If an employee has used the data incorrectly or inappropriately then the company are at fault and are liable for the breach. There have been plenty of firms fined for staff losing laptops, etc.
If the person sending these mailshots is a former employee, that is even worse, as access to the systems should have been prevented the day they left the company.
Of course the person sending the mailshots has an ulterior motive, but given First Capital Connect's treatment of their customers throughout the years, this is hardly a surprise. FCC are notorious for using intention-to-prosecute letters to extract more money from innocent people than they can get from a penalty fare. It looks like this mailshot is payback for that, from person(s) unknown.
As for the reason why FCC hold this data, that actually makes this breach MORE serious than if their telemarketing database had been breached. This type of data, along with data regarding health and financial issues, should be held at only the highest level of security. The fact you can log on to this website on a non-FCC machine goes against most of what I've been taught about data protection in my job.