HM Revenue and Customs is investigating the loss of sensitive financial data concerning clients of wealth management firm UBS Laing & Cruickshank.
The data on owners of personal equity plans (Peps) was on a CD-Rom, and would not have been protected by encryption as HMRC does not allow institutions to submit encrypted data in this area of its work.
"We are not sure it is the best way to receive information in this area at the moment," HMRC said. Other areas of the HMRC's work, such as the self-assessment online service, do use encryption.
"HMRC will work with our IT providers CapGemini to explore how best to safeguard the integrity of the information provided," a spokeswoman said.
The disc, containing confidential data on UBS customers, went missing from a Revenue office in Wales, an HMRC spokesman said.
Ian Brown, computer security researcher at University College London, said both HMRC and organisations filing with it, "should be insisting data like that is encrypted, rather than that it isn't."
He added: "You would have to question whether they have broken the Data Protection Act by not taking care of that sort of data.
Mac Macmillan, IT and data protection specialist at law firm Lovells, said, "If they've lost the CD, it seems likely that they were failing to take appropriate measures to prevent it being lost. But at this stage we don't know."
The Information Commissioner's department said, "We'd obviously take this very seriously, but we can't say whether a breach has occurred."
HMRC said, "This is a one-off incident in a single office which receives thousands of pieces of post per week."