This bungle is incredible and deplorable. Given the obvious sensitivity of the data how was it not marked with a high classification marking which would have required it be kept off systems with open access to the internet and public email.
Also claiming this to be a cc/bcc cock-up is understating it - the lack of confidentiality in public emails is well established (akin to putting the message on a postcard). Why was this being sent by email in the first place? Presumably the sender also had a UK/MoD address - well that would arouse suspicions.
Several people deserve to be hauled over the coals on this one.