It is a database protected by a password. It is NOT encrypted. Should take less time than it took to post this to extract all the data.
Binary data cannot be protected. It is impossible even if you throw amazing resources (think NSA here) at the problem. Even shared key systems (where several people/systems hold part of the key) don't work once you introduce people who aren't highly motivated to protect their part of the key. No system can survive key disclosure.
What happened here is clear to anyone with a passing familiarity with govt depts and, more importantly with the outsourced IT which each uses (HMRC is EDS). The poor sod that is being blamed for this couldn't have written the CDs as people of his grade don't have logins which are capable of writing data to any removable source - CD/DVD/USB/Floppy. For this person to have done what is being claimed would have required privileges way way beyond that level. So we're left with either a totally compromised system (possible but not likely) or a manager who doesn't have the first idea of what he's doing and hands his password out so "minions" can do what he considers beneath himself.
This data will get into the wild. If you have ANY passwords which have any combination of family names (kids/spouse) and/or birth dates then change them NOW. The govt has known about the breach for ten days. HMRC apparently knew about it for far longer - so the scuttlebutt goes right now. Really ladies - for statistically it is women who use family data in passwords - take a long hard look at all your passwords. NOW.
NO2ID people - please go support them even if it's just by registering because what are you going to do if someone changes your biometric data? New eyeballs aren't an option. Being repeatedly shot in the head by the police when your biometric data "doesn't match" probably is an option.