implications for normal people
Implications for normal people are likely to be
- non-financial data: name, age, train travel history, phone number, email address
- financial data: minimal or not at all (IMO)
It's been ages since I booked a ticket on IRCTC, but purchases in India are almost never of the "merchant knows your credit card number and has to keep it safe" type. Most people use "Net Banking", where the merchant does not know anything. It's somewhat like how the initial authentication flow of OAuth works -- you get directed from the merchant to your bank, you login there, accept the payment, and you are then sent back to the merchant, except in this case the merchant does not even know your account number in the bank, though he does know *which* bank you went to.