From the Associated Press via The Washington Post (http://www.washingtonpost.com/world/europe/greek-police-arrest-man-on-suspicion-of-theft-of-9-million-personal-data-files-on-greeks/2012/11/20/72dc5c64-331a-11e2-92f0-496af208bf23_story.html)
The report cites a 9 million record value and notes that Greece currently has a population of around 10 million (WolframAlpha tells me that the 2010 estimate is 11.2M.) The WP article also wisely notes that 9M value is from a data-file that hasnt been de-duplicated.
This number is expected to down-- possibly drastically, depending on the time periods covered by the data (this is me guessing now.) For example if the 9M records covered 9 years, there could be an overlap for every year reducing the file down to 1M (still pretty bad.) Once youve reduced the data down to the Name/Address/Tax-ID number triples youre still not done. Typographical errors will have to be dealt with, and the possibility of Tax-ID number re-use.
The interesting questions are of course: where did these data come from and how did the man access them? Lessons Learned reports arent very effective if theyre kept internally. However it is reasonable to expect to wait until after the trial for those reports to become public.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.