The leak came from a third-party ID/age verification service for a regulated substance in a heavily regulated region. I think there's a good chance that they're under various regulatory/KYC-type laws that would make holding onto user data mandatory. One practical scenario where this would come into play is if they were suspected of intentionally accepting fraudulent credentials, basically acting like a fake ID service for hire. In that case, authorities would want to be able to see all data that they were basing acceptance on.