Last year's November Budget was accessed over 24,000 times before Rachel Reeves addressed Parliament, according to the National Cyber Security Centre (NCSC). It was discovered that the March 2025 Budget had also suffered unauthorised access. As a result, stricter security procedures are to be introduced at both the Office for Budget Responsibility (OBR) and HM Treasury (HMT).
On the day of last year's Budget, 26 November, at 11.35, just under one hour before the Chancellor was due to speak, the content of the Office for Budget Responsibility’s (OBR) Economic and Fiscal Outlook (EFO) was leaked.
The National Cyber Security Centre's (NCSC) review into the Office for Budget Responsibility’s budget report failures concluded there was no evidence that the premature access to the report was the result of hostile cyber activity, connivance or someone pressing the publication button too early.
Early access to the November 2025 Economic and Fiscal Outlook (EFO) was due to a technical misconfiguration in the OBR’s web publication process, in part due to third-party computer service providers. The OBR's EFO is published on Budget Day to show the effects of new Government policy relative to a ‘pre-measures’ forecast reflecting changes in significant economic and fiscal variables.
The NCSC also looked at the leak of information regarding Income Tax to the Financial Times on 13 November 2025 in the story ‘Starmer and Reeves drop proposal to raise income tax rates in Budget’. After interviewing more than 60 members of staff, ministers and special advisers across HM Treasury (HMT), No.10 and the Cabinet Office, no one was identified as the source of the unauthorised disclosure.
The report emphasised that ‘Macpherson Principles’, which determine what information can and cannot be pre-briefed in public and/or with the media, will continue to apply. The ‘Parliament-first’ principle also remained applicable.
The investigation found:
- The use of some kind of automation to repeatedly attempt to access the EFO early.
- 520 of the 534 attempts come from the same User Agent, 60-90 seconds apart, in three blocks of several hours each.
- 520 attempts come from only four IP addresses, all of which are linked to the same Internet Service Provider. Although unproven, one hypothesis is that they originated from the same individual and/or organisation.
- After the first successful early access attempt, the original EFO was downloaded in full at least 24,701 times and not 43 times as originally reported in the OBR investigation.
- There were also 16 incidents of successful access to the March 2025 EFO. The NCSC could not examine earlier years because the technical logs had been deleted.
Actions
The principal changes, which will be introduced ahead of Budget 2026, are:
- The EFO will be published on the GOV.UK site by HM Treasury (HMT) on the OBR’s behalf.
- This precedes a permanent move by the OBR to using the GOV.UK platform for market-sensitive publications.
- A set of mandatory embedded protection actions within the IT systems to restrict the extent to which Budget material can be shared, including across departmental boundaries.
- Measures will include preventing the sending of attachments; limiting access to named lists and restricting the functionality for those accessing information to print or download; and with the ability to monitor and record access.
- Link these protections to the introduction of a new ‘BUDGET MARKET SENSITIVE’ sensitivity label for the most sensitive categories of Budget and forecast information.
- Reducing the number of officials who can routinely access the most sensitive information.
External links
NCSC report: Early access to OBR Economic and Fiscal Outlook: NCSC analysis and technical recommendations