Official Budget forecasts were accessed almost 25,000 times before their formal release after a leak at the Office for Budget Responsibility, according to a new investigation by the UK’s cyber security authorities.
A report by the National Cyber Security Centre found that documents prepared by the Office for Budget Responsibility were downloaded on “at least” 24,701 occasions in the hour before Rachel Reeves delivered her Budget speech on 26 November.
The figure is far higher than the 43 downloads cited in an initial internal review. The NCSC said the first full download of the OBR’s forecasts occurred shortly after 11.35am on Budget day, almost an hour before the Chancellor addressed the Commons, following more than 500 failed access attempts.
According to the report, links to the documents then spread rapidly on social media, leading to tens of thousands of downloads. Within 30 minutes, there were 20,547 successful downloads from more than 10,000 unique IP addresses.
The investigation also revealed that Ms Reeves’s Spring Statement last March had been accessed 16 times before the speech was delivered, contradicting earlier claims that there had been no prior access.
The leak prompted the resignation of Richard Hughes, who stepped down as OBR chairman after the organisation described the incident as the most serious failure in its 15-year history.
The premature release of the forecasts confirmed several Budget measures ahead of the speech, including changes affecting middle-income homeowners and an extension of stealth tax measures. The disclosure is understood to have caused significant disruption in the final moments before the Chancellor delivered her address.
Kenny MacAulay, chief executive of accounting software firm Acting Office, criticised the handling of sensitive information. “It beggars belief that market-sensitive data could fall into the hands of tens of thousands of people due to sloppy document management ahead of such an important event,” he said. “Basic compliance requirements should prevent leaks of this nature.”
Graeme Stewart, head of public sector at Check Point, said the breach exposed serious risks. “With tens of thousands able to access the full economic forecast in advance, the opportunity for market manipulation by hackers or fraudsters was immense,” he said, calling for a fundamental rethink of publication processes.
Mr Hughes’s departure followed weeks of tension between the Treasury and the OBR, after the watchdog downgraded its long-term growth outlook for the UK economy. Ms Reeves was later accused by critics of having misled the public over the state of the public finances, after government briefings painted a bleaker picture than subsequent data suggested.
The Treasury said it was taking steps to strengthen security and safeguard the integrity of economic forecasts. Future OBR documents will now be published exclusively via the government’s official website, in an effort to prevent a repeat of the breach.
Read more:
NCSC reveals Budget forecasts accessed almost 25,000 times before publication
