Data theft creates notification nightmare for BlueCross
IDG News Service - A break-in one evening last October at a shopping mall in Chattanooga, Tennessee, is proving expensive for BlueCross BlueShield of Tennessee.
Over the past five months, the company has employed a small army of workers to sort through the aftermath of what has proved to be a large and complex breach. Late last year, BlueCross and forensics company Kroll OnTrack employed 500 full-time workers and 300 part-time employees, working in two shifts, six days a week, to piece together what happened, the company said in a letter posted to the Maryland attorney general's Web site over the weekend.
As with many data breaches, this one can be traced back to a burglary involving unencrypted data.
On Oct. 2, someone stole 57 hard drives from a closet at the health insurance company's training center in Chattanooga's Eastgate Town Center mall. The drives contained recordings of more than 1 million customer support calls, totalling 50,000 hours of conversation. There were also 300,000 screen shots, showing what BlueCross representatives had on their computer monitors at the time some of the calls were made.
In most of the calls, subscribers provided their BlueCross ID number, name and date of birth -- not enough information for criminals to pull off an identity theft scam. But in some calls, Medicare subscribers provided what's known as a Health Insurance Claim (HIC) number, which contains the subscriber's Social Security number. Many of the screen shots also include Social Security numbers, and that information can be used in identity theft.
So for the past five months, BlueCross has been sorting out which of its 3 million customers to notify of the breach. "Unfortunately, after checking with numerous vendors throughout the country, an electronic solution could not be formulated, and a largely manual review of audio and video files has been necessary," BlueCross said in the letter, dated Dec. 16.
"We made the decision that there is really no substitute for actually manually going through it and looking at the video screens or listening to the audio," said Roy Vaughn, a BlueCross BlueShield of Tennessee spokesman. "It has to be reviewed."
To date, BlueCross has identified more than half a million affected customers and sent notification letters to about 300,000, according to the BlueCross Web site. As of Jan. 8, more than 110,000 work-hours had been spent reviewing the material.
The process has cost more than US$7 million so far, and it will be several months more before the notification effort is concluded, Vaughn said.
The average data breach costs $6.75 million, according to Michael Spinney, a senior privacy analyst with the Ponemon Institute. However, the BlueCross incident is more complex than a typical data breach, he said. "It sounds like they're going to be paying a lot more."
BlueCross is offering victims free credit monitoring, though Vaughn said most victims faced a "low risk" of having their personal information misused.
It is also auditing its security practices and has hired a former Department of Defense cybercrimes agent named Stephen Baird to conduct penetration tests of the company's security. BlueCross has also assigned two internal investigators to look into the theft, full time.
"We are determined to prevent any future thefts," the letter reads. "It is an understatement to say that BlueCross regrets this data breach."
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!