Virgin Trains East Coast did not break data protection law when it released CCTV footage of Jeremy Corbyn looking for a seat on a train in August last year, the information watchdog has ruled.
But the operator "should have taken better care" to obscure other passengers' faces, according to the Information Commissioner's Office (ICO).
Virgin had "no reason to publish pictures of anyone else on the train" and this was a breach of the Data Protection Act, the ICO found.
The watchdog stopped short of formal regulatory action against the train firm to reflect "the exceptional circumstances of the breach".
Virgin released the picture after Mr Corbyn complained about a lack of seats on the busy service.
The so-called Traingate controversy began when Mr Corbyn was filmed sitting on the floor of a carriage and claiming he was unable to find a seat on the "ram-packed" service from London
to Newcastle in August last year.
Virgin then released CCTV footage showing the Labour leader walking past an array of empty seats.
Sir Richard Branson, who co-owns the rail operator with Stagecoach, got involved in the row by posting a link to the images on his Twitter account.
Mr Corbyn later insisted he had wanted two seats together so he could talk to his wife.
Explaining the decision not to take further action against Virgin, ICO head of enforcement Steve Eckersley said it was a "one-off incident" and the people identified "were unlikely to suffer
serious distress or detriment".
He insisted that the rail firm "has not been let off the hook" and will strengthen its data protection training as well as ensuring it has access to pixelation services should the need arise