Keep race days online, protect punter data and payments, satisfy AUSTRAC obligations and safeguard integrity systems — with security aligned to the ACSC Essential Eight, PCI DSS, AML/CTF Act and the Privacy Act 1988.
Australian horse racing and wagering is one of the country's most economically significant sporting sectors — and one of its most attractive cyber targets. The industry generates an estimated $9.5 billion in economic contribution and supports around 75,000 jobs, with annual thoroughbred wagering turnover of approximately $27 billion (Racing Australia, 2024). Horse racing accounts for roughly 37.9% of the Australian sports-betting market by revenue, which was valued at approximately AUD 8.3 billion in 2025 (Expert Market Research, 2025).
The ecosystem is large and interconnected. Racing Australia is the national peak body for thoroughbred racing; Racing NSW and Racing Victoria are the two largest Principal Racing Authorities (PRAs), each responsible for conducting race meetings, licensing participants and enforcing rules of racing in their jurisdiction. Wagering is delivered through both the on-course and off-course TAB network (operated nationally by Tabcorp) and a growing field of online corporate bookmakers — including Sportsbet, Bet365, Ladbrokes, Neds, Pointsbet and others — all of which hold state or territory wagering licences.
This density of digital touchpoints — wagering apps, customer account portals, live-form data feeds, stewards’ systems, payment gateways and integrity databases — creates a broad attack surface that demands a coherent, multi-layered security posture.
The Melbourne Cup, The Everest, Caulfield Cup and Golden Eagle collectively attract hundreds of millions of dollars in wagering on single days. For online operators, even minutes of downtime translate directly into lost revenue, punter frustration and reputational damage, conditions that threat actors deliberately exploit.
DDoS attacks targeting Australian infrastructure have grown significantly in scale. The ASD’s Annual Cyber Threat Report 2024–25 recorded an 11% year-on-year increase in cyber incidents and a 111% rise in attacks against critical infrastructure (ASD, 2025). Betting platforms are a clear high-value target: always-on, transaction-intensive, and brand-sensitive.
Effective peak-event protection goes beyond bandwidth provisioning. It requires:
Every deposit and withdrawal on a wagering platform is a card-payment event. Operators that store, process or transmit cardholder data are in scope for PCI DSS and must demonstrate compliance to their acquiring bank. Simultaneously, the personally identifiable information collected at account opening — name, address, date of birth, government-ID details and transaction history — is protected information under the Privacy Act 1988 and the Australian Privacy Principles (APPs).
Notifiable Data Breach (NDB) obligations under Part IIIC of the Privacy Act apply where a breach is likely to result in serious harm. The average self-reported cost of a cybercrime incident for a large Australian business rose 219% in FY2024–25 to $202,700 (ASD, 2025) — and that figure excludes regulatory fines, remediation and reputational costs.
Key obligations for wagering operators.
Online wagering operators are reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), supervised by AUSTRAC. They must maintain a compliant AML/CTF programme, conduct ongoing customer due diligence, monitor for suspicious transactions and submit threshold and suspicious matter reports (SMRs) to AUSTRAC.
Enforcement actions make clear that AUSTRAC is active in this sector:
Cryptiq maps AML/CTF programme controls to the technical security requirements that support them: secure transaction monitoring infrastructure, segregated data environments, identity verification system integrity, audit-log retention and access controls that satisfy AUSTRAC’s independent review expectations.
Australia’s principal racing authorities invest heavily in integrity infrastructure: stewards’ reports, veterinary sampling and chain-of-custody systems, betting-fluctuation monitoring and participant licensing databases. The value of this data to race-fixers, insider actors and organised-crime groups is significant, and the consequences of a compromise extend well beyond commercial loss to the sport’s social licence.
Racing Victoria, for instance, partnered with CGI (via Unico) to build Australia’s first digital racing integrity platform — a mobile-enabled, digitally signed, nationally integrated veterinary sampling system designed to replace paper-based processes that carried inherent authentication weaknesses and single points of failure (CGI, 2022). This kind of digital transformation creates stronger integrity assurance but also introduces new cyber-attack surfaces that require active security management.
Online wagering accounts hold real money — deposited funds, pending withdrawals and promotional balances. They are a high-value target for credential-stuffing bots, account-takeover (ATO) campaigns and organised bonus-fraud rings.
ATO attacks surged 254% in 2023 compared to the prior year, driven heavily by credential-stuffing at scale (Akamai, 2024). Akamai counts approximately 26 billion credential-stuffing attempts globally every month. In Australia, compromised account credentials from major retail and hospitality brands appeared on criminal marketplaces from July 2023, quickly expanding to cover wagering and financial services accounts (Larsen/LarsencCyber, 2024).
Account-takeover, bonus abuse and loyalty fraud collectively account for 68% of betting and gaming losses according to SEON’s 2026 Fraud & AML Leaders Survey. Cryptiq’s defences target these fraud vectors at multiple layers:
Why wagering accounts are prime targets.
We deploy proven services against the specific threats, obligations and operational rhythms of Australian racing clubs, PRAs, TAB operators and corporate bookmakers.
24/7 Security Operations Centre monitoring, DDoS mitigation and incident-response playbooks tuned to peak-event availability windows. We scale coverage to align with marquee race day calendars.
PCI DSS gap analysis and remediation, MFA roll-out, bot management, account-takeover defences, endpoint protection and penetration testing across wagering platforms and back-end systems.
Fractional security leadership for racing regulators, integrity bodies and wagering operators. We manage AML/CTF programme alignment, AUSTRAC audit readiness, board reporting and vendor due-diligence.
Secure, managed infrastructure for racing clubs and PRAs — from endpoint management and patching to Microsoft 365 hardening, Conditional Access and Defender for Business deployment.
Deployment and optimisation of Microsoft Sentinel, Defender XDR, Entra ID and Purview for wagering operators already invested in the Microsoft ecosystem — maximising licence value and closing security gaps.
Security-conscious web design and hosting for racing clubs, jockey clubs and industry bodies — with WAF protection, SSL/TLS management and ongoing vulnerability monitoring built in from day one.
Racing and wagering operators carry a distinct and layered compliance burden. Cryptiq aligns security controls to each obligation so you are not paying for generic frameworks that do not fit your business.
Built for peak-event resilience and year-round integrity.
We map your systems — wagering platform, payment environment, integrity databases, Microsoft 365 tenant — and identify your regulatory obligations and current control gaps.
We produce a prioritised risk register calibrated to the racing and wagering threat landscape: DDoS exposure, AML/CTF programme gaps, PCI scope, integrity-data access controls and account-fraud vectors.
A practical remediation roadmap aligned to your race-day calendar and budget cycle, with high-impact quick wins (MFA, logging, patch hygiene) delivered first.
Ongoing SOC monitoring, SIEM management, vulnerability scanning, DDoS readiness testing and vCISO support — with race-day coverage windows agreed upfront.
We combine cloud-based DDoS mitigation, pre-event load testing and 24/7 SOC coverage with a documented incident-response plan rehearsed against peak-event scenarios. Coverage windows are agreed against your race calendar — so the Melbourne Cup and The Everest are never a surprise for our team. Redundant architecture and defined failover paths mean that a single infrastructure failure cannot take your platform dark during a live broadcast window.
Yes. We align the technical security controls that underpin an AML/CTF programme — secure transaction-monitoring infrastructure, segregated logging environments, identity-verification system integrity, audit-log retention and role-based access controls — to the programme requirements AUSTRAC expects. We also support AUSTRAC independent review readiness and can assist your compliance team in closing gaps identified in an audit. AUSTRAC's December 2024 civil penalty proceedings against Entain (Ladbrokes/Neds) illustrate that online betting operators face real enforcement risk.
We scope your cardholder data environment, conduct a gap analysis against PCI DSS v4.0, and prioritise remediation to bring you into compliance. This includes tokenisation strategy, P2PE implementation, network segmentation review, vulnerability scanning, penetration testing and support for your Qualified Security Assessor (QSA) engagement. We work with your acquiring bank’s requirements in mind.
We apply least-privilege access controls, strong multi-factor authentication, encryption at rest and in transit, and comprehensive audit logging over stewards' records, veterinary-sampling chains of custody and betting-fluctuation monitoring systems. User behaviour analytics detect anomalous access patterns that could indicate insider misuse or external compromise. We also assess the security of third-party feeds and APIs that connect into integrity databases.
We deploy MFA enforcement, bot-management controls and velocity-rate limiting to disrupt credential-stuffing campaigns at the front door. SIEM correlation rules flag ATO indicators — such as unusual login geography, rapid deposit/withdrawal cycles and promo-code velocity — in real time. We also monitor compromised-credential databases for your customers' email addresses so you can prompt password resets before attackers exploit leaked credentials.
Both. Our services are modular: a regional racing club may engage us primarily for managed IT, Microsoft 365 hardening and web-presence security, while a national wagering operator may require full SOC/SIEM, DDoS protection, PCI DSS and vCISO services. We scope engagements to the size and complexity of your operation and to the obligations you actually carry.
Book a free, no-obligation security review tailored to Australian horse racing clubs, principal racing authorities and wagering operators. We’ll identify your highest-priority gaps and give you a clear picture of what’s needed — before the next major event.