Really, who puts secure login codes for a government agency website on an unencrypted USB key? This is approaching a CSI level of computardation.
Although it didn’t result in the breach of, say, the UK’s secret UFO files (that would have been a coup), it has potentially exposed the tax, ticket, and financial records of some twelve million UK residents — not to mention the source code behind the site, potentially even more damaging. The passwords and critical info were “hidden using an industry standard technique which is difficult to break,” which I hope is more than ticking the “hidden” box in the file info.