OBR head resigns over Budget leak

Archie Mitchell, Business reporter, and Faisal Islam, Economics editor

Chair of the OBR Richard Hughes has said he was "personally mortified" by the mistake

The Office for Budget Responsibility (OBR) has said the early publication of a key Budget document was the worst failure in its 15-year history but said it was inadvertent.

The UK's official forecaster confirmed the market-sensitive report was accessed 43 times from 32 different computers in the hour before the chancellor's speech.

OBR chairman Richard Hughes called in a leading cyber-security expert to investigate how the crucial document was put on its website too early.

At the time, Mr Hughes said he was "personally mortified" by the mistake and acknowledged the "deep disruption" it caused.

On Monday its report into the mishap concluded it had "inflicted heavy damage on the OBR's reputation".

"It is the worst failure in the 15-year history of the OBR," the report said.

It added: "It was seriously disruptive to the chancellor, who had every right to expect that the EFO (economic and fiscal outlook) would not be publicly available until she sat down at the end of her Budget speech, when it should, as is usual, have been published alongside the Treasury's explanatory Red Book."

Chancellor Rachel Reeves's Budget was thrown into chaos when the OBR's forecast - which contained the measures she was about to announce - was discovered online.

The OBR assesses the health of the UK's economy. It is independent of the government but works closely with the Treasury.

Its reports are released alongside big government events such as the Budget.

Details of the Budget are supposed to be kept under wraps until the chancellor announces them in the House of Commons.

But early publication of the OBR's report effectively confirmed a number of new measures, including a pay-per-mile charge on electric vehicles, and a three-year freeze on income tax and National Insurance thresholds.

The OBR quickly removed the forecast document from its website and apologised for the release, which it blamed on a "technical error". Monday's report also found that somebody gained early access to the equivalent financial forecasts in March while Reeves was delivering her Spring Statement, though they did not act on the information.

Despite having brought in Ciaran Martin, the former chief executive of the National Cyber Security Centre, to lead the investigation, the OBR concluded there was no reason to suspect the involvement of foreign actors or cyber-criminals, or of "connivance by anyone working for the OBR".

Prof Martin's technical account was that the OBR analysis was available at a hidden URL for 38 minutes between 11:30 and 12:08 on the morning of the Budget. The document was accessed 43 times from 32 different IP addresses.

An attempt was made to access the URL as early as 05:16. The review did not seek to trace who accessed or attempted to access the document.

Prof Martin concluded this was a pre-existing weakness in the OBR publication system, citing the premature access to March's forecasts. He said that breach, which came half an hour before the forecasts should have been published, could have been accidental, but it led him to conclude the issue was not new.

On the reason for the early publication, Prof Martin said it was related to the software the OBR chose to publish to its website, which was more suitable for a small or medium company than a major publication of critical market-sensitive data.

While OBR staff thought they had applied safeguards to prevent early publication, there were two errors in the way in which they were set up on the publishing platform WordPress that effectively bypassed these controls.

WordPress is a content management system, and is said to be the most popular tool of its kind for creating and designing web pages.

One error was to do with a plug-in (an optional extra) the OBR had installed in WordPress, which had the unintended effect of bypassing the need to log in to access documents intended for future publication.

The second was that the directory in which the file was put ahead of publication allowed anyone to download a file directly.

The OBR got an exemption in 2013 from using a more secure government publishing platform for independent authorities in order to help with its autonomy. In other IT security areas, such as secure email, the OBR had adopted the secure Treasury systems.

The OBR's report also hit out at the slew of leaks seen in the run-up to the Budget, calling for them to be "taken very seriously by institutions from which leaks emerge", and saying such leaks should be "greatly deplored".

A Treasury spokesperson thanked the OBR for its report and said a minister would respond "in due course".
