Logically and there are two extremes which might describe SelectQuote’s awareness of risk involving customer data, before I reported on their data breach. One, they were caught completely flat-footed. Two, they knew I had the data, but since I did not accept contract work with them, they took the chance that I would never uncover the data. Reality could be somewhere in between, if they suspected, but weren’t sure.
Even though they seemed to spring into action quite quickly after my report, it is possible that they took everything I reported at face value and simply reacted. This is problematic because it indicates that they really don’t know who has customer data. SelectQuote has resources in other countries and especially after my departure they would have needed to supplement their staff with outside firms.
Not to say foreign developers can’t be trusted, but even in the best of times there are different protections in their area, and it is harder to bring someone to justice when there are multiple jurisdictions involved. Their government might require them to hand data over, just like ours does. Depending on the political situation, personnel may not feel physically safe enough to say no if a local crime lord pressured them for the records.