They were sent via HMRC internal mail .... but in these days of outsourcing, that proved to be TNT. Maybe it's a dedicated delivery, maybe not.
My view was that this stuff shouldn't have been sent over a courier service, but it shouldn't have been sent over a WAN either, let alone an internet connection.
This is a case where the mountain shouldn't have been posted to Mohammed, but rather Mohammed should have gone to the mountain. The data should not have left the secure building it was in. If the NAO want to audit it, they go to the data.
And the real issue is not that some pleb did this, or that he ignored procedure to do it, but that he had the physical access to the data to be able to do it.
One academic summed it up nicely on TV tonight (Newsnight I think) by referring to the government's intention to merge all NHS patient records into one big database. He pointed out that if your GP's surgery has 10,000 patient records, control is local, access is available to maybe a dozen or two staff in the surgery and the potential for disaster is controllable and limited to that 10,000 patients anyway.
But if you codify 60,000,000 patients' records and give access to 300,000 NHS employees, security becomes practically impossible. There's a certain advantage to hospital and doctors' records being available nationally if you're taken ill away from home, but the potential for calamitous cockup expands hugely, let alone the scope for large-scale abuse. Personally, I do NOT want my medical data accessible to anyone outside my GP's surgery, and I'll risk the consequences of being taken ill elsewhere.
But this is typical of our current government's mania for the "one big system" solution, and for aggregating as much data about us all in one place as they possibly can. In a recent hospital visit, I was asked by the hospital if they could computerise the records (on this new national system). I refused, and they kept all records manually on paper instead, with a note that computerisation had been explicitly refused. The first step in preventing that data getting into the wrong hands is to restrict who has physical access to it, and if it's not on the computer in the first place, an unauthorised person at the other end of the country can't copy it onto a disc and lose it in the post.