How as this even possible?
Assuming that the "loser" of the USB drive was the one who complied it, HOW were they able to export sensitive data like this? I am of course taking the re-reported word of the Sunday Mirror, but lets go with that for the time being.
There should be at least two people joining the search for new employment, because there either weren't IT safeguards in place, or they didn't work, or the resulting alerts weren't acted on by management.