Archie Mitchell,Business reporterand
Faisal Islam,Economics editor
BBC
Chair of the OBR Richard Hughes said he took “full responsibility” for the shortcomings identified in the report
The chairman of the Office for Budget Responsibility (OBR) has resigned following the Budget day error which saw a key document published early.
Richard Hughes said in his resignation letter he took “full responsibility” for the issues that were identified in the OBR’s investigation into the error.
That investigation found the early publication of the OBR’s forecasts was the worst failure in the organisation’s 15-year history.
The UK’s official forecaster confirmed the market-sensitive report was accessed 43 times from 32 different devices in the hour before the chancellor’s speech.
In a letter sent to both the chancellor and the chair of the Treasury Select Committee, Dame Meg Hillier, Mr Hughes said he believed the OBR could “quickly regain and restore the confidence and esteem” it had earned by implementing the report’s recommendations.
“But I also need to play my part in enabling the organisation that I have loved leading for the past five years to quickly move on from this regrettable incident,” he continued.
“I have, therefore, decided it is in the best interest of the OBR for me to resign as its Chair and take full responsibility to the shortcomings identified in the report.”
As news of Mr Hughes’s resignation broke, Chief Secretary to the Treasury James Murray, who was speaking in the House of Commons, said: “May I put on record on behalf of the government our thanks to Richard Hughes for his dedication to public service.”
Following the Budget day leak, Mr Hughes called in a leading cyber-security expert to investigate how the crucial document was put on its website too early.
On Monday the report into the mishap concluded it had “inflicted heavy damage on the OBR’s reputation”, but added that it was inadvertent.
The “ultimate responsibility” for the circumstances which meant people could access the report early lay with the OBR’s leadership, the report added.
“It is the worst failure in the 15-year history of the OBR,” the report said.
“It was seriously disruptive to the chancellor, who had every right to expect that the EFO (economic and fiscal outlook) would not be publicly available until she sat down at the end of her Budget speech, when it should, as is usual, have been published alongside the Treasury’s explanatory Red Book.”
Monday’s report also found that somebody gained early access to the equivalent financial forecasts in March while Reeves was delivering her Spring Statement, though they did not act on the information.
Chancellor Rachel Reeves’s Budget was thrown into chaos when the OBR’s forecast was discovered online.
The OBR assesses the health of the UK’s economy. It is independent of the government but works closely with the Treasury.
Its reports are released alongside big government events such as the Budget, details of which are supposed to be kept under wraps until the chancellor announces them in the House of Commons.
The OBR’s early publication effectively confirmed a number of new measures, including a pay-per-mile charge on electric vehicles, and a three-year freeze on income tax and National Insurance thresholds, before the chancellor announced them.
The OBR quickly removed the forecast document from its website and apologised for the release, which it blamed on a “technical error”.
Pre-existing weakness
The OBR brought in Ciaran Martin, the former chief executive of the National Cyber Security Centre, to lead the investigation into how the forecasts were accessed early.
However, the OBR concluded there was no reason to suspect the involvement of foreign actors or cyber-criminals, or of “connivance by anyone working for the OBR”.
Prof Martin’s technical account was that the OBR analysis was available at a hidden url for 38 minutes between 11:30 and 12:08 on the morning of the Budget.
An attempt was made to access the URL as early as 05:16. The review did not seek to trace who accessed or attempted to access the document.
Prof Martin concluded this was a pre-existing weakness in the OBR publication system because of the premature access to March’s forecasts. Prof Martin said that breach, half an hour before when it should have been published, could have been accidental, but it led him to conclude the issue was not new.
On the reason for the early publication, Prof Martin said it was related to the software the OBR chose to publish to its website, which was more suitable for a small or medium company than a major publication of critical market-sensitive data.
While OBR staff thought they had applied safeguards to prevent early publication, there were two errors in the way in which they were set up on the publishing platform WordPress that effectively bypassed these controls.
WordPress is a content management system, and is said to be the most popular tool of its kind for creating and designing web pages.
One error was to do with a plug-in (an optional extra) the OBR had installed in WordPress, which had the unintended effect of bypassing the need to log in to access documents intended for future publication.
And the second was the directory in which the file was put ahead of publication allowed anyone to download a file directly.
The OBR got an exemption in 2013 from using a more secure government publishing platform for independent authorities in order to help with its autonomy. In other IT security areas, such as secure email, the OBR had adopted the secure Treasury systems.
A Treasury spokesperson thanked the OBR for its report and said a minister would respond “in due course”.
