TN BlueCross Encrypts All Data After 57 Disks Stolen
Lucas123 writes "After dozens of hard disk drives were stolen from a leased facility in Chattanooga, potentially exposing the personal data of more than 1 million customers, BlueCross decided to go the safe route: they spent $6 million to encrypt all stored data across their enterprise. The health insurer spent the past year encrypting nearly a petabyte of data on 1,000 Windows, AIX, SQL, VMware and Xen server hard drives; 6,000 workstations and removable media drives; as well as 136,000 tape backup volumes."
Cheap, but what about ongoing costs? (Score:2, Interesting)
$6 million is pocket change to a company that has $5.2 billion in annual revenue. However, the true cost is really higher, as encrypting everything means that things like disk corruption are no longer repairable, lost passwords can't be reset without losing data, and the like. It'd be interesting to see just what the ongoing costs are.
That said, I would like to compliment Tennessee BC/BS for doing the right thing, in spite of it costing money.
--Paul
Re:$6 million? (Score:4, Interesting)
I wouldn't take the $6M and 5000 man hours as directly coupled. The actual press release says:
BlueCross invested more than $6 million and 5,000 man-hours in the data encryption effort, which included:
- 885 Terabytes of mass data storage
- 1,000 Windows, AIX, SQL, VMWare and Xen server hard drives
- 6,000 workstation hard drives and removable media drives
- 25,000 voice call recordings per day
- 136,000 volumes of backup tape
The 5000 man hours may only reflect actual labor and not reflect all the hours of planning/scheduling etc. Whatever the hourly rate for labor, double it for overhead; the cost of a person is about twice their salary; at $100/hour that's $1M in labor. Another 500K in planning. I have no clue what software they used but I'm pretty certain it wasn't a single package. Each system may well have required a different package + licenses + contractor time from the vendor. For example, they may have had to outsource the voice call recordings to whoever provides their phone system. I kind of doubt they slap all the recordings onto a single box and mass encrypt.
They're a very distributed organization so there's going to be a *lot* of duplication of effort; they may have had to do the phone bit at hundreds of sites.
I don't know if it could have been done for $3M or if $6M actually represents a relatively reasonable price compared to a lot of the $XXX million dollar utter failure projects. It strikes me as fairly reasonable considering the scope of the problem and usefulness of the result (assuming it's not a $6M whitewash).