WordPress flaw led to early release of OBR forecasts


The Office for Budget Responsibility chairman Richard Hughes has quit to allow the watchdog to “quickly move on” from last week's leak.

His resignation comes after a scathing report described the inadvertent release of the forecasts last week as the “worst failure” in its history.

Although it did not blame him specifically, it made clear that “ultimate responsibility for the circumstances in which this vulnerability occurred and was then exposed rests, over the years, with the leadership of the OBR".

The November Economic and Fiscal Outlook (EFO) was mistakenly made public for 38 minutes on Budget day, allowing journalists, MPs and members of the public to obtain details almost an hour before the Chancellor rose to her feet in the Commons.

An investigation by Professor Ciaran Martin, the former head of the National Cyber Security Centre, revealed this was the second time highly sensitive information had been accidentally leaked by the OBR.

Logs show that one government-linked IP address successfully accessed the March EFO, produced alongside the spring statement, at 12:38pm, around half an hour before publication.

Professor Martin found no evidence of hostile cyber activity or insider wrongdoing. Instead, he identified longstanding technical weaknesses on the OBR’s locally managed website, including misconfigured WordPress tools designed to keep documents hidden.

While staff believed the system protected files uploaded in advance, the security features were simply not programmed correctly.

That meant anyone who guessed the OBR’s predictable file-name could download the full EFO.

Attempts began as early as 5:16am, with 44 unsuccessful requests logged before the document was uploaded shortly after 11:30am.

Within minutes of upload, access was possible without authentication, and the forecast was downloaded 43 times from 32 unique IP addresses.

OBR staff only realised the source after Treasury officials drew their attention to the live URL shortly before noon.
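The access pattern described above (guesses at a predictable file name returning 404, then unauthenticated downloads the moment the file exists) is visible in ordinary web-server logs. As an added example, not from the article or the Martin report, this script parses constructed combined-format log lines and summarises that pattern for a hypothetical embargoed path; the log lines, file path and embargo time are all constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample access-log lines (combined format), not the OBR's real logs: repeated
# 404 guesses at a predictable file name, then unauthenticated 200 downloads once uploaded.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Nov/2025:05:16:02 +0000] "GET /docs/EFO_November_2025.pdf HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.10 - - [26/Nov/2025:06:01:40 +0000] "GET /docs/EFO_November_2025.pdf HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [26/Nov/2025:09:45:11 +0000] "GET /docs/EFO_November_2025.pdf HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2025:11:31:05 +0000] "GET /docs/EFO_November_2025.pdf HTTP/1.1" 200 4193304 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Nov/2025:11:32:18 +0000] "GET /docs/EFO_November_2025.pdf HTTP/1.1" 200 4193304 "-" "curl/8.0"
192.0.2.55 - - [26/Nov/2025:11:40:00 +0000] "GET /docs/EFO_November_2025.pdf HTTP/1.1" 200 4193304 "-" "Mozilla/5.0"
192.0.2.55 - - [26/Nov/2025:11:41:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
# Hypothetical path and embargo time (the article gives neither exactly).
EMBARGO_PATH = "/docs/EFO_November_2025.pdf"
EMBARGO_LIFT = datetime(2025, 11, 26, 12, 30, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):  # one combined-format line -> dict, or None if it does not match
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def embargo_report(log_text, path, embargo_lift):
    """Guess attempts before the file existed (404s preceding the first 200), the first
    successful fetch, and downloads / distinct client IPs before the embargo lifted."""
    hits = [e for e in map(parse_line, log_text.splitlines()) if e and e["path"] == path]
    successes = [e for e in hits if e["status"] == 200]
    first_ok = successes[0]["ts"] if successes else None
    guesses = [e for e in hits if e["status"] == 404 and (first_ok is None or e["ts"] < first_ok)]
    early = [e for e in successes if e["ts"] < embargo_lift]
    return {
        "guess_attempts": len(guesses),
        "guess_ips": sorted({e["ip"] for e in guesses}),
        "first_success": first_ok,
        "early_downloads": len(early),
        "early_unique_ips": len({e["ip"] for e in early}),
    }

if __name__ == "__main__":
    print(embargo_report(SAMPLE_LOG, EMBARGO_PATH, EMBARGO_LIFT))
```

A non-zero early download count for a file that should have been hidden is the signal that the "hidden document" setting never actually gated the web server's file serving.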

The incident triggered a frantic scramble inside the organisation.

The OBR initially struggled to take down the document due to the website buckling under surging traffic.

The PDF was renamed and then removed shortly after 12:07pm — by which point the Internet Archive had already briefly cached it.

The report is scathing about the systemic failings that allowed the leak to happen, concluding it was “the worst failure in the 15-year history of the OBR”.

Given the “high likelihood” that the vulnerabilities affected other fiscal events, the report calls for an urgent forensic digital audit covering recent EFO publications.

A major recommendation is that the OBR should no longer publish its flagship forecasts on its own locally managed WordPress site, which has only a handful of staff and relies heavily on a single external web developer.

The watchdog’s wider IT systems were integrated into the Treasury’s secure network last year, but its website remains outside the gov.uk architecture due to a 2013 exemption intended to safeguard its independence.

The system must be overhauled well before the Spring 2026 EFO, the report warns, noting that “success among those seeking premature access this time will certainly encourage future attempts”.

The watchdog’s limited size — 52 staff, only six of whom handle operations and communications — was a key contributing factor, the report argues.

It urges the Treasury to “pay greater attention” to funding the OBR’s publishing and IT capabilities and calls for regular independent security reviews.

Treasury minister James Murray told the Commons: “Last Wednesday, before the Chancellor had begun to give her Budget speech, the Office for Budget Responsibility published their entire EFO online.

“Let me be clear, this is a very serious breach of highly sensitive information.

“It is a fundamental breach of the OBR’s responsibility. It is a discourtesy to this House, and it should never have happened.”

He said the Government backed a “deeper forensic investigation” into OBR disclosures.

“I can confirm the Treasury will be making contact with previous chancellors to make them aware of the developments that relate to previous fiscal events,” Mr Murray said.

He later added: “The Government will be working in conjunction with a National Cyber Security Centre to take forward the recommendation that a forensic examination of other fiscal events is carried out, although let me specifically note for the House that the report finds no evidence of hostile cyber activity.

“In addition, the report says that they could not in the time available carry out a deeper forensic examination of other recent Economic and Fiscal Outlook events, and we recommend that such an exercise is, with expert support, urgently carried out.

“We will make sure that work is carried out urgently.”

In a letter to Ms Reeves and Treasury select committee chair Dame Meg Hillier, Mr Hughes said: “I need to play my part in enabling the organisation that I have loved leading for the past five years to quickly move on from this regrettable incident.

“I have, therefore, decided it is in the best interest of the OBR for me to resign as its Chair and take full responsibility for the shortcomings identified in the report.”