How Gidani nearly lost the lottery licence
Jeanne van der Merwe, Media24 Investigations
Johannesburg - Confidential recordings of National Lotteries Board meetings reveal for the first time the true severity of a security breach which saw winnings looted in the R4bn-a-year competition.
The breach saw an employee seconded to national lottery operator Gidani duplicate winning tickets which were about to expire and collect R250 000 in winnings during 2009.
It was so serious that the Board - the state’s lottery oversight body - considered withdrawing Gidani’s licence, worth nearly R400m a year, and controversially awarded in 2007.
Over the last year media reports have speculated about the breach and a Carte Blanche insert identified some detail of how it was orchestrated and the employee accused of it.
At the same time the Board and Gidani have repeatedly downplayed the severity of the security breach first mentioned cryptically in the Board’s annual report.
But nearly seven hours of recordings leaked to Media24 Investigations tell another story.
They show how, over meetings at the end of 2009, the Board – far from downplaying the seriousness of the breach – grappled with what to do and discussed how:
- Two security audits questioned the operator’s security measures to protect confidential lottery data;
- The failure to secure the data appeared to be a blatant breach of Gidani’s lucrative licence agreement, and Gidani could have lost the licence;
- The lottery could have been plundered weekly using the same security hole, and the internal security systems of Gidani and its business and technical partner, Intralot, would not have picked it up; and
- The breach was discovered by accident by a colleague who noticed the alleged perpetrator behaving strangely.
The recordings reflect Board chairperson Joe Foster saying: “This is a major breach. We can’t just allow this to just go by the wayside, we need to teach them a lesson. They need to pay for their sins.”
Lottery CEO Vevek Ram described how a whistleblower within Intralot SA had approached Gidani’s CEO, Bongani Khumalo, and “told him, listen, I think there’s something going on”, after which Gidani had arranged surveillance of the man.
“They followed this guy around and they looked at surveillance cameras and all that, and they found him out. And they confronted him, and then he confessed.
“Had the whistleblower not come forward, this fraud would be continuing as we speak,” said Ram.
In the recordings Ram speculated that the technician could easily have stolen as much as R50 000 to R100 000 a week undetected. If there had been R1.5m to R2m in unclaimed prizes available in a particular week, it would have been possible for him to take up to R250 000 in a week without being noticed.
The board had initially considered revoking Gidani’s licence, because it had breached two crucial conditions of its licence – failing to take preventative measures to stop fraud and the theft that resulted from the security failures.
At the time, Gidani already had a R5m suspended sentence hanging over its head because of another breach of the licence – relating to unauthorised lottery network access.
But after considering the damage another stoppage would do to the lottery, less than two years after a six-month hiatus in the competition due to the dispute over Gidani’s initial award of the licence, the board instead decided to fine the company.
There were also concerns in the Board about whether similar problems existed in other countries where Intralot operated, and the Board considered sounding the alarm internationally.
The recorded discussions show how members of the Board became more suspicious over Intralot, a listed Greek company with operations in 53 countries.
The decision to fine Gidani an effective R7.5m was considered a slap on the wrist by at least one board member with whom Media24 Investigations spoke, although other experts said it was fair.
Last week Gidani insisted the problem was not as serious as the recordings suggest, insisted it had been unfairly fined – and that its security systems had always been water-tight.
What made the breach even more shocking to the Board was the fact that two independent security audits – the first one done at the board’s insistence by auditing firm KPMG in 2008, and a second audit by an independent expert some months later – had shown vulnerabilities in the databases containing the prize winner data. The fraud had, therefore, been entirely avoidable.
After the breach, meetings reveal, Intralot brought in two technicians from Greece to restore security.
But before the breach was discovered the IT manager working for Intralot was able to steal a quarter of a million rand in unclaimed prizes between April and July 2009.
The employee faced criminal charges which are still pending.
This meant that someone with a winning ticket could have claimed a prize, only to be told it had already been claimed.
The breach was cryptically referred to in the Board’s 2011 annual report which said Gidani had received a R7.5m fine for “a contravention of […] the Licence Agreement”.