Home / Blog / New HMRC users go digital, a Safeguarding podcast is launched, and how last year’s budget was leaked

New HMRC users go digital, a Safeguarding podcast is launched, and how last year’s budget was leaked

Today we discuss HMRC’s move to digital services for new users, DBS launch a brand new podcast aimed at those of us responsible for safeguarding, and we divulge how last year’s budget was leaked.

HMRC Moves to GOV.UK One Login for New Users

HM Revenue & Customs has started using GOV.UK One Login for taxpayers signing up to its digital services for the first time.

This means that if you do not already have a Government Gateway account, you will now register using an email-and-password login rather than needing to obtain a 10-12 digit Government Gateway ID.

For now, this only affects new HMRC users. Existing Government Gateway users do not need to switch yet.

Even if you already have a GOV.UK One Login that you use for another government service, you will still need to use your government gateway to access HMRC’s services for the time being.

HMRC plans to roll out GOV.UK One Logins gradually and will contact existing users when it is ready for them to move over.

Eventually, GOV.UK One Logins will become the single login for everything from filing a tax return to renewing a passport.

If you need help registering for or accessing HMRC services, please contact us. We will be happy to help you! See: https://www.gov.uk/government/news/hmrc-introducesgovukonelogin-for-new-customers

DBS Launches New Safeguarding Podcast for Employers

The Disclosure and Barring Service (DBS) has launched a new weekly podcast series, ‘DBS discussions: Safeguarding in Focus,’ aimed at employers, HR teams and anyone working in safeguarding.

Each episode of the podcast features a DBS specialist explaining how key DBS processes work in practice. Topics will include:

How DBS checks fit into recruitment.
Common questions from employers.
Clarity on eligibility and regulated activity.
How barring decisions are made.
The role DBS plays in wider safeguarding.

The first episode was released on 9 February 2026, and introduced the function of DBS and the impact of checks in recruitment.

New episodes will be available each week on Spotify, Amazon and YouTube.

New Detail Published on How Last Year’s Budget Leak Unfolded

The government has now published its Review into the 2025 Autumn Budget leak, explaining how the Office for Budget Responsibility’s Economic and Fiscal Outlook (EFO) was accessible online an hour before the Chancellor was due to speak.

The Review sets out measures that will be taken to prevent this from happening again.

What actually happened?

The Review incorporates findings from the National Cyber Security Centre’s investigation, which found that the leak was a result of repeated attempts to access the webpage holding the EFO, rather than a hostile cyber-attack.

The fault lay in a misconfiguration in the way that the OBR’s website was set up. This meant that the webpage holding the report was accessible earlier than the OBR intended. Users who guessed the webpage address correctly based on previous reports were able to access the report.

The investigation found that around 520 of the 534 early access attempts were linked to just four IP addresses from the same internet provider. Investigators believe it is reasonable to assume this was the same individual or organisation.

The one or more individuals who secured early access seem to have then used social media and messaging apps to spread word of the early access. In all, the EFO was downloaded 24,701 times before the mistake was noticed.

What is changing?

The OBR is due to publish an EFO at the time of the Spring Forecast announcement on 3 March 2026. Historically, the OBR has published these reports on its own website rather than a government website in order to maintain its independence.

However, because of the sensitivity of the information contained in the EFO, it will be published on GOV.UK by HM Treasury. HM Treasury has commented that doing this will not give it access to any information ahead of time of which it is not already aware.

For future EFO and other market-sensitive publication releases, it is planned that OBR will move to using GOV.UK.

In readiness for the 2026 Budget, likely to be held in the autumn, there are plans to bring in other internal measures that will enhance security and limit data access.

To read the Budget Information Security Review in full, see: https://www.gov.uk/government/publications/budget-information-security-review

Service	Name	Purpose	Expires
	PHPSESSID	This cookie stores a visitor's unique, randomly generated, session id and is used to pass information between site applications to enable them to function correctly. It is forcibly expired when the user closes the browser.	Expires on browser close
	nc_status	This cookie is used to optimise website traffic and distribution of services.	1 day
	nc_sid	This cookie is used to optimise website traffic and distribution of services.	Expires on browser close
	cookie_analytics	This cookie is used to define the option to enable or disable analytic and marketing cookies used for the website.	1 month
	ow_ac	This cookie is used to define whether cookiebar is displayed or not.	1 month
WordPress	wordpress_sec	This cookie stores a visitor's unique, randomly generated, session id and is used to pass information between content management system called WordPress to enable it to function correctly. It is forcibly expired when the user closes the browser.	Expires on browser close
WordPress	wordpress_logged_in_xxxx	Creates a session of the user currently logged into the website through the WordPress login page. This expires upon browser close.	Expires on browser close
WordPress	wp-settings-x	Wordpress sets a few wp-settings-[UID] cookies. The number on the end is your individual user ID from the users database table. This is used to customize your view of admin interface, and possibly also the main site interface. This cookie is only applied to persons logging into the website through WordPress.	Expires on browser close
WordPress	wp-settings-time-x	Wordpress sets a few wp-settings-{time}-[UID] cookies. The number on the end is your individual user ID from the users database table. This is used to customize your view of admin interface, and possibly also the main site interface. This cookie is only applied to persons logging into the website through WordPress.	Expires on browser close
WordPress	_icl_current_language	This cookie allows the built in WordPress Multilanguage plugin, to store the user’s current language. This is critical for allowing the site to function properly.	1 day
WordFence	wfwaf-authcookie-(hash)	This cookie is used by the Wordfence firewall to perform a capability check of the current user before WordPress has been loaded. This cookie will only be applied for users who have logged into the website.	Expires on browser close
Litespeed	_lscache_vary	This cookie allows Litespeed to store the user’s login status, the role of current user and if it has admin bar showing or not.	2 days
Litespeed	ls_smartpush	This cookie allows Litespeed to store server settings to help with performance.	2 days

Name	Purpose	Expires
_ga	This helps us count how many people visit by tracking if you’ve visited before.	2 years
_gid	This helps us count how many people visit by tracking if you’ve visited before.	24 hours
_gat_irisOpenWebsite	This helps IRIS Software Group, the developer of the website, to monitor site performance for . The data collected is anonymous and is only used for analysing website performance overall.	24 hours
_gat	This is used for managing the rate at which page view requests are made.	Expires on browser close