Phil Kohler 🔶
leamingtonphil.bsky.social
Proud to be Lib Dem councillor for Leamington Lillington. Still furious about the stupidity called Brexit.
I don’t know the skillset of the CoS or their deputy, for example, but “Strategy, operations and Communications (5 people)” is tiddly.
December 1, 2025 at 7:37 PM
When the file in question has the potential to move financial markets, you really should be absolutely sure that no one can access it early.
December 1, 2025 at 7:31 PM
Given how small an organisation the OBR is, that is a very fair point.

I’d also love to know whether the website featured on their risk register. And whether they had ever asked for more budget to upgrade it, etc.
December 1, 2025 at 7:04 PM
True - but it seems that doesn’t cover their website - see paragraph 1.7.
December 1, 2025 at 6:05 PM
Exactly this.
December 1, 2025 at 5:56 PM
Surely there is a moral here that anyone who becomes the boss of pretty much any organisation these days (let alone one handling very sensitive information) must make sure that their IT will stand up to scrutiny. Assurance rather than micromanagement.
December 1, 2025 at 5:55 PM
I’ve a horrible feeling the OBR didn’t have an IS policy at all…
December 1, 2025 at 5:49 PM
Apologies - I overdid the snark.

But the report shows a horrifying lack of awareness of the risks that the OBR were living with.

I tried to summarise some of them:

bsky.app/profile/leam...
Well this is fascinating in a car-crash, keep-you-awake-at-night and give-you-nightmares-for-weeks-afterwards kind of way.
December 1, 2025 at 5:48 PM
Or to put it another way, if the leader of an organisation doesn’t understand the environment that it operates in, they should not be leading that organisation.
December 1, 2025 at 5:33 PM
The report portrays an organisation uninterested in the risks it was taking. I don’t see how he could do anything else except resign.
December 1, 2025 at 5:31 PM
The report portrays an organisation uninterested in the risks it was taking. I don’t see how he could do anything else except resign.
December 1, 2025 at 5:10 PM
Except the report showed that he led an organisation that wasn’t interested in the risks it was taking. Amazing (and ironic?) that he waited for the report to be published.
December 1, 2025 at 4:45 PM
The report shows an organisation uninterested in the risks it was taking. I don’t see how the leader of such an organisation could survive it being exposed in such a humiliating way.
December 1, 2025 at 4:42 PM
I think his problem is that the report into the “publication error” implies an organisation disinterested in the risks it was taking. And surely that is the fault of whoever is at the top?
December 1, 2025 at 4:12 PM
Obviously journalists were among those looking for it (and congratulations must go to Reuters for exposing it), but there is nothing to suggest that they were the only one hoping to hit the jackpot.
December 1, 2025 at 4:02 PM
It just leaps out at you - this single sentence encapsulates everything that went wrong, and implicates the leadership as being disinterested in the risks they were taking.
December 1, 2025 at 3:59 PM
Very happy to save them the time and money of doing that review - no it isn’t.
December 1, 2025 at 3:55 PM
How to encapsulate the total ineptitude of an organisation in a single quote.
December 1, 2025 at 3:51 PM
Totally agree. It would be interesting to know if they were happy with their systems or if budget requests to do it properly had been turned down.
December 1, 2025 at 3:49 PM
Anyway, the report gives a fascinating insight into a Government body gone rogue - and getting caught.

obr.uk/docs/dlm_upl...
December 1, 2025 at 3:42 PM
I would have expected a small batch of policies, first amongst equals being “Information Security Policy”.

I suppose they might be there, but if so, surely the report would have established if they were being followed?
December 1, 2025 at 3:42 PM
And the bad?

There is no mention of the word “policy” in the report. It seems the OBR had opted out of some of the Government’s IT environment, but there is no mention of what controls it had put around its own infrastructure.
December 1, 2025 at 3:39 PM
Two other thoughts - one good, one bad.

First the good. Paragraph 2.12 shows that they have thought to look back at a previous event - and it looks like they may have been lucky. This “vulnerability” could have been known about and exploited for years, but it seems probable that it is more recent.
December 1, 2025 at 3:33 PM
But the “which was understood by all involved to be not publicly accessible” is just chef’s kiss level of awful.

It implies that no one at the organisation understood the software that constituted the public face of the organisation. And either no one had asked or had had approval to find out.
December 1, 2025 at 3:27 PM