The OBR could have been accidentally leaking Budget documents for years, according to a shocking report today.
The possibility was raised by a probe into the extraordinary episode that saw Rachel Reeves‘ package published 45 minutes before she started speaking last week.
It blames a technical glitch making the URL unexpectedly accessible rather than hacking, suggesting it was not simply that officials inadvertently put the material online too early.
However, the assessment notes that the same issue has existed previously – and uncovered evidence that the documents might also have been accessed prematurely during the last Budget.
That opens questions about whether people could have been able to profit from early knowledge of what was in the announcements.
One unique IP address made 32 attempts to get the document from the web address before it went live, indicating that the user was anticipating the mistake.
It was then downloaded 43 times between 11.41am and 12.07pm, when scrambling staff finally managed to take it offline.
Following the publication of the report, OBR chief Richard Hughes announced he was resigning to allow the OBR to ‘quickly move on from this regrettable incident’.
Treasury minister James Murray told MPs this afternoon there had been ‘systemic’ failure, pointing to the conclusions that management should have been reviewing safeguards – and ‘market sensitive information’ had been released.
Baroness Sarah Hogg and Dame Susan Rice – non-executive directors of the OBR – said in a foreword that it was the ‘worst failure’ in the organisation’s 15-year history.
‘It was seriously disruptive to the Chancellor, who had every right to expect that the EFO would not be publicly available until she sat down at the end of her Budget speech, when it should, as is usual, have been published alongside the Treasury’s explanatory Red Book.
‘The Chair of the OBR, Richard Hughes, has rightly expressed his profound apologies.’
The two non-executive directors added: ‘The ultimate responsibility for the circumstances in which this vulnerability occurred and was then exposed rests, over the years, with the leadership of the OBR.’
The Chancellor has offered only lukewarm support for Richard Hughes amid Treasury anger at the Budget leak and revelations about when she was told there was no hole in the public finances
The OBR could have been accidentally leaking Budget documents for years, according to a shocking report today
Keir Starmer used a press conference to jibe at the ‘significant error’ over the Budget leak and question the judgment of the independent body
Kemi Badenoch insisted the Chancellor must not sack the OBR chief
Sir Keir again kept referring to the OBR’s £16billion productivity downgrade this morning – but as this chart shows the full economic forecast actually left Ms Reeves with £16billion more to play with than in March
The report said: ‘There is, in the view of our expert technical adviser Professor Ciaran Martin, nothing to suggest that the failure to protect the Economic and fiscal outlook (EFO) from premature access during a pre-publication period of 38 minutes on 26 November was the result of hostile cyber activity by foreign actors or cyber criminals, or of connivance by anyone working for the OBR.
‘Nor was it simply a matter of pressing the publication button on a locally managed website too early.
‘The cause, which appears to have been pre-existing, was, in essence, configuration errors which reflected systemic issues.
‘These led to a failure to ensure the protections which hide documents from public view immediately before publication were in place.’
The report said the OBR wrongly assumed that ‘the protections provided’ by WordPress would ensure sites could not be accessed, even though the addresses were easily guessable.
It also said the Download Monitor plug-in for WordPress, which bypassed the need for authentication, was ‘not understood’ within the OBR and should not have been used.
The report added: ‘In short, the technical causes of the premature access were two mutually contributory configuration errors, one in the configuration and use of Download Monitor, a third-party WordPress plug-in, and one in the configuration of WordPress and the underlying server.’
The report – conducted with assistance from national cyber security boss Professor Martin – said it had ‘become clear that the OBR publication process was essentially technically unchanged from EFOs in the recent past’.
‘This gives rise to the question as to whether the problem was a pre-existing one that had gone unnoticed,’ the assessment said.
‘In the short time available, we have only analysed the traffic for the March 2025 EFO.
‘The correct time of publication would have been 13:06, when the Chancellor finished speaking.
‘Public records indicate that that is when it appeared on the OBR’s website in the normal, generally accessible way.
‘However, the logs show that one IP address successfully accessed the document at 12:38, five minutes after the Chancellor had started speaking and nearly half an hour before publication.
‘It is not known what, if any, action was taken as a result of this access and there is no evidence at this stage of any nefarious activity arising from it.’
Mr Murray told the Commons: ‘That market sensitive information have been prematurely accessible to a small group of market participants is extremely concerning.
‘That it might have been the case on more than one occasion is even more severe. We do not know at this stage the extent to which market behaviour may have been affected on this or other occasions as a result of information being available early.
‘But I do want to share one further bit of information from the report with the House today – on the morning of the Budget, the first IP address to successfully access the EFO had made 32 prior attempts that day, starting at around 5am.
‘Such a volume of requests implies that the person attempting to access the document had every confidence that persistence would lead to success at some point, and this unfortunately leads us to consider whether the reason they tried so persistently to access the EFO is because they have been successful at a previous fiscal event.’
The PM used a press conference on Monday morning to jibe at the ‘significant error’ over the Budget leak and question the judgment of the independent body.
Tensions have also been raging over the OBR revealing explosive details of when it told Ms Reeves there was no hole in the public finances.
That has fuelled widespread fury that she lied by talking up problems in the run-up, to soften up Britons for huge tax hikes.
Sir Keir said earlier today: ‘I’m not going to suggest that what happened last week, which was the entire Budget being published before the Chancellor got to her feet, was not anything other than a serious error.
‘This was market sensitive information. It was a massive discourtesy to parliament. It’s a serious error, there’s an investigation that’s going on.
‘But as for the OBR itself, I’m very supportive of the OBR for the reasons I’ve set out – vital for stability, vital and integral to our fiscal rules, which I’ve said a number of times are ironclad.’
Sir Keir also vented frustration at the OBR’s decision to do a long-term productivity review now – although the impact was more than offset by other forecasting changes.
‘Well, I’m not angry at the productivity review,’ the premier said.
‘It’s a good thing that reviews like that have done from time to time. I’m bemused.
‘Myself, I feel that doing at the end of last government and before we started might have been a good point to do a productivity review so we could know exactly what we were confronted with.
‘Doing it 15, 16, months into a government, it had to be done sometime, but picking up the tab for the last government’s failure – it’s been the nature of the beast, frankly, for the last 16 months, but it was given a special emphasis in that exercise.
‘I’m not angry, I’m just bemused as to why it wasn’t done at the end of the government rather than done now, but I’m not saying that these reviews aren’t important et cetera.’
Ms Reeves was left wriggling in interviews yesterday as she was confronted with details of how she talked up the problems in the government’s books, even after the OBR had advised her they were in fact forecasting a small surplus.
The timetable was spelled out in a letter from the independent body to MPs, published on Friday.
That drew a rare public rebuke from the Treasury, which said it had been assured such information would not ‘usually’ be made public in future.
Asked about the fate of the OBR chief yesterday, Ms Reeves said: ‘Look, there is no one who is a bigger supporter of the office for Budget Responsibility than me.
‘I reappointed Richard Hughes in the summer to strengthen the powers of the OBR…
‘It was clearly serious. It was clearly a serious breach of protocol.’
After the OBR letter was published on Friday, a Treasury spokesman said: ‘We are not going to get into the OBR’s processes or speculate on how that relates to the internal decision making in the build up to a Budget but the Chancellor made her choices to cut the cost of living, cut hospital waiting lists and double headroom to cut the cost of our debt.
‘We take Budget security extremely seriously and believe it’s important to preserve a private space for Treasury–OBR policy and forecast discussions, so we welcome the OBR’s confirmation that this will not become usual practice.’
Ms Reeves was left wriggling in interviews yesterday as she was confronted with details of how she talked up the problems in the government’s books, even after the OBR had advised her they were in fact forecasting a small surplus
