If Santa Claus did not have a Data Protection Officer


Santa Claus had been the victim of a significant cyber-attack by hackers who do not love Christmas. Their aim was to take control of the naughty list he maintains, which records the reasons for not sending gifts.

The hackers went further: they published the list on various websites, defaced the site, and blackmailed Santa Claus, demanding a ransom in bitcoin in exchange for not selling the personal data of famous members of the list on the black market (Darknet).

In addition, the hackers threatened that if Santa Claus informed the police about the blackmail, they would carry out a cyber-attack and shut down the distribution management and gift production systems, damaging the reputation he had built through many years of effort.

Santa Claus was in a lot of trouble, and for a moment he thought that everything he had achieved until today would be destroyed. The Data Protection Officer asked to meet all the members of the Incident Response Team he had set up, whose aim had always been the timely and efficient shipping of gifts to children all over the world.

The Incident Response Team was made up of:

  • Data Protection Officer
  • Production & Distribution Engineer
  • Lawyer
  • Chief Information Security Officer
  • Director of Communications & Marketing
  • CFO
  • Head of Compliance
  • Director of Public Relations
  • Risk Manager

During their meeting, the Data Protection Officer asked for the company's Incident Response Plan to be implemented.

The Risk Manager informed the group members that they could seek the help of the experts available from the company's insurer, but that this should not be leaked, as the contract also covered ransom in case of blackmail.

They asked for help from the insurance company, which sent a GDPR expert lawyer and a forensics investigator to help.

With the arrival of the experts, they started putting the Incident Response Plan into action. They informed the authorities within 72 hours, stopped the data leakage and implemented additional protection measures on their systems.

They called in the crisis management experts, set up the company's communication plan and started informing their naughty list customers about the attack.

Some of the naughty list customers requested compensation from Santa Claus and took their case to court.

Finally Santa Claus, with the help of the experts, managed to:

  • Reach an agreement with the members of the naughty list, enabling them to receive their gifts normally in the coming years if they comply
  • Avoid paying the ransom
  • Continue to offer the children the gifts they asked for

* The story is fictional but can occur in any real company.

Read more: https://www.privacyrisksadvisors.com/news/if-santa-claus-did-not-have-a-data-protection-officer/