Can't comment on ICO compliance, but in terms of best practice, any organisation that I have worked for would regard displaying customer details to the wrong customer as a very serious incident.
I have always been advised that any data that uniquely identifies an individual is potentially sensitive. So a name on its own, no problem. Name with address, potential issue.
"Oh, I can see Mr Smith of 10 Main Street is buying a dropper post and a load of disk pads. Hmm. I wonder what Mr Smith might have in his garage at 10 Main Street?"
Sure, your postie sees your Wiggle boxes being delivered, but there will be processes in place to mitigate that risk. I'm not suggesting that the company in this incident has been negligent. Things go wrong, and I'm sure they are doing their best to fix the problem (and may already have done so). Showing customer details to the wrong customer is still a serious incident for any company that takes its reputation seriously.