It was a blunder that sent shockwaves through Westminster and the financial markets alike. On November 26, 2025, the Office for Budget Responsibility (OBR) unintentionally published its highly anticipated budget forecasts nearly an hour before Chancellor Rachel Reeves was due to unveil her first budget in Parliament. The mistake, which allowed journalists and the public to access sensitive economic projections well ahead of schedule, has since been described as a serious breach of protocol and has prompted an urgent internal investigation at the heart of the UK’s fiscal watchdog.
According to Reuters, the leak was not the result of sophisticated hacking or a coordinated cyberattack. Instead, it came down to something far more mundane: a predictable URL. The OBR had used a familiar web address structure for its Economic and Fiscal Outlook (EFO) document, simply updating the date from ‘March’ to ‘November’. With this small tweak, journalists were able to access and download the full PDF, exposing the government’s closely guarded budget plans almost 45 minutes before Reeves took to the Commons.
The first to break the story was Reuters, who, after successfully guessing the URL, published details that would soon dominate headlines. The leaked document laid bare some of the most consequential elements of Reeves’ budget, including the decision to freeze income tax thresholds until 2030, revised (and slower) economic growth projections, a new tax on electric vehicles, the scrapping of the two-child benefit cap, and the introduction of a so-called ‘mansion tax’. For MPs, market watchers, and the public, the news arrived not from the dispatch box, but from their phones and computers—upending the tradition that Parliament should hear budget details first.
The fallout was immediate. As reported by North Wales Live, the premature disclosure unleashed a wave of volatility in UK bond and currency markets, with traders reacting to the unexpected information dump. The breach also sparked uproar in Parliament, with lawmakers from all sides expressing concern about the integrity of the budget process and the potential for market manipulation.
OBR chair Richard Hughes was quick to address the scandal, issuing a public apology. “I was mortified by the mistake,” he admitted, according to North Wales Live. Hughes went further, stating that he would resign if he lost the confidence of Chancellor Reeves or the Commons Treasury Committee. The OBR, recognizing the gravity of the situation, immediately launched an internal investigation, enlisting the help of Professor Ciaran Martin, the former head of the National Cyber Security Centre (NCSC), to guide the inquiry. While some questioned the need for a cybersecurity expert—given that the leak was due to an administrative oversight rather than an attack—others saw it as a sign that the OBR was taking the breach seriously.
Chancellor Reeves, for her part, described the incident as a “serious breach of the protocol” and confirmed that she expected to receive the findings of the OBR’s investigation on December 1, 2025. Speaking to Sky News’ Sunday Morning With Trevor Phillips, Reeves refrained from speculating on Hughes’ fate, but said, “I have a huge amount of respect for both him and his organisation.”
Despite the embarrassment, the OBR was clear that there was no evidence of outside interference. As North Wales Live reported, the watchdog emphasized that the leak was not the result of hacking, but a simple failure to secure sensitive information—a reminder that, sometimes, the weakest link in cybersecurity is human error. “The frustrating thing is that this is easily avoided, but also easily done,” noted one commentator, highlighting the importance of basic digital literacy and secure document handling in an age where the stakes are so high.
The investigation, led by Professor Martin, was tasked with uncovering exactly how the error occurred and recommending steps to ensure it never happens again. The findings, due for release on December 1, were expected to address not just the technical aspects of the leak (such as the use of predictable URLs), but also the broader cultural and procedural shortcomings that allowed it to happen. For Hughes, the outcome would likely determine whether he remained at the helm of the OBR.
Meanwhile, the budget itself became the subject of heated political debate. In Parliament, Conservative leader Kemi Badenoch seized on the leak—and the budget’s contents—to launch a blistering attack on Chancellor Reeves. During her response in the Commons, Badenoch did not mince words, calling Reeves “spineless, shameless and completely aimless,” and adding, “People out there aren’t complaining because she’s female, they’re complaining because she is utterly incompetent.” The exchange, reported by North Wales Live, was emblematic of the heightened tensions that have come to define post-budget discourse in Westminster.
Reeves, for her part, told the BBC’s Sunday With Laura Kuenssberg programme that she was “uncomfortable” with the personal tone of Badenoch’s remarks. “I try to concentrate on policies rather than personalities,” Reeves said. “So, yes, I was a bit uncomfortable listening to that, because it’s not really the way that I behave, but people are entitled to deliver the Budget response that they want and she focused on personalities.”
Badenoch, undeterred, defended her approach. “My job is to hold the Government to account, not to provide emotional support for the Chancellor, and the people out there wanted someone to tell her she was doing a bad job, and I had to make sure that I got that message across,” she told the BBC. Badenoch further accused Reeves of “raising taxes to pay for welfare” and argued that the Chancellor “should resign.”
Beyond the political theatre, the OBR’s mishap has prompted wider reflection on the importance of information security in public institutions. As the world becomes increasingly digital, the risks associated with even the simplest administrative errors are magnified. The OBR’s experience serves as a cautionary tale for organizations everywhere: sometimes, it’s not the hackers you need to worry about, but the overlooked basics of online hygiene.
With the OBR’s investigation now concluded and its recommendations set to be published, all eyes are on whether the watchdog can restore trust—and whether its chair will survive the fallout. For the government, the lesson is clear: in an era of instant news and global markets, even the smallest slip can have consequences that reverberate far beyond Westminster.
