An estate agent has apologised after a 3D tour of a house for sale in Devon was published with a substantial amount of personal information visible.Financial paperwork in the study could be read by zooming in on the image.It included a shares dividend cheque, an insurance policy document and an invoice for a stairlift. Some family photos had also been left unblurred.
Fowlers estate agent said the private data in the virtual tour had “slipped past” its staff and the home owner.The house was available on the property platform Rightmove, and appears to have been live since October 2020. Additional stills photographs of the property showed empty rooms.
The firm’s owner Philip Fowler told the Media that his company had withdrawn the 3D tour along with all of its others for further review and said the estate agent “takes our clients’ privacy very seriously”. The owner of the home had given “verbal permission” for the video to be used, he added.
He also said that people choosing the 3D tour to help sell their properties were advised to put away sensitive material before the photos were taken.
Other identifiable data about the home-owners in the property included the names of their pets on a photograph (pet names are commonly used as passwords), clues about their political views based on their choices of reading material, and their health – an asthma inhaler was visible in one of the bedrooms.
Journalists alerted the Information Commissioner’s Office.
The video was discovered by Carole Theriault, co-host of the Smashing Security podcast, who said she was “gobsmacked” by the amount of personal information on display.
“There is way too much information on show for anybody watching the 3D virtual tour to see,” she said.
“It’s a treasure trove of private data – a veritable goldmine for identity thieves, phishers, you name it.”
3D tours have become more popular for house-sellers, especially during the pandemic.
Carissa Veliz, author of Privacy is Power, said the estate agent should have taken more care.
“We are much better at collecting personal data than we are at keeping it safe, but if we can’t keep it safe, we shouldn’t be collecting it in the first place,” she said.