Cyber Brief: OBR leak probe, London councils attack and Scottish audit

Today brings a high-profile UK leak review, continuing disruption across London local government and a reminder from Scotland that recovery from major incidents takes sustained effort. Each item underscores leadership accountability, resilience in public services and lessons that translate to every sector.

OBR investigates pre-Budget leak and commissions independent cyber review

The Office for Budget Responsibility is examining how elements of its Economic and Fiscal Outlook were accessed externally ahead of the Budget announcement. An independent cyber review has been commissioned to assess controls around pre-release materials and recommend improvements. Early reporting suggests process and access control weaknesses rather than a sophisticated intrusion, but the reputational impact is material.
For organisations handling market-sensitive or embargoed content, the lesson is clear. Treat draft material like production data, with strict least-privilege access, environment segregation and immutable logging. Any pre-release workflow should include a named approvals chain, short-lived access tokens and explicit audit of every touchpoint where files are stored or shared. Simulated dry-runs before publication help identify weak spots, while rapid incident playbooks can contain damage if details surface prematurely.

Why it matters
Information handling is a board-level risk. Missteps can move markets, undermine stakeholder trust and trigger regulatory scrutiny. Strengthen change control around sensitive publications and verify that access trails are complete and reviewable.

Source
UK national media coverage

Multiple London councils activate emergency plans after cyber attacks

Several London boroughs have reported cyber incidents affecting shared IT services and citizen-facing systems. Emergency protocols were enacted while national agencies support investigation and recovery. As a precaution, some online services and telephony were restricted to protect data and prioritise essential operations.
Shared platforms offer efficiency, but they also concentrate risk if tenant isolation or supplier assurance is inconsistent. Incidents in complex public-sector environments require multi-agency coordination, which can slow response and complicate communications. The present disruption again highlights legacy constraints and resourcing pressure in local government, alongside the need for clear public updates that balance transparency with operational security.

Why it matters
Where services or platforms are shared, validate technical segregation, independent logging and coordinated cross-borough playbooks. Pre-agree fallback processes for revenue collection, casework and vulnerable resident support so essential services continue while containment work proceeds.

Source
Computer Weekly and other UK trade press

Audit highlights persistent resilience gaps after Scottish council ransomware

A new audit update on a Scottish local authority that suffered ransomware in 2023 finds recovery still in progress, with pressure on staff and ongoing gaps in resilience. The report notes improvements but stresses sustained investment in backup architecture, identity controls and incident rehearsal. Two years on, the authority continues to rebuild and harden critical systems while maintaining day-to-day services.
The findings mirror a pattern across the public sector and beyond. The most painful lessons relate to backup integrity, privileged access hygiene and supplier coordination. Organisations that conduct regular offline restore tests, enforce strong authentication for administrators and keep supplier response playbooks current tend to reduce both downtime and the long tail of recovery costs. Clear executive ownership of recovery priorities also accelerates decision-making during prolonged incidents.

Why it matters
Measure resilience by how quickly priority services can be safely restored, not only by prevention metrics. Test restores, tighten privileged access and ensure suppliers can meet your recovery objectives.

Source
UK audit and technology press

Today’s Key Actions

1. Lock down pre-release materials with least-privilege, segregated environments and immutable logging.
2. For shared platforms, verify tenant isolation, independent logging and coordinated response choreography.
3. Rehearse offline restores of top business services and validate privileged access boundaries.
4. Prepare citizen or customer comms templates for rapid, clear updates during incidents.
5. Refresh executive risk reporting to cover information handling, shared-service dependencies and recovery readiness.

Secarma Insight

Incidents like these show that cyber risk is as much about how we operate as what attackers do. Strong governance for sensitive information, disciplined shared-service assurance and realistic recovery drills are the difference between a headline and a footnote. If you want a quick readiness check or a supplier uplift plan, we can help you prioritise and move fast.

Get in touch with us to prioritise your next steps and strengthen your security posture.