Are we talking the print-out versions, or the original electronic?
If the latter, does it not beg the question of HOW they were obtained? And, would it also not validate the point the server security was a a sieve?
Exactly. This proves the server was hacked and sets an expectation for more. It’s a very dangerous situation for the hacker, having blackmail material at the ready.