Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Rachel Reeves’ market-sensitive Spring Statement was accessed many more times than previously thought after it was released online early by the UK fiscal watchdog in March last year, a review will say this week.
The Office for Budget Responsibility’s forecasts for the 2025 fiscal event were accessed a “low double digit” number of times, rather than the one time recorded in a probe by the watchdog, said two people familiar with an imminent report by the National Cyber Security Centre.
The NCSC will also say that the OBR’s separate leak of the November 2025 Budget was accessed tens of thousands of times, well above the 43 times recorded in the watchdog’s December investigation, the people added.
The findings of the review by the NCSC, a branch of signals intelligence agency GCHQ, are likely to raise fresh questions about the security of the OBR’s processes and if anyone benefited from its market-moving error late last year.
On November 26 the OBR published its economic and fiscal outlook — which contains market-sensitive economic forecasts, policy costings and judgments on the government’s fiscal rules — about an hour before the chancellor delivered the Budget.
The early release sparked volatile trading on bond markets on Budget day as investors sought to digest the near-200-page document and later led to the resignation of Richard Hughes as chair of the independent forecaster.
The people familiar with the NCSC report — which was commissioned by the Treasury and builds on a December report led by the OBR — said it would not identify the first people to access the Spring Statement and November Budget documents.
There will be no suggestion of a cyber attack in either case, they said.
The December report into the OBR breach — which described the episode as the “worst failure in the 15-year history” of the watchdog — said “a total of 43 requests . . . from 32 unique IP addresses” to the URL containing the Budget report were successful before it was taken down.
Referring to the Spring Statement, it added: “The logs show that one IP address successfully accessed the document at 12.38pm, five minutes after the chancellor had started speaking and nearly half an hour before publication.”
The report found there were “some indications” that the Spring Statement documents in March had been accessed from inside the government.
But one of the people familiar with the NCSC review said this was now “not certain”.
Ciaran Martin, former head of the NCSC who advised the OBR’s December report, said: “When I handed on my work to the NCSC team, I told them that logs not available to me in early December had emerged which would likely show far more downloads than initially thought. That seems to have been confirmed.
“From what I know the new data doesn’t change the fundamental story of how misconfiguration of publishing tools caused the error, how there were a small but sustained number of attempts to access the document before the media publication and the revelation that the previous financial statement in March 2025 was similarly vulnerable,” he added.
Calling for “deeper forensic examination” of processes around recent fiscal events, the OBR’s December report found that the watchdog routinely uploaded its documents online before publication time to facilitate “immediate and widespread access” to them at the appropriate time.
But the OBR wrongly assumed that it had configured its website, which it managed using WordPress software, to prevent early access.
The NCSC report will make a similar finding, the people said.
The OBR report cast blame on the Treasury and Cabinet Office for failing to fix flaws in the watchdog’s process but said “ultimate responsibility” for the leak lay “with the leadership” of the forecaster, set up in 2010.
The OBR and the Treasury declined to comment. The NCSC did not immediately respond to a request for comment.