Home Information Packs Give Away Sensitive Data

Home Information Packs (HIPs) were introduced in England & Wales last year to provide information up front to potential house purchasers. These documents contain sensitive information and many are freely available on property and estate agents' web sites.

A friend is considering buying a property and they were provided with a link by the estate agent to download the HIP from a web site. He mis-typed the address and to his surprise got access to the HIP report for another property. The HIP provider "protected" the documents with a number, but it was incremental so simple to find another one, and in any case some had been indexed by search engines, even though it was in some sort of "admin" area.

HIPs contain the sale statement, local searches, evidence of title, an energy performance certificate and advice on how to cut fuel bills and CO₂ emissions. Leasehold property HIPs will also contain a copy of the lease and optionally regulations/rules that apply, recent service charge summaries or statements, recent claims for payments and insurance, the name and address of the lessor, details of any managing agent and details of any works in progress. Similarly commonhold HIPs will have the commonhold community statement and optional items similar to those for leasehold properties.

If there is a mortgage on the property, the name of the mortgage holders and the mortgage company will be shown:

It's not a great leap to guess which building society their current account may be held with. Isn't this all the information that could be used for identity impersonation (also called "identity theft")?

But it seems that these documents aren't meant to be private... some property web sites allow you to download the reports without any authentication of who you are.

I'm not sure how much thought has gone into protecting the seller's personal information and there are large differences between how the various HIP providers and estate agents are allowing access. In May 2007 a question was asked about the security of personal identity in the House of Commons but in a written answer, it was stated the Home Office Identity Theft Unit were satisfied that "...Home Information Packs do not pose a significant risk...". The Home Information Pack (No.2) Regulations 2007 Explanatory Memorandum and Procedural Guidance make interesting reading. There appears to be potential for restricting access and obligations on those providing the reports.

Like other web-enabled processes, estate agents, HIP providers and solicitors need to consider their customer's data security, as well as their own. I'd like to see more thought put into the issue.