Board: Service Discussion
Topic: Re: WARNING - Blockchain.info is NOT SAFE
by piuk on 19/12/2012, 17:11:27 UTC
Also - why did he need this kind of access in the first place? Were blockchain.info customers alerted about his access to this system?

He was given access to this information because I was getting bogged down in support tickets and Roger kindly offered to help with some of them. Requests to recover lost identifiers are one of the most common queries. At the time it had not occurred to me that there could be a conflict of interest. In the blockchain.info thread I posted that a minority stake in the site had been sold, but did not specifically mention the admin panel.

I'm sure this is just a lack of comprehension on my part, but what would prevent someone from calculating the SHA256 of a bitcoin address on their own, and using that to look up the wallet? Does the SHA256 include a secret key as well as the address, to prevent others from calculating the hash?

Addresses are hashed with a secret. With access to the secret it would be possible to hash every bitcoin address with a non-zero balance and use that to compare against subscribed hashes to determine addresses in a wallet. The sacrifice of some anonymity when notifications are enabled has always been stated at https://blockchain.info/wallet/anonymity. However it is no longer possible for admins to look up an arbitrary wallet by address.
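
The property discussed in the post above, as an added example that is not part of piuk's post and is not blockchain.info's code: a plain SHA256 index can be computed by anyone who knows an address, a keyed hash cannot, and whoever holds the secret can still hash a candidate set and match it against stored hashes. HMAC-SHA256 is an assumed construction (the post only says "hashed with a secret"), and all function names, addresses and wallet ids are constructed placeholders.

```python
import hashlib
import hmac
import secrets

def unkeyed_index(address: str) -> str:
    """Plain SHA256 of the address: computable by anyone who knows the address."""
    return hashlib.sha256(address.encode()).hexdigest()

def keyed_index(secret: bytes, address: str) -> str:
    """HMAC-SHA256 under a server-side secret (assumed construction)."""
    return hmac.new(secret, address.encode(), hashlib.sha256).hexdigest()

def match_subscriptions(secret: bytes, candidates, subscribed: dict) -> dict:
    """With the secret, hashing every candidate address and comparing against
    the stored hashes recovers the address -> wallet links."""
    found = {}
    for addr in candidates:
        wallet = subscribed.get(keyed_index(secret, addr))
        if wallet is not None:
            found[addr] = wallet
    return found

# Constructed sample data: placeholder strings, not real addresses or wallets.
SERVER_SECRET = secrets.token_bytes(32)
FUNDED_ADDRESSES = ["addr-alice-1", "addr-bob-1", "addr-carol-1"]
SUBSCRIBED = {
    keyed_index(SERVER_SECRET, "addr-alice-1"): "wallet-A",
    keyed_index(SERVER_SECRET, "addr-carol-1"): "wallet-C",
}

def demo():
    # Without the secret: neither the plain hash nor a hash under a
    # different key appears in the subscription table.
    guesses = [
        unkeyed_index("addr-alice-1"),
        keyed_index(secrets.token_bytes(32), "addr-alice-1"),
    ]
    outsider_hits = [g for g in guesses if g in SUBSCRIBED]
    # With the secret: every subscribed address in the candidate set is linked.
    insider_hits = match_subscriptions(SERVER_SECRET, FUNDED_ADDRESSES, SUBSCRIBED)
    return outsider_hits, insider_hits

if __name__ == "__main__":
    print(demo())
```

The secret is therefore as sensitive as the address-to-wallet mapping itself, and access to it needs the same restriction as access to the lookup.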