The government has now published its Review into the 2025 Autumn Budget leak, explaining how the Office for Budget Responsibility’s Economic and Fiscal Outlook (EFO) was accessible online an hour before the Chancellor was due to speak.

The Review outlines the steps that will be taken to ensure a similar incident does not happen again.

What Actually Happened?

The Review incorporates findings from the National Cyber Security Centre, which concluded that the leak resulted from repeated attempts to access the webpage hosting the EFO, rather than from a hostile cyber-attack.

The issue stemmed from a misconfiguration in the way the Office for Budget Responsibility (OBR) website had been set up. As a result, the webpage containing the report was accessible earlier than the OBR had intended. Individuals who correctly guessed the webpage address – based on the format of previous reports – were able to gain access.

The investigation found that approximately 520 of the 534 early access attempts were linked to just four IP addresses from the same internet provider. Investigators consider it reasonable to assume this activity originated from the same individual or organisation.

Those who obtained early access appear to have used social media platforms and messaging apps to circulate news of the availability. In total, the EFO was downloaded 24,701 times before the error was identified.

What Is Changing?

The OBR is scheduled to publish an EFO at the time of the Spring Forecast announcement on 3 March 2026. Historically, the OBR has released these reports via its own website, rather than through a central government platform, in order to preserve its independence.

However, given the market-sensitive nature of the information contained within the EFO, it will in future be published on GOV.UK by HM Treasury. HM Treasury has stated that this arrangement will not provide it with access to any information in advance that it does not already hold.

For future EFOs and other market-sensitive publications, the intention is that the OBR will transition to using GOV.UK as the publication platform.

In preparation for the 2026 Budget, which is expected to take place in the autumn, additional internal measures are set to be introduced to strengthen security and restrict data access.

To read the Budget Information Security Review in full, see: https://www.gov.uk/government/publications/budget-information-security-review