This is quite dated now, but I only just stumbled upon the announcement of the breach of the Apache Software Foundation’s servers last April. It was certainly an unfortunate event, and one that could have been limited or even prevented by proper (and properly enforced) security procedures. Still, their post-incident report should be a model to all for disclosure of such breaches, especially its inclusion of the details of how access was obtained, complete with candid admissions of where their own policies and security were lax enough to allow the attackers to gain further access.
It’s unfortunate that it happened, but I commend the ASF for their openness and transparency following the breach.