How data breach nearly cost Lotteries operator its license to trade

Gidani (licensed operator of the South African national lottery) recently came perilously close to losing its R400 million a year contract due to a massive data breach.

The reason for this near-miss was its failure to secure its business-critical data (a requirement of its contract with the National Lotteries Board) – with two independent audits questioning existing measures to protect confidential data.

The much publicized data breach that led to fraudulent activity at Gidani, of course, played a crucial part in highlighting the failings of the technology and processes in place at the operator.

According to local news reports “the board initially considered revoking Gidani’s licence altogether . . . but it had since decided to fine the company instead.”

That a case of poor data security nearly put Gidani out of business is by no means an isolated incident. History is littered with companies that suffered severe loss of business and damage to market reputation through data breaches of confidential information – just ask SONY.

Make.Believe?

The Ponemon Institute estimates that last year’s data breach at SONY will cost the company an absolute minimum of $5.6 billion – with the majority of cost attributed to “expense outlays for detection, escalation, notification, and after-the-fact (ex-post) response” as well as the “economic impact of lost or diminished customer trust and confidence as measured by customer turnover, or churn, rates.”

$5.6 billion, R400 million a year – whatever the monetary value that is associated with data security breaches, it pales in comparison to the direct impact a failure to protect data can have on company board members in their personal capacity.

Board liable

Company secrets, resources and knowledge bases have become exceptionally valuable – and the loss of this sensitive information can lead to massive reputational damage, hefty financial penalties or even incarceration. Often companies think a data breach won’t happen to them as they fail to understand the risks and threats involved.

While South Africa struggles towards aligning its data protection legislation with that of the rest of the world and, particularly, the UK and the USA, with Acts such as the Protection of Personal Information Bill (PPI) – the effective protection of information has become an increasingly topical issue for the South African population.

This incident further increases the public’s concern around the Intelligence Minister’s information being ineffectively protected, and now, compromised – as South Africans gain greater insight into how vital protecting data really is.

Data Loss: The Bigger Picture

With the Protection of Personal Information (PPI) bill currently being drafted in South Africa, board members face the possibility of being held personally liable, with prison sentences, fines and the like on the cards should companies be found guilty of not taking appropriate steps to safeguard their business-critical and confidential information.

The direct cost and personal liability to businesses and individuals alike are sure to make believers out of those skeptical of the role Governance, Risk and Compliance (GRC) plays in business operations today. The consequences of a data breach can be very severe, causing reputational damage as well as financial penalties.

Ask “The Gov”

Cibecs is well aware of the reluctance within organizations to take decisive action in terms of their GRC status, especially amongst IT professionals who already find their plates filled to capacity.

In order to assist companies in their quest for hassle-free compliance, Cibecs is making the services of its in-house GRC specialist, “The Gov”, available to field any and all GRC-related questions.

“The Gov” is also more than happy to share his in-depth knowledge of procedures relating to the security of mission critical data.

“We encourage companies of all sizes to get in touch with The Gov to ensure their procedures are in line, their data sufficiently protected and their business continuity planning on par with industry best practices,” says Cibecs Marketing Manager, Brandon Faber.

“Questions can be posed to the Gov on the following address: thegov@cibecs.com.”
