Contact details of more than 170,000 Royal Dutch Shell employees and contractors have become public after a group claiming to be Shell staff concerned about the oil company's activities e-mailed them to eco and corporate activists.
Shell has confirmed the breach, but played it down, saying it was equivalent to stealing their business cards.
Corporate activist John Donovan, who received a copy of the contact list, said he destroyed it because the details could have threatened the safety of some individuals.
In correspondence published on Donovan's website, he said Shell's actions confirmed his view that the leaked data put the personal safety of some employees at risk.
He said he had confirmed the list was up-to-date by test-mailing a sample of the names on the list. None was returned as "undeliverable", he said.
Shell said the staff list was about six months old. This coincided with the period when Shell laid off about 5,000 staff. It recently announced plans to lay off a further 1,000.
A spokesman for the Information Commissioner's Office, which has regulatory responsibility for data breaches, said the ICO was "aware of the incident".
From 6 April, the ICO will have the power to levy fines of up to £500,000 on firms that are reckless with personal information. The ICO spokesman said that due to the timing Shell might escape such a sanction.
A spokesperson for Greenpeace said it was trying to establish whether any of its offices had received the documents, but could not comment at this stage.
Some 116 "concerned employees of Shell Oil" in the US, the UK and the Netherlands reportedly signed the e-mail.