OBR Budget blunder had happened before, damning report reveals

1. News
2. UK
3. UK Politics

The report says ‘ultimate responsibility’ rests with the leadership of the OBR, raising major questions for the watchdog’s chair Richard Hughes

Sign up for the View from Westminster email for expert analysis straight to your inbox

Get our free View from Westminster email

Get our free View from Westminster email

I would like to be emailed about offers, events and updates from The Independent. Read our Privacy notice

The unprecedented leak of last week’s Budget was the worst failure in the Office for Budget Responsibility’s 15-year history, a damning new report has said, as it revealed the error had happened before during the chancellor’s spring statement.

The investigation concluded that the OBR’s leadership must take “immediate steps to change completely” how it publishes reports containing sensitive forecasts after official analysis documents were uploaded to the watchdog’s website, releasing details of the Budget almost an hour early.

The report raises major questions for OBR chair Richard Hughes, as it concluded that “ultimate responsibility” for the set of circumstances which led to leak rests with the leadership of the watchdog itself.

But it also said the Treasury and the Cabinet Office should have addressed the fact the OBR’s operation was “significantly underpowered” by the either changing the way it published its analysis documents or increasing the watchdog’s resources.

The Economic and Fiscal Outlook (EFO) document appeared online before the chancellor delivered her Budget, a significant blunder that prompted an immediate investigation by the OBR.

The fiscal watchdog apologised for the leak and launched an investigation with expert input from Professor Ciaran Martin, former head of the National Cyber Security Centre (NCSC).

The probe found that the early release of the documents was caused by two errors linked to the WordPress publishing site it used.

The report said the watchdog had wrongly assumed that, while it knew web addresses for its files follow a pattern, it assumed the protections provided by WordPress “would ensure it could not be accessed”.

It also said the download monitor plug-in for WordPress, which bypassed the need for authentication, was “not understood” within the OBR and should not have been used.

The damning report also revealed that the latest breach was not the first, admitting that the forecasts published alongside the March spring statement were also “accessed prematurely”.

Logs indicated the March forecast’s IP address was accessed five minutes after the chancellor started speaking to Parliament and nearly half-an-hour before it should have been published.

“There is no evidence of any activity being undertaken as a result of that access, and he concludes the most likely explanation is benign”, the report adds.

But Treasury minister James Murray told MPs he was “very concerned” to learn that the error may have seen the early release of previous forecasts.

He said: “That market sensitive information have been prematurely accessible to a small group of market participants is extremely concerning.

“That it might have been the case on more than one occasion is even more severe. We do not know at this stage the extent to which market behaviour may have been affected on this or other occasions as a result of information being available early.”

He also said the first IP address to successfully access the EFO had made 32 attempts that day, starting at around 5am - suggesting the person “had every confidence that persistence would lead to success”. “This unfortunately leads us to consider whether the reason they tried so persistently to access the EFO is because they have been successful at a previous fiscal event,” he said.

In the foreword to the report, Baroness Sarah Hogg and Dame Susan Rice, non-executive members at the OBR, said of the early publication: “It is the worst failure in the 15-year history of the OBR.

“It was seriously disruptive to the chancellor, who had every right to expect that the EFO would not be publicly available until she sat down at the end of her Budget speech, when it should, as is usual, have been published alongside the Treasury’s explanatory Red Book.

“The chair of the OBR, Richard Hughes, has rightly expressed his profound apologies.”

The two non-executive directors added: “The ultimate responsibility for the circumstances in which this vulnerability occurred and was then exposed rests, over the years, with the leadership of the OBR.

“The OBR is a small analytical organisation with resources that reflect its size. The twice-yearly task of publishing a large and sensitive document is out of scale with virtually all of the rest of its publication activities.

“Professor Martin notes that protocols for the EFO’s publication ‘reveal a well-planned but significantly underpowered operation(…) more akin to that used by a small or medium-sized business (which of course in size the OBR resembles)’.

“Responsibility for addressing this challenge by either changing the method of publication or substantially increasing the resources devoted to it rested over the years with the leadership of the OBR but also with the sponsoring department, the Treasury, and the Cabinet Office.”

Over the weekend, the chancellor declined to say whether she thought Mr Hughes would have to resign, but said she had “a huge amount of respect” for both him and his organisation.

Last week, Mr Hughes said he had been “mortified” by the leak and told an event hosted by the Resolution Foundation that he would resign if he lost the confidence of Rachel Reeves and the Commons Treasury Committee.

More about

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Most popular

Popular videos

Bulletin

Read next