LONDON It was a civil servant's simple mistake, but the consequences could be vast.
Two computer disks bearing addresses, bank account numbers and other details of about 25 million people almost half the British population were popped into internal government mail and never arrived.
The government says there is no sign the data have fallen into criminal hands. But technology experts and civil libertarians say the security lapse spotlights the risks we take in entrusting personal details to governments and large institutions.
"I profoundly regret and apologize for the inconvenience and worries that have been caused to millions of families," Prime Minister Gordon Brown told the House of Commons on Wednesday. "We have a duty to do everything that we can to protect the public."
The disks disappeared while being sent by internal mail from the tax and customs department to the government's audit agency. They contained names, addresses, birthdates, national insurance numbers and, in some cases, banking details for 25 million adults and children.
Treasury chief Alistair Darling said the disks held information on the 7.25 million families in Britain claiming a child benefit a tax-free monthly payment available to everyone with children. He said the delivery had not been tracked and the disks were missing for three weeks before the alarm was raised.
The disks were password protected, but the information on them was not encrypted.
Darling, who disclosed the breach to shocked lawmakers on Tuesday, called the lapse "catastrophic."
"I can well understand people's anxiety and anger that this has happened. It should never have happened, and I apologize unreservedly for that," Darling said Wednesday.
Technology experts said they could not recall a loss of data on this scale in Britain. They said it showed fundamental flaws in the government's plan to keep more information about citizens on centralized databases.
Projects in the works include a national medical records database and biometric identity cards for all citizens.
"It's impossible to control this much data," said Guy Hosein of watchdog group Privacy International. "Whenever you collect information and keep it centrally it will be abused, it will be lost."
Conservative Party leader David Cameron said the breach should make the government reconsider its ID cards plan.
"People are desperately worried about the privacy of their bank account details and their personal details," he told Brown in the House of Commons. "They will find it truly bizarre, they'll find it weird, that frankly you don't want to stop and think about the dangers of a national identity register."
Brown said the ID card plan would go head, with "the biometric support necessary so people can feel confident that their identity is protected."
Darling insisted there was no evidence criminals obtained the lost data, and said police were hunting for the missing disks. He said banks have been told to look for signs of suspicious activity.
Banks set up phone lines for worried customers, but reported only a trickle of calls.
Greg Day, an analyst at computer security company McAfee Inc., said people should keep a close eye on their bank accounts and consider changing easy-to-guess passwords such as children's names.
"We also need to be vigilant about making sure we don't hand out any more information in the initial panicked response to this," he said. "Cyber-criminals hook into topical activities as a method of trying to trick us."
The government rejected claims the lapse was a result of cuts at the revenue department, created from a merger of Inland Revenue and HM Customs and Excise into a single organization two years ago with the loss of thousands of jobs.
Darling, already rocked by fallout from the run on mortgage lender Northern Rock, said he would not resign. Brown said the Treasury chief was doing "an excellent job."
Brown said he has asked security experts to work with all government departments to check their procedures. He said Information Commissioner Richard Thomas would be given the power to carry out spot checks to make sure date was safe.
There have been several cases of major data theft from companies in the United States. TJX Cos., the operator of T.J. Maxx and Marshalls stores, disclosed in January that a data theft had exposed tens of millions of credit and debit cards to potential fraud.
"The difference is, this is information you are legally compelled to give to the government," said Privacy International's Hosein. "You are not compelled to be a customer of T.J. Maxx."