Lost in the post - 25 million at risk after data discs go missing. Bloody hell. Sounds like the HMRC's teches need some DPA training sharpish before any more of them get themselves sent down.

Why was someone able to do this anyway? Few of the places where I've worked with personal data were so lax.

Though there was that one time someone took a subset of production data to use for testing at a bank. For testing their credit agency reporting application. Naturally, someone screwed up, and the credit agencies ended up being send details of entirely fictitious unpaid debts for real people. Puts the famous Dear Rich Bastard story into perspective, doesn't it? (This was pre-DPA, so no one went to prison - they weren't even sacked!.)

Oh well, there's good advice here: HMRC Security Breach: What You Can Do to Protect Yourself From Us. "You should, without delay, change your date of birth."