State of SelectQuote Review

As I’ve said, I have given up SelectQuote customer records to the Secret Service.  This is a bit of a bummer.  Their position is that I ceased to be authorized to hold those records.  Mine is that since I was given the records after I no longer worked for SelectQuote, and signed no agreement, there were no provisions to revoke my right to the data.

That might make for an interesting legal argument, if I weren’t the one facing pretrial detention and confiscation of my computers.  So I have lost the marketing angle of sending out data breach notification emails.  It is unclear how well those would have gone over anyway.  By cooperating with authorities, there is less chance of a public relations backfire.

Bob Edwards came to my workplace to talk the same kind of turkey he did before the well-oiled set-up that ran me out of SelectQuote Insurance Services.  This, along with the position of the Secret Service, would seem to indicate that everyone admits that a breach has taken place.  This places responsibilities upon SelectQuote, such as notification of affected customers.

Meanwhile, criminal matters ensnaring employees and labor issues continue to dog SelectQuote Senior in Kansas City.  Another case of online impersonation of an ex-SelectQuote employee popped up.  Impersonation was once again tried with me.

Turned Over SelectQuote Data

I have turned over SelectQuote’s customer records, given me while I was no longer working there, to the Secret Service.  So, you won’t be receiving emails.  I do still assert that California’s laws for disclosure of a data breach gave me a right to notify California citizens, at the least.

But arguing that the law was on my side and their side is not really a battle I wish to fight.  Their position seems reasonable, and they were professional.  Frankly, if it weren’t for Michelle Tan threatening to kill my daughter, I wouldn’t tread this far out on the ice.

I’m not going to lose my computers and face pretrial detention, just to send data breach notification emails.  Beyond those emails, I see no reasonable right to that data anyway.  While companies share your data all the time, in theory you normally have some inkling of this.  Between lawyers, you probably let SelectQuote do whatever they want with your data, and they gave it to me.

Visit From SelectQuote Executive

I received a visit at CollabNet on Friday from an executive at SelectQuote Insurance Services.  He claimed to be coming as a friend, to suggest I retain competent legal counsel before attempting to contact any SelectQuote customers.  That non-commercial notification of unauthorized disclosure of personal data might be a problem, despite no limitations on the use of said data when given to me by SelectQuote.

It is possible.  Our laws are a mess.  Always added, rarely removed, overlapping in scope, even when not a matter of different state jurisdictions.  For example, asking about arrests that did not lead to conviction in California was illegal before “ban the box”, but the prior attempt was considered to not have an effective means of enforcement.

Common English meanings of words are arbitrarily redefined.  California prohibits ‘sniper scopes’.  Is this any rifle optics?  Only scopes with mil-dot measurements (as snipers use trigonometry)?  No, this law regulates night vision equipment.  Similarly, in some contexts a weapon must be on a strictly enumerated list of arcane fight implements to be considered ‘deadly’.

It’s as if politicians got together and decided the people’s ability to read laws was giving too much clarity into what is prohibited.  So they just started using a new language that looks like English to throw in some surprises.

In this miasma, companies with their great resources have a distinct advantage.  Regular people can’t pay to get every decision looked over by a lawyer.  If my planned course of action does face legal trouble, a company will have found a way to use the law to block disclosure of a breach of personal information, hardly the use case we want to promote.

Positives of Revealing SelectQuote’s Carelessness Now

SelectQuote Review has been reporting on problems at SelectQuote Insurance Services since 2011.  At first glance, it might appear unfortunate that I overlooked some effective ammunition in my possession in the form of customer data given to me by SelectQuote, without any sort of agreement in place between us.  No use crying over spilled milk, but not finding that data until now has some significant upside.

    • It’s easy to see that I did not hack in to get this data.  SelectQuote is willing to set me up to silence my reporting here at SelectQuote Review.  An old copy of the test database is obviously something given to me without checking first that production records aren’t mixed in with the test data.  I also recovered a picture of the IT Director’s wife in the bathtub, but the nature of the data I have is more to the point.
    • SelectQuote’s impersonation attempts understated my experience, so they may be trying to portray my experience with them as typical for me.  Having a few more years working as a software engineer conclusively shows that they’re the exception.  Also, impersonation of another ex-employee, and prosecution of San Francisco police officers in my neighborhood show that at the very least SelectQuote knew I was being messed with, and some employees jumped on with gaslighting.  These circumstances warrant extra controls on customer data, so this was a legitimate leak.
    • Some of SelectQuote’s best leads are calls to existing customers.  During the level term period on a life insurance policy, an agent will probably call about locking in some new rate to start the term over, or converting to another kind of policy.  Just because the data is dated doesn’t mean these records won’t be back in the sales pipeline.

    Timing of Leak Notifications

    If you have used SelectQuote’s website to get a quote for term life insurance before 2011, you are probably affected by a leak of customer data.  You may not receive notification for some time, because I’m not familiar with mail merge or mass email marketing tools.  I do not want to get flagged as a spammer.  As well, if SelectQuote could cover up the loss of customer data by accusing me of violation of the CAN-SPAM Act or similar statute, they would.

    Local police are in their pocket, so who knows who else is on the payroll?  Therefore, notifications will be coming out slowly.  Since I really don’t want to hit the same addresses multiple times, I’m going to look for maximum gain with each email.  So I’ll most likely be looking to get MX records pointing somewhere where there are some list management and opt-out tools available.

    Currently my domain MX records point to Google Apps, and their 500 a day limit is probably fine, but I think there may be some better tools from one of my hosting providers.  I’m willing to trickle out notifications, it’s your data, not mine, but I want as much of this list management done for me as possible.  I’m not selling Viagra here, most people sending mass email are getting paid for their trouble.

    SelectQuote Customer Data has Leaked

    It sure is frustrating trying to figure out what can open an old Microsoft database back-up file, especially when your newer operating system wants a newer database engine.  I’ve gotten past that, and I’m looking at the database restore.  A whole lot of test cases in there, but a bunch of what looks to be real live web customers of SelectQuote.

    You’d kind of expect that you wouldn’t want your customer list in the hands of a guy who is mad because you threatened to kill his daughter.  Doesn’t speak well for data security at SelectQuote.  Web submissions after 2010 are not impacted, this back-up file was on a disk I received from SelectQuote in 2011.

    Well, I’ll need to put up some kind of informational page, and decide how I begin notifying of the data breach.  No need to get these people too alarmed.  They just need to understand that when they are talking to SelectQuote, they are talking to the public at large.

    Possible Exposure of SelectQuote Data

    If you’re a SelectQuote customer, the good news is the leak was to me, albeit after I no longer worked with SelectQuote.  Nor would any of these records contain credit card information, or information you gave to a SelectQuote agent over the phone.  Just information entered into the website.

    Recovery has not been straightforward, and many records will be test data.  I realized that there is enough data that it is most likely not scrubbed.   Getting the data looks tedious but doable.  I will not sell people’s height, weight, age, or tobacco usage.  I won’t bother to decode information on major illnesses or family medical history.

    Rather, I intend to sample the data to find out how many records represent real people with valid contact information.  I will then send email to anyone affected that their data is being retained simply to show law enforcement in case they think I hacked in.  And to point out that security isn’t anyone’s primary job, the company does have a history of bad splits with employees, and few to no safeguards against inside jobs.

    Hope for Change at SFPD Short Lived

    One might hope that recent misconduct investigations would change behavior within the San Francisco Police Department.  But now, an attorney isn’t even allowed to represent her client.  A member of the public defender’s office was arrested by Southern Station officers for informing her client of his rights (from the Mercury News):

    The two videos showing Tillotson’s detainment were shot by other attorneys, according to the public defender’s office.

    The videos show San Francisco police Inspector Brian Stansbury, who is among the officers facing a lawsuit filed by a black San Francisco police officer in federal court that claims he was racially profiled during a traffic stop and then allegedly choked and tackled to the ground by officers in May 2013.

    In the video, Tillotson repeatedly tells Stansbury and other officers, “I am representing my client here.”

    Stansbury tells the two males being detained that he needs to take their photographs and tells Tillotson that if she doesn’t step aside she will be arrested.

    Stansbury then handcuffs Tillotson and places her under arrest and she is then led away from her client.


    Additional SFPD Corruption Case Delayed

    A third San Francisco police officer was originally charged in the illegal searches at the Henry Hotel.  There are reports that Raul Elias may not face trial until July, and may go to pretrial diversion instead.  From SFBay:

    A third officer who participated in the Jan. 5, 2011, search, Raul Elias, was charged with conspiracy to violate civil rights and deprivation of civil rights in connection with that search. But the deprivation charge was dropped and Elias’s trial on the remaining conspiracy charge has been put on hold while he is evaluated for a pretrial diversion program, according to court records.

    For those wondering, even were a police report not a sworn document (making falsification felony perjury), falsification is a wobbler (can be punished as misdemeanor or felony) under state law.  Of course, in practice a cop can do almost anything he wants to do.  But these safeguards are in place because no one should believe a cop is impartial.

    They mainly deal with criminals, often at risk to their own safety.  So if something looks out of the ordinary, they are probably going to assume everyone involved is a crook.  If they are allowed to simply manufacture evidence to match their suspicions, there is no way to give the accused a fair trial.