Fraudster's dream: personal details of millions of families

It started with a bureaucratic oversight which might have gone unnoticed if the package and its sensitive contents had arrived at their intended destination.

It started with a bureaucratic oversight which might have gone unnoticed if the package and its sensitive contents had arrived at their intended destination.

On October 18, a junior official at HM Revenue and Customs' offices at Westview, near Washington in Tyne & Wear, dispatched two CDs containing a database of UK child benefit claimants, via TNT, the global courier firm used by HMRC.

The contents were dynamite. Described by security experts as a "fraudster's dream", the CDs contain details including names, addresses, dates of birth, Child Benefit numbers, National Insurance numbers and bank or building society account details of some 25 million people - around half the UK's population.

Its intended recipient, the National Audit Office (NAO) in London, was carrying out a routine audit of HMRC to examine issues including benefit fraud and efficiency. It had received the same data set in March for a previous audit.

But it was only when the package - unmarked and unregistered - failed to arrive that the explosive nature of its contents came to light.

By yesterday afternoon, the blunder had triggered major investigations by the Metropolitan Police, the English Information Commissioner, NAO, Financial Services Authority and Serious Organised Crime Agency (Soca) and led to the resignation of Paul Gray as head of HMRC. Further disciplinary action and criminal charges may follow.

But when the unnamed official was first told by officials at the NAO that the package had not arrived, on October 24, the immediate response was simply to send it again, this time using recorded delivery.

It was just over a fortnight later, on November 8, that managers were eventually told that the October 18 package had not turned up, sparking a major security alert. The assumption, sources said yesterday, was that it had simply been delayed because of the UK postal strike.

The first minister to be told of the error was Jane Kennedy, the Finance Secretary responsible for HMRC, who was informed on November 9. The next morning, a Saturday, she phoned her boss, Chancellor Alistair Darling.

Mr Darling immediately told the Prime Minister of the crisis and ordered an investigation, including searches of HMRC and NAO premises, as well as offices of the Department for Work and Pensions. One theory being examined was that the package had been sent to the wrong address.

Initially, there were causes for optimism. Those carrying out the search were experienced officials used to investigating major criminal operations. On November 12, HMRC said it had found evidence that might lead to the retrieval of the missing CDs.

But, sensing the scale of the crisis that was emerging, on November 14 the Chancellor ordered Mr Gray to call the Met, deciding the HMRC searches have failed. The next day he called information commissioner Richard Thomas, who agreed that remedial action should be taken before a full public statement was made.

With the crisis over Northern Rock still unfolding, Mr Darling was keen not to spark a further run on the banks and, over the ensuing week, maintained private dialogue with the FSA and Soca while informing banks and other financial institutions.

On Sunday the Chancellor spent the day preparing for statements on Northern Rock on Monday and the latest blunder yesterday.

Although the errant official who sparked the crisis may yet face official censure, the focus has shifted to further up the civil service command chain.

Although there is so far no evidence that the CDs have fallen into the wrong hands, security experts warned that, were they to do so, the passwords could be broken by hackers "within minutes".