Santa’s naughty list exposed in data breach

TORONTO, December 21, 2022 – Today, more than 600,000 individuals around the world on Santa’s naughty list received a notice that their personal information was exposed in a data breach of the naughty and nice list just four days before Christmas.

Data breaches occur when an unauthorized third party accesses an organization’s private information. No one has yet claimed responsibility for the attack, but authorities believe it can be attributed to The Grinch.

Luckily, receiving a data breach notification doesn’t mean you’re doomed. What you do in the succeeding hours and days can have a major impact on whether the initial incident leads to identity fraud or not.

“Like holiday celebrations, unfortunately, data breaches are far-reaching and varied in how they’re deployed,” says Tony Anscombe, Chief Cybersecurity Evangelist at global IT-security company ESET. “If, like me, you find yourself on the naughty list, run through this list and check it twice to ensure you’re safe following a data breach notification.”

If you’ve been naughty this year and your personal information is at risk, ESET has put together the following checklist to help you land on the nice list.

  • Stay calm and read the notification carefully – A knee-jerk reaction might end up making things unnecessarily worse. No need to immediately close your online accounts or cancel all your cards. Instead, take a deep breath and pay attention to what happened. Read through the details of the incident carefully and understand what was stolen and the implications of this theft. It’s also worth keeping the letter or email in case you need to prove in the future that the breach was no fault of your own.
  • Make sure the notification is legitimate – Sometimes fraudulent phishing emails and texts are designed to trick you into clicking through on a malicious link or divulging more personal information. One way to grab your attention is by claiming your data has been involved in a breach. These messages are getting harder to differentiate from the real thing. If you’re unsure, contact the organization directly using contact information on its official website to confirm with their team if a data breach did indeed happen and if your information was involved.
  • Be on your guard for follow-up fraud – The hackers responsible for breaching your data in the first place are likely to then sell it on specialized criminal sites, hidden on the dark web. Fraudsters buy this up and then try to target you with phishing messages designed to elicit further info, like logins and card details, which they can monetize. Following a data breach, be on guard for any official-looking correspondence. It may be disguised to appear as if sent from the breached company itself, or another source. Tell-tale signs of phishing emails are grammatical and spelling mistakes, sender email addresses different from the actual company, and the creation of a sense of urgency, in order to trick you into acting without thinking first.
  • Change your passwords – Even if your logins haven’t been compromised in the breach, it would be a good idea to change them anyway, for peace of mind. In addition to changing your password, adding multi-factor authentication keeps your accounts extra secure. Also change the passwords on any other accounts where you use the same logins. This is because hackers have access to automated software which can try large numbers of stolen logins on multiple sites across the web until they get lucky.
  • Cancel or freeze your cards – It goes without saying that if you’ve been notified of a serious breach of financial information, you should inform your bank immediately, cancel or freeze your cards and change any passwords. If details such as your Social Insurance Number or identity numbers have been stolen in a breach, fraudsters may use them to try to take out lines of credit in your name, before running up a huge debt and then disappearing.

By staying alert and understanding your risk exposure, there’s a good chance that you’ll be able to manage the impact of an incident without creating too much disruption to your digital world.

Visit to keep up to date with the latest online threats and learn more about how you can protect yourself and your family from being the victim of fraud.  

About ESET

For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit or follow us on LinkedIn, Facebook, and Twitter.