Many folks have strong opinions about the right way to perform breach notification. More to the point, many folks think they know what not to do. But that’s okay – the great thing about opinions is that everyone gets their own. Recently the UPS Store, a franchised chain of shipping stores, reported a breach.
In the incident information they detailed about how many of their stores were impacted. They listed dates when they determined the store systems were breached, and dates the systems were cleaned up. They also provide a fairly comprehensive FAQ about what happened and what affected consumers should do. Additionally they are providing credit monitoring services for the impacted.
As a security guy, it would be great to have learned more about the specific malware and other technical details of the incident and the cleanup. But that level of detail would be lost on most folks impacted by this breach. The notification and FAQ told consumers what they need to know and to do.
Complicating matters is the fact that the franchises are independently owned, and UPS doesn’t control their networks. So the fact that they clearly investigated all 4,470 stores is impressive as well.
Kudos to UPS and the UPS Store folks. Among all the breach notification fiascos we see, it is good to see one done well.
Photo credit: “UPS Store” originally uploaded by Mike Mozart