Hate to burst people's bubble here on the privacy of email addresses, but it's routine at universities to have open, relatively unprotected LDAP directories or even web listings. That said, under Canadian PIPEDA (privacy laws), email addresses are considered personal information, so this would be a severe breach... As are all the times I get CC'd a bulk email rather than BCC'd.
