The leak occurred when Chancellor Rachel Reeves' Budget policies were published online before her Commons speech. Photo / Getty Images
The chairman of the UK’s Office for Budget Responsibility (OBR) has resigned after an inquiry found the watchdog’s Budget leak to be the “worst failure” in its history.
Richard Hughes stepped down after the release of a report into the OBR’s publication of Chancellor Rachel Reeves’ Budget policies on its website about 45 minutes before she spoke in the Commons.
The internal report, published on Monday, tried to shift some of the blame to the Treasury, concluding that its failure to give sufficient funding to the OBR’s online operation was partly to blame for the failings.
However, it also revealed that previous leaks had occurred but had gone unnoticed, fuelling concerns about security lapses under Hughes’ watch.
In a resignation letter to Reeves and Dame Meg Hillier, the chairman of the Treasury select committee, Hughes said he needed to “play my part in enabling the organisation that I have loved leading for the past five years to quickly move on from this regrettable incident”.
He added: “I have, therefore, decided it is in the best interest of the OBR for me to resign as its chair and take full responsibility for the shortcomings identified in the report.”
His resignation came two hours after the OBR published its report into the error, which said: “The ultimate responsibility for the circumstances in which this vulnerability occurred and was then exposed rests, over the years, with the leadership of the OBR.”
It added: “We are in no doubt that this failure to protect information prior to publication has inflicted heavy damage on the OBR’s reputation. It is the worst failure in the 15-year history of the OBR.
“It was seriously disruptive to the Chancellor, who had every right to expect that the Economic and Fiscal Outlook (EFO) would not be publicly available until she sat down at the end of her Budget speech, when it should, as is usual, have been published alongside the Treasury’s explanatory Red Book.
“The chair of the OBR, Richard Hughes, has rightly expressed his profound apologies.”
Hughes ordered an investigation last week after the fiscal watchdog published Reeves’ Budget policies early in a move the report said was “seriously disruptive” to the Chancellor.
The inquiry, led by Laura Gardiner, the OBR chief of staff, and advised by Professor Ciaran Martin, a former chief executive of the National Cyber Security Centre, rejected suggestions the leak was the result of a hack and instead exposed “pre-existing” weaknesses in the OBR’s IT systems.
Their report revealed that the Economic and Fiscal Outlook was available online between 11.30am and 12.08pm, and was accessed 43 times by 32 unique users during that time. The web address was the same as the one used for the fiscal statement in March, with only the month changed, making it relatively easy for people to find the documents.
The files were first accessed at 11.35am by a user who had tried to connect to it on more than 30 previous occasions. At 11.41am, the details were leaked by Reuters – almost an hour before the Chancellor’s fiscal statement, which began just after 12.30pm.
It also emerged that previous documents had been published under Hughes’ watch in March, when the OBR’s assessment of Reeves’ financial statement was also published online half an hour before it should have been, but no one noticed.
The report authors said they did not have time to investigate whether anyone had gained access to other documents before publication, but said: “It appears that the March 2025 Economic and Fiscal Outlook was accessed prematurely on one occasion, though there is no evidence of any activity being undertaken as a result of that access, and he concludes the most likely explanation is benign.
“It is essential that a more detailed forensic digital audit of some of the most recent fiscal events is undertaken to establish, in so far as is possible from the data, whether these outstanding issues about the proper application of pre-publication procedures previously gave rise to other cases of premature access.”
The inquiry warned that last week’s leak fiasco could prompt dishonest attempts to obtain documents in advance at the next fiscal event, saying: “We believe that the security of the EFO is paramount, especially in spring 2026, not least because success among those seeking premature access this time will certainly encourage future attempts.”
However, the investigation said there was “nothing to suggest that the failure to protect” the documents “was the result of hostile cyber activity by foreign actors or cyber criminals, or of connivance by anyone working for the OBR”.
The report added: “Nor was it simply a matter of pressing the publication button on a locally managed website too early. The cause, which appears to have been pre-existing, was, in essence, configuration errors which reflected systemic issues. These led to a failure to ensure the protections which hide documents from public view immediately before publication were in place.”
The watchdog’s report did attach some blame to the Treasury, finding that the OBR had been left “under-resourced for the task” of publishing the documents online.
The report also called on the Treasury to give the OBR more funding to improve the security of its website.
“We are therefore strongly of the view that completely new arrangements should be put in place for the publication of these major market and time-sensitive documents,” it said.
The report continued: “Tension is evident between the need to limit spending on arrangements which are only put to the test twice a year, and to limit the use of scarce resources on these events, with the need to ensure adequate protection through the process.
“The OBR does not have an ‘IT department’; responsibility is carried by very few individuals with many other tasks to fulfil. We recommend that the Treasury, in setting the OBR’s Budget, pays greater attention to the need for adequate support to be provided and/or adequate expertise to be fully funded.”
As well as calling on the Treasury to give it extra funding to allow it to beef up its security, the report also recommended that the OBR carry out an urgent review into the way it runs its website and called on other government departments to review their security arrangements.
Sign up to Herald Premium Editor’s Picks, delivered straight to your inbox every Friday. Editor-in-Chief Murray Kirkness picks the week’s best features, interviews and investigations. Sign up for Herald Premium here.