Aadhaar authentication is done not just through through use of biometrics (fingerprints and iris verification), but also either by matching the Aadhaar number with demographic attributes, or through a one-time password sent to a mobile number/email stored in the Central Identities Data Repository.
When Aadhaar numbers are published, along with demographic data and mobile numbers associated with the Aadhaar number, there is a possibility of fraudulent authentications on behalf of an individual.
Currently, Aadhaar numbers are thus being used both as an identifier (which get widely and publicly used), as well as for authenticator (which are best when confidential, such as passwords), and for authorizing transactions can increase the risk of identity fraud.
An impression has been created that Aadhaar and bank account numbers have been displayed on government websites due to temporary technical glitches. More likely, they have been visible for weeks if not months, in some cases at least.
The victims have no recourse under the Aadhaar Act since the UIDAI has reserved for itself the right to lodge complaints under the Act. Nor does the UIDAI have a legal duty to monitor these breaches of privacy.
What happens in such instances of data being negligently being displayed is we lose control over data/information that affects our lives. We do not know who will have access to it, and what they may use it for. Already ready availability of mobile numbers leads to small annoyances such as bulk SMSes (to reduce weight or buy property, etc).
A project that was supposed to help curb identity fraud is actually opening up many avenues for identity fraud.