New detail published on how last year’s Budget leak happened

Budget, News,

The government has now published its Review into the 2025 Autumn Budget leak, explaining how the Office for Budget Responsibility’s (OBR) Economic and Fiscal Outlook (EFO) was accessible online an hour before the Chancellor was due to speak.

The Review sets out measures that will be taken to prevent future leaks.

What actually happened?

The National Cyber Security Centre’s investigation agreed with the OBR’s initial investigation, which found that the leak was a result of repeated attempts to access the webpage holding the EFO, rather than a hostile cyber-attack.

The fault lay in a ‘misconfiguration in the OBR’s website’. This meant that the webpage holding the report was accessible earlier than the OBR intended. Users who guessed the webpage address correctly based on previous reports were able to access the EFO early.

The investigation found that around 520 of the 534 early access attempts were linked to just four IP addresses from the same internet provider. Investigators believe it is reasonable to assume this was the same individual or organisation.

The one or more individuals who secured early access seem to have then used social media and messaging apps to spread word of the early access. In all, the EFO was downloaded 24,701 times before the mistake was noticed.

What will change for the future?

The OBR is due to publish an EFO at the time of the Spring Forecast announcement on 3 March 2026. Historically, the OBR has published these reports on its own website rather than a government website in order to maintain its independence.

However, because of the sensitivity of the information contained in the EFO, it will in future be published on GOV.UK by HM Treasury. HM Treasury stated that doing this will not give it access to any information ahead of time of which it is not already aware.

For future EFO and other market-sensitive publication releases, it’s planned that OBR will move to using GOV.UK.

In readiness for the 2026 Budget, likely to be held in the autumn, there are plans to bring in other internal measures that will enhance security and limit data access.

If you’d like to read the Budget Information Security Review in full, you can do so here

Business News

We send regular updates that keep clients aware of changes and suggestions on a wide range of subjects; if you’d like to receive those too, just add your details below and we’ll do the rest! We promise not to bombard you and you can unsubscribe at any time.

  • This field is for validation purposes and should be left unchanged.
If you've found this post helpful, please share it with others…