Official budget forecasts were accessed almost 25,000 times before they were officially published following a leak in the Office for Budget Responsibility, according to new research by the UK’s cyber security agencies.
A report from the National Cyber Security Center found that documents produced by the Office for Budget Responsibility were downloaded “at least” 24,701 times in the hour before Rachel Reeves gave her budget speech on November 26.
The number is well above the 43 downloads mentioned in an initial internal review. The NCSC said the first full download of the OBR forecasts came just after 11.35am on Budget day, almost an hour before the Chancellor addressed the House of Commons, after more than 500 attempts to access them failed.
According to the report, links to the documents then spread rapidly on social media, leading to tens of thousands of downloads. Within 30 minutes, there were 20,547 successful downloads from more than 10,000 unique IP addresses.
The investigation also found that Ms Reeves’ spring statement had been accessed 16 times last March before the speech, contradicting previous claims that there had been no prior access.
The leak led to the resignation of Richard Hughes, who resigned as OBR chairman after the organization described the incident as the worst failure in its 15-year history.
The early release of the forecasts confirmed several budget measures ahead of the speech, including changes for middle-income homeowners and an expansion of hidden tax measures. The revelation is understood to have caused significant disruption in the final moments before the Chancellor’s address.
Kenny MacAulay, managing director of accounting software company Acting Office, criticized the handling of sensitive information. “It is hard to imagine that market-sensitive data could end up in the hands of tens of thousands of people due to sloppy document management in the run-up to such an important event,” he said. “Basic compliance requirements should prevent leaks of this nature.”
Graeme Stewart, head of public sector at Check Point, said the breach posed serious risks. “With tens of thousands able to access the full economic forecast in advance, the possibility of market manipulation by hackers or fraudsters is enormous,” he said, calling for a fundamental rethink of publication processes.
Mr Hughes’ departure followed weeks of tension between the Treasury and the OBR after the regulator downgraded its long-term growth outlook for the UK economy. Ms Reeves was later accused by critics of misleading the public about the state of public finances after government briefings painted a bleaker picture than subsequent data suggested.
The Treasury Department said it was taking steps to strengthen security and protect the integrity of economic forecasts. Future OBR documents will now only be published via the government’s official website to prevent a repeat of the breach.
