OBR Budget blunder had happened before, damning report reveals
The unprecedented leak of last week’s budget was the worst failure in the Office for Budget Responsibility’s 15-year history, a new report has said, revealing the mistake had previously occurred during the chancellor’s spring statement.
The investigation concluded that the OBR leadership must take “urgent steps to completely change” the way it publishes reports containing sensitive forecasts after Budget details were published almost an hour early, after official analysis documents were uploaded to the watchdog’s website.
The report raises important questions for OBR chairman Richard Hughes; because it concludes that “ultimate responsibility” for the conditions that led to the leak lies with the watchdog’s leadership.
But he also said the Treasury and Cabinet Office needed to address the fact that its operation was “significantly weak” by changing the way the OBR published analysis papers or by increasing the watchdog’s resources.
The Economic and Fiscal Outlook (EFO) document was published online before the Chancellor announced his Budget; This was a significant error which led to the OBR immediately launching an investigation.
The financial watchdog apologized for the leak and launched an investigation with expert input from Professor Ciaran Martin, former head of the National Cyber Security Center (NCSC).
The investigation found that the premature publication of documents was due to two errors linked to the WordPress publishing site used.
The report said the watchdog made the erroneous assumption that even though he knew the web addresses of his files followed a pattern, he assumed that the protections provided by WordPress would “ensure that these files could not be accessed.”
He also said that the WordPress download tracking plugin, which bypasses the need for authentication, is “not understood” within OBR and should not be used.
The damning report also revealed that the latest breach was not the first, and acknowledged that the forecasts published along with the March spring statement were also “prematurely accessed”.
Records show the March forecast’s IP address was accessed five minutes after the Chancellor began speaking to Parliament and around half an hour before it was due to be published.
“There is no evidence that any activity was conducted as a result of this access, and he concludes that the most likely explanation is bona fide,” the report states.
In a foreword to the report, OBR non-executive members Baroness Sarah Hogg and Dame Susan Rice said of the initial publication: “This is the worst failure in the OBR’s 15-year history.
“This was seriously devastating for the Chancellor, who was right to expect that the EFO would not be made public until he sat at the end of his Budget speech, which should have been published alongside the Treasury’s explanatory Red Book as usual.
“OBR chairman Richard Hughes rightly expressed his deep apologies.”
Two non-executive directors added: “Ultimate responsibility for the circumstances in which this vulnerability occurred and was subsequently exposed lies with the leadership of the OBR over the years.
“The OBR is a small analytical organization with resources that reflect its size. The task of publishing a large and sensitive document twice a year is out of scale with almost all other publishing activities.
“Professor Martin notes that the protocols for broadcasting the EFO reveal a ‘well-planned but significantly underpowered operation (…) more like that used by a small or medium-sized business (similar in size to the OBR, of course)’.
“The responsibility for meeting this challenge, either by changing the method of publication or by significantly increasing the resources devoted to it, has been the responsibility of the OBR’s leadership over the years, as well as the sponsorship department, the Treasury and the Cabinet Office.”
At the weekend the chancellor refused to say whether he thought Hughes would have to resign but said he had “great respect” for both him and his organisation.
Last week Mr Hughes said he was “embarrassed” by the leak and told an event hosted by the Resolution Foundation that he would resign if he lost the trust of Rachel Reeves and the House of Commons Treasury Committee.
