The disc did not contain bank account details. It had data relating to how much insurance cover the 370,000 had with the bank, their name and birth date.
This is a stupid way to transfer data, and they will undoubtedly be fined. The bank will be liable if any fraud takes place that is connected with the lost CD.
It may be slightly worrying for the 370,000 but in the immediate instance. The rest of us should be concerned that the big banks and government agencies are not taking security seriously enough. Fines and bolloxing by the authorities might help focus their minds.