UPS Canada is informing customers of a data breach, but the notification letters may be the worst breach notification in history.
Brett Callow, Threat Analyst at Emsisoft, tweeted a copy of the letter he received. Interestingly, the letter is entitled: “Re: Fighting Phishing and Smishing — An Update from UPS.”
The letter then spends the first three paragraphs explaining what phishing and smishing attacks are, and reads very much like an instructional letter aimed at helping customers protect themselves.
It is only in the fourth paragraph that UPS finally gets around to disclosing that the company suffered a breach, one that could reveal users’ phone numbers and open them up to phishing attacks.
Callow described the letter in his tweet:
So @UPS_Canada sent me a letter about phishing and smishing. Turns out it wasn’t simply intended to be educational. In the 4th paragraph, it became apparent that it was actually a data breach notification.
This is not what a data breach notification should look like. They should immediately make clear what they are or else people will do what I almost did and put them in the recycling unread.
Brett Callow (@BrettCallow) — June 21, 2023
There is no information regarding the extent of the breach, or whether it extends beyond UPS Canada.
Companies experiencing data breaches should take note of UPS’ example…of how not to handle a data breach notification.