The OBR's Website Problem Was Always Going to Happen

I was in the room — or close enough — when the Office for Budget Responsibility was asked to move its publishing to GOV.UK. The conversation was clear: a small organisation, running market-sensitive economic data, should probably be on the government’s own hardened publishing platform rather than a self-managed WordPress site.

They declined. The team at the time accepted the risk.

Fair enough

The early OBR leadership made it through their tenure without incident. The risk they accepted didn’t materialise. Organisations accept technical risks all the time and often they don’t come due.

But in November 2025, the morning of the Budget, their WordPress site made the Economic and Fiscal Outlook available thirty-odd minutes early. It was accessed 43 times before anyone noticed. The OBR’s own enquiry described it as a download monitor plugin that bypassed authentication — combined with the absence of passwords and randomised URLs that any normal web publisher would consider baseline hygiene.

Their CEO, Richard Hughes resigned. Thirteen years after the original call was made, a different person paid the price.

This is a subscale tech problem.

The OBR is a small organisation. Small organisations often have small IT functions — people who manage systems rather than engineer them. That’s fine for most small organisations.

The OBR is not most small organisations. Twice a year, its publication events are among the most market-sensitive moments in the UK economic calendar. The technical requirements for safe publication are — or should be — held to a completely different standard than a standard organisational website.

That mismatch — subscale tech management for the importance of the tech — is the real failure here. Not the plugin. Not the config error. Those are symptoms.

The inquiry figured it out eventually.

One of the key recommendations: move the OBR’s website into government digital architecture. Which is exactly what was suggested thirteen years ago.

The risk that was accepted didn’t go away. It lurked.