On Friday, October 2, 2009 at approximately 6:13pm, someone stole 57 hard drives from a network closet in a BlueCross BlueShield office in Chattanooga, TN. See the original notification issued by BlueCross BlueShield here.
The drives contained unencrypted audio files of over 1 million customer support calls totaling 50,000 hours of conversation, along with 300,000 screen captures of the monitors of the BlueCross representatives at the time. To identify the individuals whose data was compromised the data had to be examined manually. It took 500 full time and 300 part time employees working two shifts six days a week.
Over a year later, on October 29, 2010, the process was complete. 1,023,209 members have been identified and notified. The cost of the breach was over $7 million dollars.
To avoid future problems, BlueCross BlueShield decided to encrypt all the data at rest. In a project that just finished, over 1,000 server drives, 6,000 workstation drives, removable drivers, recordings, and backup tapes have been encrypted. The cost of the project was $6 million dollars and it took 5,000 man hours to encrypt 885 terabytes.
What troubles me is a quote from Michael Lawley, vice president of technology shared services in BlueCross BlueShield. Lawley said that they encrypted all the drives in order to speed up the process. “Had we gone through the process of verifying and pinpointing each data store, we’d still be in the implementation phase for encryption.”
While encryption of the drives will prevent information from being compromised during a theft of a physical drive, there are many other ways data can be compromised. According to the quote from Lawley, BlueCross BlueShield does not know where all the sensitive information resides, therefore, it cannot protect it. The first step in securing data is being able to locate it.
While 57 drives that disappear are easily noticed, will BlueCross BlueShield notice if someone copied their database?
The first step in any investigation is knowing that it happened.