20 comments

  • gnfargbl 2 hours ago
    The real kicker is in point 1.13:

    > website activity logs show the earliest request on the server for the URL https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl.... This request was unsuccessful, as the document had not been uploaded yet. Between this time and 11:30, a total of 44 unsuccessful requests to this URL were made from seven unique IP addresses.

    In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.

    The report acknowledges this at 2.11:

    > In the course of reviewing last week’s events, it has become clear that the OBR publication process was essentially technically unchanged from EFOs in the recent past. This gives rise to the question as to whether the problem was a pre-existing one that had gone unnoticed.

    • philipwhiuk 2 hours ago
      > In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.

      The URLs are predictable. Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.

      • kypro 1 hour ago
        This is so incompetent.

        Given the market significance of the report it's damn obvious that this would happen. They should have assumed that security via obscurity was simply not enough, and the OBR should have been taking active steps to ensure the data was only available at the correct time.

        > Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.

        It's not even just hedge-funds that do this. This is something individual traders do frequently. This practice is commonplace because a small edge like this with the right strategy is all you need to make serious profits.

        • mjw1007 29 minutes ago
          They weren't in any way attempting to rely on security by obscurity.

          They didn't assume nobody would guess the URL.

          They did take active steps to ensure the data was only available at the correct time.

          But they didn't check that their access control was working, and it wasn't.

        • stuaxo 31 minutes ago
          This setup was not initially approved, see 1.7 in the document:

          > 1.7 Unlike all other IT systems and services, the OBR’s website is locally managed and outside the gov.uk network. This is the result of an exemption granted by the Cabinet Office in 2013. After initially rejecting an exemption request, the Cabinet Office judged that the OBR should be granted an exemption from gov.uk in order to meet the requirements of the Budget Responsibility and National Audit Act. The case for exemption that the OBR made at the time centred on the need for both real and perceived independence from the Treasury in the production and delivery of forecasts and other analysis, in particular in relation to the need to publish information at the right time.

    • kristianc 21 minutes ago
      Part of this is a product of the UK's political culture where expenses for stuff like this are ruthlessly scrutinised from within and without.

      The idea of the site hosting such an important document running independently on WordPress, being maintained by a single external developer and a tiny in-house team would seem really strange to many other countries.

      Everyone is so terrified of headlines like "OBR spends £2m upgrading website" that you get stuff like this.

    • lesuorac 2 hours ago
      > This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.

      I think most of the tech world heard about the Nobel Peace Prize award so it doesn't seem that suspicious to me that somebody would just poll URLs.

      Especially since before the peace prize there have been issues with people polling US economic data.

      My point is strictly, knowledge that they should poll a URL is not evidence of insider activity.

    • rahimnathwani 2 hours ago
      The report also says a previous report was accessed 30 mins early.
  • fabian2k 3 hours ago
    > The available mitigation is at server level and prevents access to download or file storage directories directly. If configured properly, this will block access to the clear URL and return a ‘forbidden’ message. This is the second contributory configuration error – the server was not configured in this way so there was nothing to stop access to the clear URL bypassing protections against pre-publication access

    That's the main flaw. Wordpress was configured to allow direct access to files, so they did not go through the authentication system. My experience is with Drupal (and a decade or more out of date), but it sounds like this behaves very similarly. And this is a giant footgun, the system doesn't behave the way normal people expect if you allow unauthenticated access to files (if you know the URL). I don't understand why you would configure it this way today.

    I would also assume that the upload happened via Wordpress, and not someone manually uploading files via FTP/SFTP or something like that. And in that case it would be entirely non-obvious to users that attaching a file to an unpublished document would put it in a place where it is potentially publicly accessible.

    • snowwrestler 2 hours ago
      Since at least Drupal 7, the core CMS has included the concept of “private files.” The files are stored in a directory that is not served publicly by the web server. Instead the CMS generates a proxy URL for each file, which is handled by the CMS like a page URL before serving the file by streaming it through PHP. So: it’s a heavier load on the server, but you get full permission management by the CMS.

      Wordpress does not have this in core—no surprise. I was surprised to find that it’s not even available as a community plugin. I had to pay a developer to write a custom plugin when building a members-only website in Wordpress.

      Some folks downplayed the risk of someone finding and directly accessing the file URL if it wasn’t referenced on a public page. It’s crazy to see it created a national government incident in the UK.

      • fabian2k 1 hour ago
        That's even worse than I thought. I assumed it is a setting like in Drupal.

        To me it really doesn't make any sense to have that kind of giant hole in your permissions system from the start.

      • Y-bar 1 hour ago
        > I was surprised to find that it’s not even available as a community plugin.

        I found this one https://wordpress.org/plugins/prevent-direct-access/

  • jamesbelchamber 3 hours ago
    For those of you not closely following UK politics: the Office for Budget Responsibility (OBR) mistakenly published their Economic and Fiscal Outlook (EFO) document 40 minutes early, pre-empting the announcements by the Chancellor.

    This is being treated as an incredibly big deal here: https://www.bbc.co.uk/news/articles/cd74v35p77jo

    • tantalor 2 hours ago
      > which it blamed on a "technical error"

      It's not a technical error at all!

      Technical errors are faults caused by technology, like a software or hardware bug. That's not what happened here. WordPress behaved exactly as it was supposed to.

      The true cause is revealed later in the article,

      > staff thought they had applied safeguards to prevent early publication, there were two errors in the way in which they were set up

      The problem was the staff. It's a human error.

      • chriswarbo 1 hour ago
        I don't think that's a worthwhile distinction. All software bugs are human errors, since the machine is correctly following the human programmer's incorrect instructions; whether that's at the level of assembly instructing the CPU; or a higher level like Wordpress instructing the PHP interpreter; or an even higher level of a document hosting solution instructing Wordpress.
        • diordiderot 24 minutes ago
          Eh, I think the distinction is broken tool vs improper use of the tool or, in this case, the wrong tool altogether.
      • graemep 2 hours ago
        A well designed system would reduce the risk of human error.

        Given the importance of keeping this information confidential, they really ought to have a custom system for releasing it, not just configuring a third party Wordpress plugin.

    • hdgvhicv 3 hours ago
      In the popular press it’s been sidelined because it would distract from the continuous attacks on the chancellor
      • louthy 3 hours ago
        Yes, it’s getting quite ridiculous now. Labour, for sure, have not done themselves any favours in their first 18 months in charge, but the level of attack and vitriol is exceptional and beyond any reasonable level.

        It makes me wonder what exactly is driving this.

        • physicsguy 2 hours ago
          The fact that they were elected as a 'change' government and have barely done anything that really faces up to the scale of the challenge the country faces? If you're below the age of about 55, then the budget did absolutely nothing for you except put taxes up, and not even to improve services.

          I appreciate things take time but so far the government have enormously walked back their planning reform proposals, which was one of their few pro-growth policies, and haven't really made any dent in anything else substantive. It's been pretty clear since even before the election that they didn't really have a plan, and they got a fairly light scrutiny through the campaign because the Tories were so appalling. Then since they got in they're just scrambling around looking fairly incompetent and the dearth of talent in the cabinet has been pretty plain to see as well. Largely I want Labour to succeed but they're not making it easy to like them.

          • teamonkey 36 minutes ago
            They have done a lot of sensible, boring things that are objectively positive but are largely going unnoticed (plus of course a few massive footguns that make the headlines).

            I keep recommending r/GoodNewsUK on Reddit. It’s often just a lot of press releases and government announcements, but there seem to be a continual stream of them, and it’s hard to hear about them by any other source.

          • graemep 2 hours ago
            I largely agree, except I think my expectations were lower than yours to start with. The ruling class all think alike regardless of party.

            They have pushed ahead with the Tories' Online Safety Act. Legislation I have looked at or that affects things I know about, such as the Children's Wellbeing and Schools Act, is terrible.

            There is a lot of smoke and mirrors. For example, if you assume the justification for the "mansion tax" is that people who own higher value properties should be taxed more, why does someone with a £50m house not pay more than someone with a £5m house? It's designed to hit the moderately wealthy but not the really rich.

          • louthy 2 hours ago
            I don’t disagree with any of that, but the vitriol doesn’t match the disappointment imho. Especially as they’ve done pretty well in other areas.

            I realise “it’s the economy, stupid”, but still it feels like outsized outrage.

            • mytailorisrich 2 hours ago
              The public do not see or agree that they have done well in any areas, hence their appallingly low popularity. And that was before this budget announcement.

              It does not take a crystal ball to understand that the British media, which are vitriolic on a good day, will have an absolute free-for-all. It's nothing new.

          • exasperaited 2 hours ago
            > The fact that they were elected as a 'change' government and have barely done anything that really faces up to the scale of the challenge the country faces?

            They have done a lot. But they haven't even stopped the runaway train yet. And the fundamental mistake they have made is not explaining to people clearly enough, during the election campaign, that it would take the first three years just to stop it.

            Then you have the absolutely shameful, racist, nihilistic, fact-free intervention of five MPs that the media thinks will run the country in future so they are getting ten times the airtime of anyone else.

        • mytailorisrich 2 hours ago
          This is politics so attacks will always follow blunders on either side.

          In this case this is an extremely unpopular government to start with that increases taxes across the board while handing out more benefits and claiming that they had no choice because of the state of the public finances, and we learn that they possibly misled the public on that latter point. So, yes, in politics and especially British politics this means a riot against the Chancellor (who was also caught recently having let her house without the required legal licence, btw, after the [now former] Deputy PM was caught dodging taxes on the purchase of a second home...) because everyone "smells blood" but that's the game and it's not completely undeserved, either.

        • dboreham 2 hours ago
          Money.
        • RobotToaster 2 hours ago
          They were elected with 33% of the vote thanks to our FPTP system, the lowest in history. They were unpopular when they were elected and have done nothing to change that.
  • londons_explore 3 hours ago
    > It is the worst failure in the 15-year history of the OBR

    I'm not sure publishing some information 3 hours early was really their biggest failure in 15 years...

    Especially when much of the info was already public because hundreds of civil servants involved in making these decisions told their family members who told the press...

    • afavour 3 hours ago
      It's still a failure in principle. The effects of this particular instance of the failure were minimal but it was still an accidental leak of (at the time) private information. They just got lucky.
      • blibble 2 hours ago
        > The effects of this particular instance of the failure were minimal

        the effects are not minimal

        if you're crooked: getting this sort of information early is potentially extremely lucrative

        (why crooked? because trading on UPSI is illegal)

        • mytailorisrich 1 hour ago
          Surely it was no longer UPSI (Unpublished Price Sensitive Information) after the OBR published it?
          • blibble 1 hour ago
            I wouldn't be betting my freedom on the regulator agreeing with that logic

            the regulations specifically go into great detail about official publications and formal circulation

            would a reasonable person consider this a leak? then it's UPSI

            • mytailorisrich 33 minutes ago
              The OBR admits that they published it too early.

              I am not an expert but I think that even trading on a leak is not unlawful as long as that leaked information was indeed made public (e.g. someone leaks to the media and the media then publish it), although it may have been unlawful to leak the information. The point is that insider trading is not allowed. It is no insider trading if the information is available to everyone.

              • blibble 27 minutes ago
                > I am not an expert

                I have had regulatory training on this exact matter, and it covers unintended leaks explicitly

                and there is no way I would trade

                > The point is that insider trading is not allowed. It is no insider trading if the information is available to everyone.

                no, it isn't the point

                the regulator cares that participants are seen to be clean, practicing "fit and proper" behaviour

                if a reasonable person would think it was dodgy, they'll have your head (and your certification to practice)

                regardless of whether or not it was illegal

                • mytailorisrich 19 minutes ago
                  Yes, I have had the corporate training on leaks and insider trading, too...

                  Trading on public information is fit and proper.

                  I think you may have skipped the part of leak to whom. If it is a leak to you then it is still not public and indeed insider trading. But if leaked to the public then it is different (and also how do you prevent people from trading on what they see in the media?)

                  But that's in general as in this case, the OBR admits they released it and, again, anyway once it's on BBC News it's free for all.

          • kstrauser 1 hour ago
            I agree. They didn’t intend to publish it, but they did publish it. They might not have advertised its presence yet, but it was freely available to anyone who asked.
    • almostkindatech 2 hours ago
      If by 'much of the info' you mean policy changes, those are deliberately leaked by the politicians, not civil servants or their family members. They do this to test reactions and frame the debate.
  • hombre_fatal 1 hour ago
    This doesn't seem to have much to do with Wordpress or its plugin ecosystem but rather an oversight since the behavior itself isn't necessarily a bug. I think the "well yeah, why would you use Wordpress?" comments kinda miss that.

    It's a ubiquitous practice to serve file uploads from a place outside of webserver middleware. This happens pretty much any time an upload permalink is on a different domain or subdomain, and it's standard on probably 90% of platforms.

    Discord and Twitter file upload urls would be an example off the top of my head.

    It would have been prevented if the public url used a random UUID, for example. But that's also not the behavior users necessarily want for most uploads.

  • glenjamin 3 hours ago
    There's a couple of passing mentions of Download Monitor, but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded

    I'm not clear from the doc which of these scenarios is what they're calling the "leak"

    • shawabawa3 3 hours ago
      > but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded

      A bunch of people were scraping commonly used URLs based on previous OBR reports, in order to report as soon as it was live, as is common with all things of this kind

      The mistake was that the URL should have been obfuscated, and only changed to the "clear" URL at publish time, but a plugin was bypassing that and aliasing the "clear" URL to the obfuscated one

      • physicsguy 2 hours ago
        > in order to report as soon as it was live

        We don't actually know that, it's just that the report did hit Reuters pretty swiftly.

    • dazc 3 hours ago
      https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl... 5.pdf

      Not hard to guess really. Wouldn't they know this was likely and simply choose a less obvious file name?

      • jonplackett 2 hours ago
        Turns out, no. No, they would not.
    • longwave 3 hours ago
      It sounds like a combination of the Download Monitor plugin plus a misconfiguration at the web server level resulted in the file being publicly accessible at that URL when the developers thought it would remain private until deliberately published.
  • pentagrama 2 hours ago
    Ok, it was the Download Monitor plugin.

    But I still have a few questions. What is WordPress’s default behavior? Does it prevent files uploaded to the media library from having public URLs? Are they only public once they are inserted into a published post? Images make sense because they are embedded, but what about a PDF linked inside a post? My understanding is that media files become publicly accessible as soon as they are uploaded, as long as someone knows or guesses the URL. I mean, the leak could have happened even without the plugin?

    • kingkool68 23 minutes ago
      Correct. Files uploaded get stored in the wp-content/uploads folder and are public.
  • chuckreynolds 2 hours ago
    "WordPress plugin quirk" AKA human error (as usual).
    • tonyedgecombe 2 hours ago
      Yes, the human error was using WordPress.
  • almostkindatech 2 hours ago
    And now the chair of the OBR has had to resign over it https://www.theguardian.com/politics/live/2025/dec/01/keir-s...
  • merrvk 3 hours ago
    Why are government organisations which handle sensitive information using Wordpress?
    • jamesbelchamber 3 hours ago
      There's not anything obviously wrong with using WordPress for publishing documents like this - they are meant to be public after all.

      The problem was essentially that, through a misconfiguration, they published it early.

    • Roscius 2 hours ago
      "On the reason for the early publication, Prof Martin said it was related to the software the OBR chose to publish to its website, which was more suitable for a small or medium company than a major publication of critical market-sensitive data."

      Using WordPress plugins (with the exception of a limited sub-set) is like chewing gum you find on the sidewalk.

      A technical oversight fail at multiple levels.

    • tolerance 2 hours ago
      This is a reasonable question. I mean yeah it’s supposed to be made public anyway, but evidently there is a non-trivial amount of interest invested in its contents by people who don’t usually qualify when we think of “the public”. Otherwise what would be the big deal?

      My guess is that the team responsible for this didn’t anticipate or at worst were not informed of its value to particular groups of people, at least not to a degree that would’ve warranted extra security measures.

    • RobotToaster 2 hours ago
      There's a UK government policy to try and use open source, they even have a GitHub profile https://github.com/alphagov
    • tantalor 2 hours ago
      It's not sensitive information. It's public information.
      • merrvk 1 hour ago
        Before it’s been released I would consider it sensitive for many reasons.
    • bell-cot 2 hours ago
      In huge org's, doing computer-related stuff the "right" way often involves so many meetings, sign-offs, and miles of red tape that your grandchildren would die of old age before anything actually got done.

      Vs. if you just let Will and Pete do it in WordPress (or on Facebook, or such) then needed tasks might actually be accomplished.

  • M2Ys4U 3 hours ago
    > During that period, it was accessed 43 times by 32 unique IP addresses

    I find this an implausibly low number. It was all over Bluesky, X etc., not to mention journo Signal and WhatsApp groups.

    • m4tthumphrey 3 hours ago
      Either that number was wrong like you say OR (and I am unfamiliar with Bluesky) the URL is loaded via Bluesky's browser (like X) and therefore Bluesky's own server IP was used (instead of the user's).

      Edit: Or (and more likely) cached/copies of the original.

    • jamesbelchamber 3 hours ago
      Possibly copies of the document rather than the original URL?
    • reddalo 2 hours ago
      I feel like those 32 unique IP addresses may very well be Cloudflare or CloudFront ones.
    • logicchains 3 hours ago
      Maybe it was cached somewhere and most people were hitting the cache?
  • hexbin010 1 hour ago
    Should have used S3 and a datetime-based access policy. E.g.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
              "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::obr-leaky-bucket/myfirst.pdf",
            "Condition": {
              "DateGreaterThan": {
                "aws:CurrentTime": "2025-11-26T12:30:00Z"
              }
            }
          }
        ]
      }
  • varispeed 2 hours ago
    They didn’t suffer a breach; they published a market-moving PDF early because they put it on a public WordPress server at a predictable URL with no access control, then acted shocked when someone typed it into a browser. The report dresses this up in solemn language about “pre-publication facilities” and “configuration errors”, but the reality is negligent basics: no authentication, no server-level blocking, blind faith in a plugin they didn’t understand, and not one person running the obvious test of guessing the URL before go-live. Their claim of “independence” just meant running the most sensitive part of their job on an underpowered, misconfigured website while assuming everything else would magically hold together. This wasn’t a cyber incident. It was institutional incompetence wearing a suit.
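The private-files proxy snowwrestler describes above (permission check in the application, then the file streamed from a directory the web server never exposes) combined with the go-live test varispeed mentions (try the predictable URL before release), as an added example that is not code from the OBR, WordPress or Drupal: a hypothetical Python server that keeps the store outside the web root, answers 404 for embargoed and unknown slugs alike, plus a preflight helper that lists any guessable path already answering 200. Slugs, file names, paths and the 12:30 release time are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable
import tempfile


@dataclass(frozen=True)
class Document:
    slug: str             # stable id used in the public proxy URL
    filename: str         # file name inside the private store
    publish_at: datetime  # embargo lifts at this instant (tz-aware)


class EmbargoServer:
    """Hypothetical server: embargoed files are reachable only via /download/<slug>
    and only after publish_at. private_root lives outside the web root, so no
    'clear URL' maps straight to a file on disk; public_root holds public assets only.
    """

    def __init__(self, public_root: Path, private_root: Path, docs: list[Document]):
        self.public_root = public_root.resolve()
        self.private_root = private_root.resolve()
        self.docs = {d.slug: d for d in docs}
        # Fail closed at start-up: a store inside the web root is the wp-content/uploads footgun.
        if self.private_root == self.public_root or self.public_root in self.private_root.parents:
            raise ValueError("private_root must not be inside public_root")

    def handle(self, path: str, now: datetime) -> tuple[int, bytes]:
        """Route one request; returns (status, body) like a tiny WSGI app would."""
        if path.startswith("/download/"):
            return self._proxy(path[len("/download/"):], now)
        return self._static(path)

    def _proxy(self, slug: str, now: datetime) -> tuple[int, bytes]:
        doc = self.docs.get(slug)
        # Unknown and embargoed look identical, so a poller cannot learn that
        # the file has already been uploaded before release time.
        if doc is None or now < doc.publish_at:
            return 404, b"not found"
        target = (self.private_root / doc.filename).resolve()
        if self.private_root not in target.parents:  # traversal guard
            return 404, b"not found"
        return 200, target.read_bytes()  # streamed by the app, not the web server

    def _static(self, path: str) -> tuple[int, bytes]:
        target = (self.public_root / path.lstrip("/")).resolve()
        if self.public_root not in target.parents or not target.is_file():
            return 404, b"not found"
        return 200, target.read_bytes()


def go_live_check(fetch: Callable[[str], int], candidate_paths: list[str]) -> list[str]:
    """Pre-release test: returns every predictable path that already answers 200."""
    return [p for p in candidate_paths if fetch(p) == 200]


def misconfigured_store_rejected() -> bool:
    """The uploads-under-web-root layout must be refused at start-up."""
    base = Path(tempfile.mkdtemp())
    (base / "uploads").mkdir()
    try:
        EmbargoServer(base, base / "uploads", [])
    except ValueError:
        return True
    return False


def demo() -> dict:
    # Constructed fixture: temp web root with the private store beside it.
    base = Path(tempfile.mkdtemp())
    public_root, private_root = base / "htdocs", base / "private"
    public_root.mkdir()
    private_root.mkdir()
    (private_root / "outlook.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    publish_at = datetime(2025, 11, 26, 12, 30, tzinfo=timezone.utc)
    server = EmbargoServer(public_root, private_root,
                           [Document("efo", "outlook.pdf", publish_at)])
    before, after = publish_at.replace(hour=11), publish_at.replace(hour=13)
    # Constructed list of paths a poller might try against this layout.
    guesses = ["/docs/dlm_uploads/outlook.pdf", "/private/outlook.pdf",
               "/../private/outlook.pdf", "/download/../private/outlook.pdf",
               "/download/efo"]
    return {
        "leaked_before": go_live_check(lambda p: server.handle(p, before)[0], guesses),
        "served_after": [p for p in guesses if server.handle(p, after)[0] == 200],
        "embargo_status": server.handle("/download/efo", before)[0],
        "release_status": server.handle("/download/efo", after)[0],
    }
```

Run `demo()` to see the preflight list come back empty before the embargo and only the proxy URL serve afterwards; the same `go_live_check` works against a real deployment if `fetch` is swapped for an HTTP HEAD against your own host.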
    • jonplackett 2 hours ago
      But but but they ‘have a limited budget’ (repeated multiple times for effect in the article)
  • TheRealPomax 2 hours ago
    I think you mean "no one got paid to vet the wordpress plugins"
  • froobius 2 hours ago
    And the news just now is that the chair of the OBR has resigned because of this [1]

    [1] https://www.bbc.co.uk/news/live/cly147rky81t

  • tolerance 2 hours ago
    So is the significance of this news based on what could have leaked if the document was not intended for the public? [1]

    Or is the significance of this news based on the advantages that players on the market who caught hold of it early will have? Is it only important to civilians relative to their ability to question who may be benefitting from the 40 minute head start that these players might have gained or (for the conspiracy-minded) been handed through nefarious means?

    [1]: Which would lead me to ask why would it belong on a platform typically intended for publishing things in public.

    • macleginn 2 hours ago
      Interestingly, the public discourse in the UK (at least what I have observed, and it was hard not to observe a lot in the last several days) does not focus much (if at all) on the insider trading angle. It's mostly that the chancellor has this important duty to first announce the new budget before the Parliament, and if this course of events gets distorted this is very bad for the proper procedure. Now, the sole purpose of OBR is to ensure the proper procedure, so very silly (or "damning") of them to make such a mistake.

      At the same time, almost every piece of legislation in recent years has been relentlessly leaked and taken apart way before the official announcement in parliament, so this is a wee bit ridiculous.

    • jonplackett 2 hours ago
      It’s just about incompetence really. The budget is meant to be highly secret. And they accidentally published their report early. Which would let some people benefit from it financially, but it’s also just very embarrassing for a government. Sometimes budgets contain info that is more valuable than this.
  • rvz 2 hours ago
    What the f____?

    The contents of market sensitive information critical to the finances of the entire country is stored on a damn vulnerable Wordpress server.

    It's not even accidental access or a premature push of the button to release the document, but the site was regularly breached over and over and over again likely for insider trading ahead of the budget.

    Might as well store the UK nuclear key codes on a large bright yellow Post-It note in Piccadilly Circus.

    What a complete joke on the lack of basic security.

  • kingkool68 3 hours ago
    What was the quirk?
    • cstuder 3 hours ago
      > A feature known as the Download Monitor plug-in created a webpage with the clear URL which provided a link to the live version, which bypassed the need for authentication. This rendered the protections on the ‘future’ function of WordPress redundant as it bypassed the required authentication needed to gain access to the pre-uploaded document.

      WordPress is a nice piece of software, but the plugin situation is getting worse and worse. (Too many pending updates, premium features and constant upselling, selling of plugins to new sketchy owners...)

      • withinboredom 3 hours ago
        The main issue is that there isn't any governance to the plugin store. Once you have a plugin in there, you have free rein to do whatever you want with it. Getting it in there is a PITA though. For example, a library author and I created a plugin, but they wouldn't let me submit it because I wasn't the other author, and they wouldn't let him submit it because he wasn't me. True story.
        • kassner 3 hours ago
          TBF there is some scrutiny on existing plugins, the team is just extremely understaffed (it’s run by volunteers after all). I got involved in a plugin that ended up getting de-listed for some minor ToS violations after several years of being “fine”, they re-reviewed the plugin with the same rigor as a new submission.
          • chuckadams 2 hours ago
            Kudos to these volunteers, but as long as one single company continues to insist on owning all the resources of the plugin and theme directories, I don't think they deserve to continue profiting from volunteer labor.
        • RobotToaster 1 hour ago
          There's also the fact that Matt Mullenweg (the guy who owns automattic) has made hostile takeovers of plugin pages before
      • chippiewill 3 hours ago
        > WordPress is a nice piece of software, but the plugin situation is getting worse and worse

        The plugin situation is a mess largely because Wordpress isn't a nice piece of software.

        It's popular, and functionally it's great, but the codebase is really showing its age. Wordpress has never properly rearchitected because it would break plugins on a scale that would endanger its dominance.

        • ollybee 2 hours ago
          There's a whole industry of people selling solutions to WordPress's failings, all of whom have strong incentives for it not to be properly improved.
        • pessimizer 2 hours ago
          > the codebase is really showing its age.

          It's not age, it started very, very bad. If they'd fixed the horrible schema and the code a decade and a half ago, plugins would have been a lot easier to write (and a lot safer.)

      • whycome 3 hours ago
        My favorite current plugin woe is where it completely changes what it does but keeps the same name and it's all a part of its 'update'
      • kstrauser 3 hours ago
        To an outsider, its entire plugin ecosystem is so odd. Like the conversation about “nulled” plugins, where someone removes license-checking code from GPL-licensed plugins and then redistributes them, and whether that’s moral, or even legal, which of course it is, because that’s the entire point of the GPL.
      • devnull3 3 hours ago
        > which provided a link to the live version

        Even if that is the case, the backend must validate.

  • dboreham 2 hours ago
    Quirk? Surely a bug?
    • philipwhiuk 2 hours ago
      It's not a bug if it's the expected behaviour
      • bitlevel 2 hours ago
        It's not a bug - it's a feature.