Australia’s Tabcorp Holdings has been fined A$1m ($642,000) by the Victoria state gambling regulator for failing to follow directions in the aftermath of a data centre outage in late 2020.
The Victorian Gambling and Casino Control Commission (VGCCC) on Monday (September 4) issued the fine to subsidiary Tabcorp Wagering (VIC) Pty Ltd for failing to provide an adequate third-party assessment of Tabcorp’s disaster recovery capability and a subsequent due diligence report on deadline.
“What this disciplinary action should show, to Tabcorp and to others, [is] that non-compliance with directions will not be tolerated and cannot be treated as a mere cost of doing business,” the decision said.
The A$1m fine, a record for the company in Victoria, was at the lower end of a maximum permitted fine of just over A$9m for the two breaches.
Triggered by a “smoke and likely fire” incident, the data centre outage in Sydney in November 2020 resulted in disruption of “core Tabcorp internal and customer-facing systems, and subsequently the shutdown of core customer services”, according to the decision.
The system outage affected “approximately 700 servers … across the business, further impacting applications in the managed private cloud environment … across Gaming, Lotteries and Keno, Wagering, and Tabcorp’s corporate systems”, it said.
The outage, which occurred during the 2020 Spring Racing Carnival, also caused an EBITDA loss of around A$10m for the company.
However, Tabcorp’s regulatory response to the incident began to fall apart when it refused to provide an initial Deloitte report into the incident to the VGCCC, forcing the regulator to “turn to its compulsory powers to gain assurance that another outage would not occur”.
Subsequently, the regulator ordered Tabcorp to deliver an independent expert assessment of its “business continuity and disaster recovery infrastructure and processes for the wagering and betting system” by the end of August 2021.
That report, also by Deloitte, was delivered late and failed to satisfy the regulator that the company’s amended disaster recovery protocols were “fit for purpose”.
Tabcorp further antagonised the regulator when it delivered a separate due diligence assessment by Deloitte of disaster recovery capacities some four months after an extended deadline.
Although the VGCCC decision said it could not find that Tabcorp acted with “capriciousness”, it criticised “Tabcorp’s apparent lack of interest in engaging positively, proactively and promptly with the commission to resolve areas of disagreement or matters requiring clarification”.
It also expressed concern that “current Tabcorp management continues to show an inclination towards minimising its own responsibility for the contravening conduct by pointing the finger at others, namely the commission and Deloitte”.
VGCCC chair Fran Thorn said in a statement on Tuesday (September 5) that the regulator “will not tolerate licensees that are not forthcoming and cooperative when the commission investigates”.
She said: “The commission had to use its compulsory powers and issue directions because Tabcorp did not provide the information we required about the business continuity and disaster recovery capability of its systems.
“It is Tabcorp’s failure to comply with these directions that has led to the fine announced today.”
The Tabcorp fine is one of a growing number of punitive actions by the VGCCC against non-compliant licensees and confirms its aggressive approach in overseeing all gaming segments.