The last year has seen a dramatic increase in the volume of cyber-attacks, including some high-profile supply chain attacks on major cybersecurity service providers and government entities in the last month. With this in mind, we took the opportunity to speak to a long-standing client of ours, Santa Claus PLC, about their year in cyber security. Known as one of the most secretive and complex organisations in the world, they are charged with monitoring children’s behaviour globally and manufacturing presents in their Lapland factories. With a production team of over ~500,000 elves, they also deliver presents across the world with their reindeer-sleigh battalions and unrivalled logistics divisions.

It’s a challenge for any organisation to speak openly about the attacks that have affected them, particularly an organisation as high profile as Mr Claus’. But when they do, it’s often a fascinating and extremely valuable insight into the most sophisticated types of cyber attacks.

Transparency in the aftermath of an incident is an act of selflessness, which allows other organisations to collectively learn from any mistakes, and collaborate on a solution. 

With privacy regulations ramping up in multiple jurisdictions, Santa Claus PLC have faced scrutiny from multiple privacy regulators this year. With their Arctic-based operations initially a low priority for regulatory bodies, this year their satellite-based child behavioural monitoring systems were determined to be in scope for GDPR by European privacy regulators, especially with respect to their processing of special category data.

They have also been forced to undergo a major records management transformation, update their privacy policy, and seek consent from parents of minors to aggregate and analyse their children’s data in their state-of-the-art machine learning solutions. Santa Claus PLC have now urged all parents to complete consent forms before December 23rd, to avoid delays in the delivery of presents – which is already being threatened due delays caused by the COVID-19 pandemic. 

Mr Claus’ organisation has also been the victim of major cyber attacks, notably on their operational technology (OT) infrastructure used in their manufacturing plants. Given their relative isolation from the global internet in previous years, cyber attacks were not considered to be a risk. But on the back of a major upgrade to smart technology this year, the Arctic production estate was made vulnerable.

Thus far, attacks on their smart technology estate have not caused delays in production. However, a spate of hacks to machinery on the manufacturing and packaging floor caused smart industrial equipment to swing wildly and collapse, injuring several elves and causing spillages of industrial chemicals and coal supplies. The Elf Workers’ Union released a statement condemning the lax security around the production OT systems, stating that “cyber security is now a Health & Safety matter”, and indicating that they had settled out of court with Santa's senior management team. Management were also forced to pay a fine for “damage to the Arctic environment and wildlife” as a result of the chemical spills and coal pollution.

In November, management apologised for the incidents, and are now working to incorporate their OT estate into their business continuity and resilience planning. They have also committed to addressing the cyber skills shortage in their production teams, through a mixture of hiring and training. 

Santa Claus PLC’s delivery and logistics chain has thus far avoided being the target of a major attack. However, they have recently become the target of nation state sponsored cyber attacks that aim to delay the delivery of presents to major jurisdictions, triggering mass child tantrums and inevitable societal collapse.

In a practice run in November – meant to alleviate safety concerns among reindeer and elves alike – a hack perpetrated by a pair of teenagers caused IoT-enabled reindeer noses to flash blue and green instead of red, and then switch off. Whilst the reindeer are expected to still fly on Christmas Day, they have indicated that any further attacks would force them to consider self-grounding until lighting issues have been resolved.

One senior reindeer aerodynamics engineer commented, “The problem is the speed. If we go blind or get disoriented at sub-orbital speeds, we’ll hit the ground at 17,000 mph and vaporise a small city. It’s one of the many reasons we can’t get sleigh insurance.”

Santa’s management team have commented, “We have back up delivery contracts with a global logistics and warehousing provider if necessary, but the fleet is excited and ready to launch next week, and it would be a shame to ground them.” Governments around the world have begun to bring Santa Claus PLC into nation state resilience planning conversations, on the grounds that a cyber attack on their operations would cause major global disruptions. 

“We’ve had an interesting year. COVID-19 didn’t really make it to the Arctic, but we did take the precaution of switching our non-production elf staff to remote working – it was a challenge to find small enough desks. And yes, we’ve had some issues with privacy regulations and our operational technology estate. But we’re hiring the right talent to manage it, and our Christmas timetable is still expected to proceed without delay. To other organisations out there – just keep an eye on where you’re putting your tech, and make sure you’re being careful with your data. And to the public, just a small request to not hack our reindeer’s noses.”

We thank Santa Claus PLC for sharing their experience of managing their cyber security and privacy challenges through 2020, and we’re ever grateful for their work year on year. We’re looking forward to seeing what they bring us all for Christmas.