A story related to the recent woes at the Office for Budget Responsibility.

Ten years ago – on 9 December 2015 – the winners of the new Northern and TransPennine Express franchises were announced. I know, because I did a lot of the comms work on this, especially all of the behind-the-scenes stuff no-one notices, such as taking the DfT’s notes and dividing them into Rail North’s 11 director areas, or setting up the call centre, writing various briefing notes and drafting statements for releases.

And, the web site.

Because of the time (and cost) requirements of building something attached to our own content management system, I’d thrown something together in WordPress.

The evening before the announcement (8pm) I uploaded things to the website. Then I came in the next morning (7.30am), waited for the Stock Exchange announcement and then hit Publish (and did lots of other things).

You would never have been able to guess what the names of the assets were. I can’t, and I uploaded them. They might have started with the date in reverse order (2015-12-09), as is my habit, but that’s as far as I get.

Meanwhile, the OBR has suffered a loss of leadership and a drop in reputation… because a file name was easy to guess. And yet, they didn’t do anything different to what I did.

I did have a giggle when the news broke that they’d brought in a cyber expert to find out what went wrong… human error in making a file name guessable. That’s all.

You can’t – and I’ve checked with my own sites – get a file listing of all the documents in a folder with WordPress; it comes back with a 404 page. You literally have to know the file name, or make it guessable. I suspect that in the future they will, at least, add a random string of numbers and letters to the front of the file name.

I wonder what their passwords are like…
