Was Lockheed Martin breach notification intentionally vague?
If Steve Ragan of The Tech Herald thought Alpha Software’s breach notification was bland, I wonder what he thinks of Lockheed Martin’s recent breach notification.
On November 6, Lockheed Martin sent out a breach notification that began:
“As part of Lockheed Martin’s continued vigilance of personal information privacy matters, I am writing to inform you about an incident that resulted in the potential compromise of your personal information.
“After containing the incident, which occurred in April 2009, the Corporation took prudent measures to conduct a thorough analysis of the incident and implement solutions to deter future occurrences.”
Really. There was no explanation of what the incident involved. Nor did the notification to the New Hampshire Attorney General’s Office contain even a clue as to the nature of the incident or why it took from April 2009 until November 6 to notify them or the individual(s).
Is Lockheed Martin being intentionally vague because of an ongoing investigation, did they accidentally omit a paragraph explaining the incident, or is something else going on? Can a recipient really assess the risk they face without some sense of what happened?
Update April 16: The NYS Consumer Protection logs show that it received a breach report from Lockheed Martin concerning a hacking incident that affected 15 NYS residents.