Archie Mitchell,Business reporterand
Faisal Islam,Economics editor
Getty ImagesThe Office for Budget Responsibility (OBR) has said the early publication of a key Budget document was the worst failure in its 15-year history but it was inadvertent.
The UK’s official forecaster confirmed the market-sensitive report was accessed 43 times from 32 different computers in the hour before the chancellor’s speech.
OBR chairman Richard Hughes called in a leading cyber-security expert to investigate how the crucial document was put on its website too early.
At the time, Mr Hughes said he was “personally mortified” by the mistake and acknowledged the “deep disruption” it caused.
On Monday its report into the mishap concluded it had “inflicted heavy damage on the OBR’s reputation”.
“It is the worst failure in the 15-year history of the OBR,” the report said.
It added: “It was seriously disruptive to the Chancellor, who had every right to expect that the EFO (economic and fiscal outlook) would not be publicly available until she sat down at the end of her Budget speech, when it should, as is usual, have been published alongside the Treasury’s explanatory Red Book.”
Chancellor Rachel Reeves’s Budget was thrown into chaos when the OBR’s forecast – which contained the measures she was about to announce – was discovered online.
The OBR assesses the health of the UK’s economy. It is independent of the government but works closely with the Treasury.
Its reports are released alongside big government events such as the Budget.
Details of the Budget are supposed to be kept under wraps until the chancellor announces them in the House of Commons, due to them being market-sensitive.
But early publication of the OBR’s report effectively confirmed a number of new measures, including a pay-per-mile charge on electric vehicles, and a three-year freeze on income tax and National Insurance thresholds.
The OBR quickly removed the forecast document from its website and apologised for the release, which it blamed on a “technical error”. Monday’s report also found that somebody gained early access to the equivalent financial forecasts in March while Reeves was delivering her Spring Statement, though they did not act on the information.
Despite having brought in Ciaran Martin, the former chief executive of the National Cyber Security Centre to lead the investigation, the OBR concluded there was no reason to suspect the involvement of foreign actors or cyber-criminals, or of “connivance by anyone working for the OBR”.
Prof Martin’s technical account was that the OBR analysis was available at a hidden url for 38 minutes between 11:30 and 12:08 on the morning of the Budget. The document was accessed 43 times from 32 different IP addresses.
An attempt was made to access the URL as early as 05:16. The review did not seek to trace who accessed or attempted to access the document.
Prof Martin concluded this was a pre-existing weakness in the OBR publication system, because, unknown until now, at the Spring Statement in March, there was a “premature access” to that OBR forecast web address, five minutes after the chancellor started giving her Commons speech, but half an hour before normal publication.
Prof Martin suggests this could have been accidental, but it led him to conclude the issue was not new.
On the reason for the early publication, Prof Martin said it was related to the software the OBR chose to publish to its website, which was more suitable for a small or medium company than a major publication of critical market-sensitive data. While OBR staff thought they had applied safeguards to prevent early publication, the way in which they were set up on the publishing platform WordPress effectively bypassed these controls.
The OBR got an exemption in 2013 from using a more secure government publishing platform for independent authorities in order to help with its autonomy. In other IT security areas, such as secure email, the OBR had adopted the secure Treasury systems.
The OBR’s report also hit out at the slew of leaks seen in the run-up to the Budget, calling for them to be “taken very seriously by institutions from which leaks emerge”, and saying such leaks should be “greatly deplored”.
A Treasury spokesperson thanked the OBR for its report and said a minister would respond “in due course”.
