Budget Documents Downloaded Thousands of Times Before Official Release
An official report into a significant budget leak has revealed that sensitive fiscal documents were accessed nearly 25,000 times before their formal release, raising serious questions about the data handling protocols of the UK's fiscal watchdog. The National Cyber Security Centre (NCSC) investigation identified at least 24,701 successful downloads of the budget document, a staggering increase from the initial review that had spotted just 43 accesses.
Timeline of the Security Breach
The first successful request to access the budget materials occurred at 11:35 on 26th November, according to the NCSC findings. The IP address responsible for this initial access had made 32 unsuccessful attempts throughout the morning before finally gaining entry to the sensitive documents. Within minutes, Reuters began publishing details of the budget at 11:41, with the full documents subsequently circulating widely across social media platforms.
This premature publication created substantial embarrassment for the Office for Budget Responsibility, ultimately forcing the resignation of Richard Hughes from his position as chair. The leak exposed all details of the government's final budget before Chancellor Rachel Reeves had the opportunity to deliver her official speech to Parliament.
Additional Security Vulnerabilities Uncovered
The NCSC investigation also discovered that the spring statement in March had been accessed 16 times rather than the single instance initially identified. The report concluded that the documents became publicly available due to a "misconfiguration of the way in which WordPress was implemented" rather than hostile cyber activity or premature manual publication.
Government Response and Reforms
In response to these security failures, the NCSC has recommended that all market-sensitive publications should be published exclusively through the official GOV.UK platform in future. The Treasury conducted its own review into the handling of sensitive information following a separate leak to the Financial Times that revealed ministers had abandoned a proposal to increase a key levy by 2p in the run-up to the budget.
Although investigators were unable to identify the source of this particular leak, the Treasury announced a series of internal changes designed to limit access to market-sensitive information. Fewer officials will now have clearance to view such materials before their official release dates.
Changes to Budget Forecasting Procedures
The Treasury has also announced that the Office for Budget Responsibility will not publish the full forecast timetable ahead of the 2026 Spring Statement. This represents a significant shift from current practice where the OBR creates multiple 'pre-measures' forecasts that assess the economy's health without considering government policy impacts.
These forecasts, which determine the Chancellor's available fiscal space, are typically prepared according to a pre-published timetable that allows commentators to speculate about potential changes based on macroeconomic developments. The Treasury noted that "the nature of the OBR's pre-measures forecast, and how it may change between each of the pre-measures forecast rounds, is often the subject of considerable debate and speculation by economic commentators and the media."
The OBR will now reconsider whether the current approach to publishing its timetable continues to support transparency and stability ahead of Budget 2026, marking a potential turning point in how sensitive economic information is managed and released to the public.
