I’m not sure that posting a breach notification on a Facebook page is sufficient when you also have a web site where you could post the announcement. Assuming everyone is on Facebook is risky.
Case in point: Common Market in Union, Maine, posted this on their Facebook page on October 30.
ATTENTION COMMON MARKET CUSTOMERS
We recently learned that there has been a breach of Debit and Credit Card data in our area. The Common Market was one of the stores compromised. Please keep a close eye on your Debit and/or Credit Card transactions for the last couple of months (from August 12 to October 26) for any suspicious activities or charges that you do not recognize. Contact your bank immediately if you see any suspicious activity.
We have been in close contact with our Debit/Credit card processor and they have taken steps to make sure our system is now secure.
We sincerely apologize for any inconvenience this has caused.
That FB post shows up in a scrolling feed on their web site, but if someone didn’t happen to check the site before it scrolled down, they might miss it.
While I commend Common Market for their transparency in notifying their customers, I would encourage ALL entities to post such disclosures on the home page of their web sites or to link to them prominently from the home page.