failures of this kind “increase stress on already stretched systems” and that stronger processes and defences must be put in place “immediately”.

Kenny MacAulay, CEO of accounting software platform Acting Office, warned that the stakes extend far beyond a single department: “Data leaks can cause major issues for public sector bodies. Secure, well-managed publication systems are essential.

The consequences could be catastrophic — not only for the department involved but for the wider UK economy.”

The watchdog, whose forecasts underpin every Budget, is now racing to tighten its security and rebuild trust after one of the most damaging incidents in its 14-year history. With nearly a quarter of a million cyber attempts recorded in a single year — and public scrutiny sharper than ever — the OBR faces strong pressure to demonstrate that its systems, processes and governance are fit for purpose ahead of the next fiscal event.

Read more:
Scandal-hit OBR faced nearly 240,000 cyber attacks this year amid website failure that leaked Budget