If anyone has an interest in the Data Protection side of this (just me maybe!) Morrisons' recent Supreme Court judgement could be relevant here. In that case a rogue employee ,who had been subject to a disciplinary, leaked online the payroll files of close to 100,000 staff.

Initially the ICO fined them and it was upheld at appeal but just a few weeks ago the Supreme Court overturned both decisions as it decided (probably fairly in the end) that a company cannot be held reasonably responsible for employees going rogue and committing criminal acts.

So in terms of any data protection enforcement it will all depend on if this document was hacked due to poor security or had been released as a deliberate act by someone with a grudge.