The chairman of the Office for Budget Responsibility (OBR) has resigned after an investigation into the leak of last week’s budget criticised the watchdog’s leadership.

Richard Hughes stepped down following the publication of a report into the early release of Rachel Reeves’s fiscal event.

The OBR’s official forecast, which revealed the contents of the record-breaking tax rise budget, was accessed at 11.35am last Wednesday, about an hour before the chancellor stood up to deliver it.

Latest updates from the Politics Hub

Image:
Rachel Reeves said she only found out about the leak when she was in the House of Commons

In a letter to Ms Reeves and the chairwoman of the Commons Treasury Committee Dame Meg Hillier, Mr Hughes said he was quitting to allow the OBR to “quickly move on from this regrettable incident”.

He said he took “full responsibility” for “the shortcomings identified in the report”.

Mr Hughes said: “By implementing the recommendations in this report, I am certain the OBR can quickly regain and restore the confidence and esteem that it has earned through 15 years of rigorous, independent economic analysis.”

More from Politics

An investigation ordered by the independent fiscal forecaster soon after the budget called the leak “the worst failure in the 15-year history of the OBR” and strongly criticised the watchdog’s processes for protecting sensitive information.

The probe found there was “nothing to suggest” the premature access was the result of “hostile cyber activity by foreign actors or cyber criminals, or of connivance by anyone working for the OBR”.

“Nor was it simply a matter of pressing the publication button on a locally managed website too early,” the report stated.

It concluded that “configuration errors” led to “a failure to ensure the protections which hide documents from public view immediately before publication were in place”.

“The ultimate responsibility for the circumstances in which this vulnerability occurred and was then exposed rests, over the years, with the leadership of the OBR,” the investigation said.

Please use Chrome browser for a more accessible video player

Did Rachel Reeves mislead the nation with her budget?

Kemi Badenoch claimed that Ms Reeves was trying to use Mr Hughes as a “human shield”.

The Conservative leader said on social media: “More serious questions for the chancellor as she tries to make Richard Hughes her human shield.

“Her actions have turned this into a full blown political crisis for the government. If [Prime Minister] Keir Starmer had a backbone, he would have sacked Reeves long ago.”

Mr Hughes had been under pressure to explain the leak, which he immediately apologised for, and ordered the investigation.

It is also led by Professor David Miles and Tom Josephs, with Baroness Sarah Hogg and Dame Susan Rice as non-executive members.

There are 52 permanent staff, who are civil servants, with six of those working on the strategy, operations and communications team.

The report acknowledged the leak “changed the pattern of budget day to the chancellor’s disadvantage”.

Read more:
The budget’s key points
‘Of course I didn’t’ lie about budget forecasts – Reeves

OBR’s budget leak timeline on 26 November

5.10am: OBR website host emailed staff to confirm server modification to accommodate higher website traffic when the forecast is released

5.16am: A request was made to access the forecast document’s web address, but the PDF had not been uploaded yet. Between this time and 11.30am there were 44 unsuccessful requests to the URL from seven unique IP addresses

9am onwards: The web developer set up webpages in draft form in the content management system, creating IDS for all the downloads to be used across the website

11.02am: PDF documents were emailed to the web developer, including the forecast

11.03am-11.35am: The web developer began uploading documents to the draft area of the OBR website – which was understood by all involved not to be publicly accessible

11.35am: The first successful request to the document’s URL was made. This IP address had made 32 unsuccessful attempts at that URL that morning. There were 43 successful requests between this time and 12.07pm, from 32 unique IP addresses

11.41am: A Reuters news alert is the first evidence of the forecast being available publicly

11.43am: The OBR was first made aware by a non-Reuters journalist that Reuters was flashing forecast details. OBR staff, not knowing the URL was accessible even if known or guessed, found no evidence via webpages going live accidentally

11.50am onwards: Images and facts from the forecast began appearing widely online from many people

11.52am: Senior OBR and Treasury officials had a phone call to discuss the breach. Treasury staff made OBR staff aware of the URL

11.53am: OBR staff and the web developer tried to pull the PDF from the website, and to pull the entire website, but struggled to initially due to the website being overloaded with traffic

11.58am: A Reuters journalist emailed the OBR confirming they had published details and asked for a comment

12.07pm: The forecast PDF was renamed by the web developer, but it still appeared on the internet archive via search engines

12.08pm: The PDF was removed from the website’s content management system, taking it offline. The OBR chair and staff drafted a statement setting out what had happened and confirming its website was the source of the error

12.15pm: the statement was posted on the OBR’s website and on X

12.34pm: Chancellor’s budget statement began

1.38pm: The chancellor’s statement ended and the forecast and supporting documents were pushed live

It revealed the OBR’s spring statement 2025 was also accessed ahead of time, but said the likely explanation “is benign”.

And it said last week’s budget forecast document had multiple attempts to access it before it was inadvertently made accessible online.

The investigation partly blamed the Treasury and the Cabinet Office, as the OBR’s IT services were moved on to the Treasury’s shared systems in 2023 to “align more closely with Treasury security arrangements”, particularly around the sharing of sensitive budget information between the OBR and Treasury.

It said the Treasury should pay “greater attention” when setting the OBR’s budget, currently £6.4m, to the need for adequate support.

The investigation said there was pressure on the small team involved to ensure the full economic and fiscal outlook was published when the chancellor sat down after giving her budget, so a pre-publication “facility” was used.

But this commonly used device created a “potential vulnerability if not configured properly” and had not received the same amount of attention by the OBR as it had placed on security of communications with the Treasury “during the long period of run-up to the budget”.

Please use Chrome browser for a more accessible video player

Starmer says he did not mislead the public

An outside web developer, who has helped the OBR team since it came into existence 15 years ago, assists the internal team and manages content and uploads at times of pressure, including the release of the budget forecast.

The report said the risks of this approach have increased over the years as technologies have developed and online threats have risen.

“With hindsight, it is clear that over the years this arrangement should have been regularly reexamined and assessed by the management of the OBR,” the report said.

It recommended the process for publishing forecasts should “immediately” be removed from the OBR’s locally managed website, which is a WordPress website, and published as part of a government website.