Turned Over SelectQuote Data

I have turned over SelectQuote’s customer records, given me while I was no longer working there, to the Secret Service.  So, you won’t be receiving emails.  I do still assert that California’s laws for disclosure of a data breach gave me a right to notify California citizens, at the least.

But arguing that the law was on my side and their side is not really a battle I wish to fight.  Their position seems reasonable, and they were professional.  Frankly, if it weren’t for Michelle Tan threatening to kill my daughter, I wouldn’t tread this far out on the ice.

I’m not going to lose my computers and face pretrial detention, just to send data breach notification emails.  Beyond those emails, I see no reasonable right to that data anyway.  While companies share your data all the time, in theory you normally have some inkling of this.  Between lawyers, you probably let SelectQuote do whatever they want with your data, and they gave it to me.

Visit From SelectQuote Executive

I received a visit at CollabNet on Friday from an executive at SelectQuote Insurance Services.  He claimed to be coming as a friend, to suggest I retain competent legal counsel before attempting to contact any SelectQuote customers.  That non-commercial notification of unauthorized disclosure of personal data might be a problem, despite no limitations on the use of said data when given to me by SelectQuote.

It is possible.  Our laws are a mess.  Always added, rarely removed, overlapping in scope, even when not a matter of different state jurisdictions.  For example, asking about arrests that did not lead to conviction in California was illegal before “ban the box”, but the prior attempt was considered to not have an effective means of enforcement.

Common English meanings of words are arbitrarily redefined.  California prohibits ‘sniper scopes’.  Is this any rifle optics?  Only scopes with mil-dot measurements (as snipers use trigonometry)?  No, this law regulates night vision equipment.  Similarly, in some contexts a weapon must be on a strictly enumerated list of arcane fight implements to be considered ‘deadly’.

It’s as if politicians got together and decided the people’s ability to read laws was giving too much clarity into what is prohibited.  So they just started using a new language that looks like English to throw in some surprises.

In this miasma, companies with their great resources have a distinct advantage.  Regular people can’t pay to get every decision looked over by a lawyer.  If my planned course of action does face legal trouble, a company will have found a way to use the law to block disclosure of a breach of personal information, hardly the use case we want to promote.

Bob Edwards

Positives of Revealing SelectQuote’s Carelessness Now

SelectQuote Review has been reporting on problems at SelectQuote Insurance Services since 2011.  At first glance, it might appear unfortunate that I overlooked some effective ammunition in my possession in the form of customer data given to me by SelectQuote, without any sort of agreement in place between us.  No use crying over spilled milk, but not finding that data until now has some significant upside.

    • It’s easy to see that I did not hack in to get this data.  SelectQuote is willing to set me up to silence my reporting here at SelectQuote Review.  An old copy of the test database is obviously something given to me without checking first that production records aren’t mixed in with the test data.  I also recovered a picture of the IT Director’s wife in the bathtub, but the nature of the data I have is more to the point.
    • SelectQuote’s impersonation attempts understated my experience, so they may be trying to portray my experience with them as typical for me.  Having a few more years working as a software engineer conclusively shows that they’re the exception.  Also, impersonation of another ex-employee, and prosecution of San Francisco police officers in my neighborhood show that at the very least SelectQuote knew I was being messed with, and some employees jumped on with gaslighting.  These circumstances warrant extra controls on customer data, so this was a legitimate leak.
    • Some of SelectQuote’s best leads are calls to existing customers.  During the level term period on a life insurance policy, an agent will probably call about locking in some new rate to start the term over, or converting to another kind of policy.  Just because the data is dated doesn’t mean these records won’t be back in the sales pipeline.

    Timing of Leak Notifications

    If you have used SelectQuote’s website to get a quote for term life insurance before 2011, you are probably affected by a leak of customer data.  You may not receive notification for some time, because I’m not familiar with mail merge or mass email marketing tools.  I do not want to get flagged as a spammer.  As well, if SelectQuote could cover up the loss of customer data by accusing me of violation of the CAN-SPAM Act or similar statute, they would.

    Local police are in their pocket, so who knows who else is on the payroll?  Therefore, notifications will be coming out slowly.  Since I really don’t want to hit the same addresses multiple times, I’m going to look for maximum gain with each email.  So I’ll most likely be looking to get selectquotereview.com MX records pointing somewhere where there are some list management and opt-out tools available.

    Currently my domain MX records point to Google Apps, and their 500 a day limit is probably fine, but I think there may be some better tools from one of my hosting providers.  I’m willing to trickle out notifications, it’s your data, not mine, but I want as much of this list management done for me as possible.  I’m not selling Viagra here, most people sending mass email are getting paid for their trouble.

    SelectQuote Customer Data has Leaked

    It sure is frustrating trying to figure out what can open an old Microsoft database back-up file, especially when your newer operating system wants a newer database engine.  I’ve gotten past that, and I’m looking at the database restore.  A whole lot of test cases in there, but a bunch of what looks to be real live web customers of SelectQuote.

    You’d kind of expect that you wouldn’t want your customer list in the hands of a guy who is mad because you threatened to kill his daughter.  Doesn’t speak well for data security at SelectQuote.  Web submissions after 2010 are not impacted, this back-up file was on a disk I received from SelectQuote in 2011.

    Well, I’ll need to put up some kind of informational page, and decide how I begin notifying of the data breach.  No need to get these people too alarmed.  They just need to understand that when they are talking to SelectQuote, they are talking to the public at large.

    Possible Exposure of SelectQuote Data

    If you’re a SelectQuote customer, the good news is the leak was to me, albeit after I no longer worked with SelectQuote.  Nor would any of these records contain credit card information, or information you gave to a SelectQuote agent over the phone.  Just information entered into the website.

    Recovery has not been straightforward, and many records will be test data.  I realized that there is enough data that it is most likely not scrubbed.  Getting the data looks tedious but doable.  I will not sell people’s height, weight, age, or tobacco usage.  I won’t bother to decode information on major illnesses or family medical history.

    Rather, I intend to sample the data to find out how many records represent real people with valid contact information.  I will then send email to anyone affected that their data is being retained simply to show law enforcement in case they think I hacked in.  And to point out that security isn’t anyone’s primary job, the company does have a history of bad splits with employees, and few to no safeguards against inside jobs.

    Hope for Change at SFPD Short Lived

    One might hope that recent misconduct investigations would change behavior within the San Francisco Police Department.  But now, an attorney isn’t even allowed to represent her client.  A member of the public defender’s office was arrested by Southern Station officers for informing her client of his rights (from the Mercury News):

    The two videos showing Tillotson’s detainment were shot by other attorneys, according to the public defender’s office.

    The videos show San Francisco police Inspector Brian Stansbury, who is among the officers facing a lawsuit filed by a black San Francisco police officer in federal court that claims he was racially profiled during a traffic stop and then allegedly choked and tackled to the ground by officers in May 2013.

    In the video, Tillotson repeatedly tells Stansbury and other officers, “I am representing my client here.”

    Stansbury tells the two males being detained that he needs to take their photographs and tells Tillotson that if she doesn’t step aside she will be arrested.

    Stansbury then handcuffs Tillotson and places her under arrest and she is then led away from her client.


    Additional SFPD Corruption Case Delayed

    A third San Francisco police officer was originally charged in the illegal searches at the Henry Hotel.  There are reports that Raul Elias may not face trial until July, and may go to pretrial diversion instead.  From SFBay:

    A third officer who participated in the Jan. 5, 2011, search, Raul Elias, was charged with conspiracy to violate civil rights and deprivation of civil rights in connection with that search. But the deprivation charge was dropped and Elias’s trial on the remaining conspiracy charge has been put on hold while he is evaluated for a pretrial diversion program, according to court records.

    For those wondering, even were a police report not a sworn document (making falsification felony perjury), falsification is a wobbler (can be punished as misdemeanor or felony) under state law.  Of course, in practice a cop can do almost anything he wants to do.  But these safeguards are in place because no one should believe a cop is impartial.

    They mainly deal with criminals, often at risk to their own safety.  So if something looks out of the ordinary, they are probably going to assume everyone involved is a crook.  If they are allowed to simply manufacture evidence to match their suspicions, there is no way to give the accused a fair trial.

    Rest In Peace, Joe

    Last summer, my phone was blowing up with messages from Joe Vasquez, who was giving me the play by play of the scandal at SelectQuote Senior in Kansas City.  Joe wanted to remain anonymous, so he’d send me the latest dirt, and I’d publish when I could find time to do some verification.  Joe also registered selectquotecomplaint.com, and briefly had a criticism site running there.

    Our collaboration was fairly short lived, as Joe became concerned about eventual retaliation from SelectQuote.  He brought me new sources of information, helped get a number of claims filed against SelectQuote, and unearthed clues that greater misdeeds still remain hidden.

    Most of all, it was heartening for me to see people not so far from where I grew up joining in the fray.  SelectQuote money may prevail in individual struggles, but we don’t know how much worse they could have become.  Big money movers and shakers don’t like attention on the dirty deeds done in the course of business, they might force their underlings to be more circumspect, for a time.