The fiscal forecast by the Office for Budget Responsibility (OBR), which revealed the contents of the record-breaking tax rise budget, was accessed at 11.35am last Wednesday, about an hour before Ms Reeves stood up to deliver it.
An investigation ordered by the independent fiscal forecaster soon after the budget found there was “nothing to suggest” the premature access was the result of “hostile cyber activity by foreign actors or cyber criminals, or of connivance by anyone working for the OBR”.
“Nor was it simply a matter of pressing the publication button on a locally managed website too early,” the report says.
It concluded that “configuration errors” led to “a failure to ensure the protections which hide documents from public view immediately before publication were in place”.
“The ultimate responsibility for the circumstances in which this vulnerability occurred and was then exposed rests, over the years, with the leadership of the OBR,” the investigation said.
OBR chair Richard Hughes has been under pressure to explain the leak, which he immediately apologised for, and ordered the investigation.
It is also led by Professor David Miles and Tom Josephs, with Baroness Sarah Hogg and Dame Susan Rice as non-executive members.
There are 52 permanent staff, who are civil servants, with six of those working on the strategy, operations and communications team.
The report partly blamed the Treasury and the Cabinet Office, as the OBR’s IT services were moved onto the Treasury’s shared systems in 2023 to “align more closely with Treasury security arrangements”, particularly around the sharing of sensitive budget information between the OBR and Treasury.
It said the Treasury should pay “greater attention” when setting the OBR’s budget, currently £6.4m, to the need for adequate support.
The investigation said there was pressure on the small team involved to ensure the full economic and fiscal outlook was published when the chancellor sat down after giving her budget, so a pre-publication “facility” was used.
But this commonly used device created a “potential vulnerability if not configured properly” and had not received the same amount of attention by the OBR as it had placed on security of communications with the Treasury “during the long period of run-up to the budget”.
An outside web developer, who has helped the OBR team since it came into existence 15 years ago, assists the internal team and manages content and uploads at times of pressure, including the release of the budget forecast.
The report said the risks of this approach have increased over the years as technologies have developed and online threats have risen.
“With hindsight, it is clear that over the years this arrangement should have been regularly reexamined and assessed by the management of the OBR,” the report said.
It recommended the process for publishing forecasts should “immediately” be removed from the OBR’s locally managed website, which is a WordPress website, and published as part of a government website.
This breaking news story is being updated and more details will be published shortly.
Please refresh the page for the fullest version.
You can receive Breaking News alerts on a smartphone or tablet via the Sky News App. You can also follow @SkyNews on X or subscribe to our YouTube channel to keep up with the latest news.
