There's absolutely no reason for it to have been done. That type of information should only be available to pre-approved, secured email addresses. And that certainly should be a company.com address, not gmail.com.
The only plausible "excuse" would be that an employee decided to take a shortcut thinking that no harm would be done (and no one would know) and had a "oh f*ck!" realization when it went to the wrong address (and don't they wish they were using GMail with Undo!). This is still unacceptable. If it was a common and accepted practice, it's inexcusable.
The only plausible "excuse" would be that an employee decided to take a shortcut thinking that no harm would be done (and no one would know) and had a "oh f*ck!" realization when it went to the wrong address (and don't they wish they were using GMail with Undo!). This is still unacceptable. If it was a common and accepted practice, it's inexcusable.