Santa's Workshop is the latest victim of a high-profile, high-value data breach following an intrusion that allowed thieves to make off with the contents of Christmas-critical data including the highly sensitive Naughty/Nice list for 2011, according to a press release posted yesterday by New York-based database security and intrusion-prevention software developer Application Security, Inc.
The Naughty/Nice database included details of the 2011 naughty/nice track record for millions of children and adults as well as their names, street addresses, email addresses and other contact information.
The user data was paired with logistical data such as Santa's secret delivery routes and methods, lists of requests from both children and adults, presents designated for those on the right side of the Naughty/Nice divide and details of what the Naughty did to deserve their lumps of coal.
Data so complete could be used either to harass or prevent Santa's own progress at Xmas, North Pole sources confirmed. It could also be used to identify the Nice who are scheduled to receive the best presents and target them for post-Xmas burglaries or mail theft.
Details from the Naughty list could be used either to blackmail those on the list, or to prequalify those who are the right kind of Naughty as potential targets for hackers seeking mates or dates for themselves.
"Our entire organization has been compromised," according to a quote within the release that was attributed to a Mrs. Claus, COO for Santa's Workshop. "Due to the sensitive nature of the data jeopardized by this breach, Santa's Workshop and its thousands of employees face the very real prospect of being shut down."
Only hackers with no sense of conscience, propriety, or fear of being naughty-listed could have been so crass as to attack Santa's Workshop during the final run-up to Xmas, raising the annual stakes in the race to save Christmas.
Suspects include disgruntled database admin Hermey – the malcontent-elf-turned-dentist portrayed in Rudolph the Red Nosed Reindeer – the allegedly non-human, yeti-like mythical creature known as The Grinch, as well as the hacktivist group Anonymous, the leading Usual Suspect scapegoat for high-profile digital crimes, at least within the U.S. and Britain.
Internet is new source of Xmas peril
Though considered a generally benign, non-controversial holiday – unlike European Druidic rites that form the basis of much of its imagery – Christmas is discovered to be under threat in every one of hundreds of children's Christmas-season TV specials every year.
Somehow Christmas is always saved in the end, but that involves only threats presented on television.
A more concrete threat to Santa comes in the form of the annual, highly detailed, resource-intensive effort by NORAD to track Santa from initial takeoff to final landing during his annual 24-hour gift-delivery marathon. NORAD is a U.S. military agency responsible for monitoring locations, takeoff and flight of intercontinental ballistic missiles and helping direct anti-missile weapons systems.
The details and data NORAD provides on Santa's location, speed and direction are more than sufficient for military or terrorist organizations to target the flying sleigh with anti-aircraft weapons, though no such attempt at direct attack has yet been attributed to the exposure by NORAD.
Threats to Christmas coming via the Internet are relatively new, especially threats involving peculiarly digital schemes and techniques such as remote-access digital espionage and sabotage, according to Xmas security analysts.
Efforts by Santa's Workshop to keep up with the times by automating its supply chain, shifting to a cloud-computing infrastructure, digitizing the collection and analysis of naughty/nice data and even logistical planning for the big annual trip itself all made the Workshop more vulnerable to a new generation of skulking culprits and new vectors of attack, at least compared to the days when all data was hand-written on vellum using quill pens filled with red or green ink, Santa security specialists said.
Even Application Security, which announced the breach and claims to have been contracted to investigate the incident, identify the culprits and repair the damage, appears to be trying to exploit the potential Xmas disaster for its own benefit.
The company announced it will conduct a webinar series in which its intrusion-prevention experts will present their analysis of some of the record number of high-profile data breaches during 2011 in order to map out best practices and advice to help other companies avoid being victimized.
The series "will explore some of the most common attack methods, the patterns and warning signals that can be readily detected and tips for how organizations can stop attempts to compromise sensitive data assets," the obviously self-serving announcement read.
AppSec did not describe whether details of the attack on Santa's Workshop would be presented in the webinars, whether AppSec analysts would reveal clues to the identity of the culprits, or whether the free webinars would include any cookies and milk for the participants.
The company also promised "prizes" for participants, though these turn out mostly to be copies of one of five Christmas movies – none of which contain any significant instructional hacking or digital security content – or an AppSec T-shirt.
Anyone who attends all the seminars will be entered in a drawing for an Apple iPad.
There is no indication from AppSec whether winners of the iPad, shirts or movies will have to qualify as Nice in order to be eligible to win.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.