The unprecedented leak of last week’s Budget was the worst failure in the Office for Budget Responsibility’s 15-year history, a damning new report has said, as it revealed the error had happened before during the chancellor’s spring statement.
The investigation concluded that the OBR’s leadership must take “immediate steps to change completely” how it publishes reports containing sensitive forecasts after official analysis documents were uploaded to the watchdog’s website, releasing details of the Budget almost an hour early.
The report raises major questions for OBR chair Richard Hughes, as it concluded that “ultimate responsibility” for the set of circumstances which led to the leak rests with the leadership of the watchdog itself.
But it also said the Treasury and the Cabinet Office should have addressed the fact the OBR’s operation was “significantly underpowered” by either changing the way it published its analysis documents or increasing the watchdog’s resources.
The Economic and Fiscal Outlook (EFO) document appeared online before the chancellor delivered her Budget, a significant blunder that prompted an immediate investigation by the OBR.
The fiscal watchdog apologised for the leak and launched an investigation with expert input from Professor Ciaran Martin, former head of the National Cyber Security Centre (NCSC).
The probe found that the early release of the documents was caused by two errors linked to the WordPress publishing site it used.
The report said that, while the watchdog knew web addresses for its files follow a pattern, it had wrongly assumed the protections provided by WordPress “would ensure it could not be accessed”.
It also said the download monitor plug-in for WordPress, which bypassed the need for authentication, was “not understood” within the OBR and should not have been used.
The damning report also revealed that the latest breach was not the first, admitting that the forecasts published alongside the March spring statement were also “accessed prematurely”.
Logs indicated the March forecast’s IP address was accessed five minutes after the chancellor started speaking to Parliament and nearly half-an-hour before it should have been published.
“There is no evidence of any activity being undertaken as a result of that access, and he concludes the most likely explanation is benign”, the report adds.
In the foreword to the report, Baroness Sarah Hogg and Dame Susan Rice, non-executive members at the OBR, said of the early publication: “It is the worst failure in the 15-year history of the OBR.
“It was seriously disruptive to the chancellor, who had every right to expect that the EFO would not be publicly available until she sat down at the end of her Budget speech, when it should, as is usual, have been published alongside the Treasury’s explanatory Red Book.
“The chair of the OBR, Richard Hughes, has rightly expressed his profound apologies.”
The two non-executive directors added: “The ultimate responsibility for the circumstances in which this vulnerability occurred and was then exposed rests, over the years, with the leadership of the OBR.
“The OBR is a small analytical organisation with resources that reflect its size. The twice-yearly task of publishing a large and sensitive document is out of scale with virtually all of the rest of its publication activities.
“Professor Martin notes that protocols for the EFO’s publication ‘reveal a well-planned but significantly underpowered operation (…) more akin to that used by a small or medium-sized business (which of course in size the OBR resembles)’.
“Responsibility for addressing this challenge by either changing the method of publication or substantially increasing the resources devoted to it rested over the years with the leadership of the OBR but also with the sponsoring department, the Treasury, and the Cabinet Office.”
Over the weekend, the chancellor declined to say whether she thought Mr Hughes would have to resign, but said she had “a huge amount of respect” for both him and his organisation.
Last week, Mr Hughes said he had been “mortified” by the leak and told an event hosted by the Resolution Foundation that he would resign if he lost the confidence of Rachel Reeves and the Commons Treasury Committee.
