From the Associated Press via The Washington Post (http://www.washingtonpost.com/world/europe/greek-police-arrest-man-on-suspicion-of-theft-of-9-million-personal-data-files-on-greeks/2012/11/20/72dc5c64-331a-11e2-92f0-496af208bf23_story.html)

The report cites a 9 million record value and notes that Greece currently has a population of around 10 million (WolframAlpha tells me that the 2010 estimate is 11.2M.)  The WP article also wisely notes that 9M value is from a data-file that hasn't been de-duplicated. 

This number is expected to down-- possibly drastically, depending on the time periods covered by the data (this is me "guessing" now.)  For example if the 9M records covered 9 years, there could be an overlap for every year reducing the file down to 1M (still pretty bad.)  Once you've reduced the data down to the Name/Address/Tax-ID number triples you're still not done.  Typographical errors will have to be dealt with, and the possibility of Tax-ID number re-use.

The interesting questions are of course: "where did these data come from" and "how did the man access them?"  Lessons Learned reports aren't very effective if they're kept internally.  However it is reasonable to expect to wait until after the trial for those reports to become public.