This is very likely to be a breach of the law. The Data Protection Act relates to the handling (including the security) of personal data, which is essentially anything which can identify an individual. So it is very likely that an email address is personal data. It does not matter that the information is publicly available. All data controllers have a responsibility to ensure appropriate and proportionate security of the personal data they hold.
A breach of the Data Protection Act can result in enforcement action, including a maximum ‘fine’ of £500,000. The Information Commissioner can also name and shame, which may result in significant damage to reputation and brand.
In addition, an individual has a right to claim compensation from an organisation if they have suffered damage because the organisation has breached part of the Act.