Have you published to the web with Instant or Custom web publishing? If Custom, what method PHP? XML? or...?
They used Instant Web Publishing. Looks like the app is running on apache tomcat/servlets. It also seems like these users all exceeded the session timeout threshold and then were revealed somebody else's data in the form. Really weird...
You might investigate this acknowledged bug: Problems datasecurity using browser buttons together with IWP
This is one of many acknowledged bugs that can be found in the Known Bug List thread here in the Report an Issue section of the forum.
It can also be downloaded as a database file from: http://www.4shared.com/file/8orL8apk/FMP_Bugs.html