The Western Railways’ Mumbai division published the Aadhaar numbers, addresses and phone numbers of 20 people injured in a stampede on Elphinstone Bridge in central Mumbai in September in response to a Right to Information query asking for proof that they had received compensation, Huffington Post reported on Thursday. This is an offence under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016.

The railways provided the website with these details even through it had not asked for Aadhaar numbers or any other such sensitive demographic information in its plea. This information is enough to hack the bank accounts of those affected by the breach, the website claimed.

Huffington Post reached out to Chief Information Commissioner Radha Krishna Mathur, but he has not yet responded. Former Central Information Commissioner Shailesh Gandhi, however, was unperturbed by the breach. “I would actually laud the public information officer who gave you that information,” he told the website. “By that you can ensure that the data you have got is authentic. Aadhaar numbers by itself cannot be used to do anything.”

The Supreme Court is currently hearing a batch of petitions that challenge the constitutional validity of the Aadhaar programme, including privacy concerns and the provision in the law making it mandatory to link the identity number with various government schemes as well as mobile numbers, PAN and bank accounts.

In March, a New Delhi-based security researcher discovered a data leak on a system run by a state-owned utility company Indane that could reportedly allow anyone download private information of all Aadhaar holders.