2.4 million customers, one point of failure
Lotto NZ is not a corner dairy raffle. According to the 2023/24 New Zealand Gambling Survey, 55.2% of New Zealand adults, roughly 2.4 million people, bought a Lotto product in the prior year. The organisation operates through 1,200 retail outlets and a digital platform that handles a growing share of transactions. By any measure, it is one of New Zealand’s largest consumer-facing operations.
And it keeps going offline.
In September 2025, Lotto NZ took all services offline from Sunday evening until late Monday afternoon for a major technology platform upgrade. Chief executive Jason Delamore said at the time the transition had been two years in planning. That is not a rushed job. That is a deliberate, well-resourced outage by a Crown entity with direct government oversight through shareholder expectations letters and Audit New Zealand scrutiny.
Go back further and the pattern sharpens. In 2019, a fire at SkyCity’s International Convention Centre forced the first-ever off-air Lotto draw in New Zealand history. Numbers had to be drawn by a random number generator at Lotto NZ’s Newmarket office. The organisation improvised well, but the incident revealed a broadcast infrastructure with no built-in redundancy.
None of these incidents was catastrophic. Nobody lost money. The draws happened. But that is precisely the point. If an organisation this well-resourced, this regulated, and this visible still produces unplanned blackouts and extended planned outages, what does that say about the businesses that lack all three?
The gap between confidence and capability
The honest answer, based on available data, is not encouraging. A Datacom survey of security leaders across New Zealand and Australia found that only 30% of New Zealand organisations have a business continuity or cyber incident response plan in place. At the same time, 73% of respondents said they had sufficient visibility of risks and 78% said they had the internal resources to manage attacks.
That is a staggering disconnect. Nearly three quarters of organisations believe they can see the threats coming. Fewer than a third have written down what they will actually do when one arrives.
Datacom’s CISO Collin Penman identified the core issue as a preparedness problem, not a technology one. The survey found four in 10 respondents expected recovery from a major incident within days. Real-world cases told a different story: production halted for five weeks in one instance, with full recovery taking nearly five months.
This is not abstract. The CrowdStrike outage in July 2024, a single vendor’s faulty software update, generated at least US$5.4 billion in costs globally. One update. One vendor. Billions in damage. Concentration risk is not a theoretical concern for IT departments. It is a balance-sheet risk for boards.
Regulation is coming whether businesses are ready or not
The government appears to have noticed the gap. In February 2026, the Department of the Prime Minister and Cabinet released papers outlining New Zealand’s Cyber Security Strategy 2026-2030, proposing mandatory resilience requirements for approximately 200 critical infrastructure entities across seven essential services. Proposed obligations include risk management programmes aligned with NIST or ISO 27001 frameworks and mandatory incident reporting within 72 hours.
The numbers driving that strategy are blunt. New Zealand loses more than $1.6 billion annually to cybercrime, and 59% of large businesses experienced a cyber incident in the past year.
For the 200 entities in scope, compliance will become a cost of doing business. For everyone else, the incentive remains reputational and financial rather than legal. But the direction of travel is clear. Mandatory resilience standards for some will become the benchmark against which all are judged, by customers, insurers, and supply chain partners.
The management question nobody wants to answer
The Lotto story is useful precisely because it is low-stakes. Nobody’s health was at risk. No money was lost. The draws happened eventually. But that is what makes it such an effective mirror for business owners.
Lotto NZ had two years of planning, dedicated capital, regulatory oversight, and a Crown entity’s resources behind its September 2025 upgrade. It still needed to take everything offline for the better part of a day. A separate upgrade caused tickets to temporarily vanish from customer accounts, generating public anger about timing.
If that is what competent, well-funded resilience looks like, the question for every mid-market business owner running legacy systems with no documented recovery plan is uncomfortable but unavoidable: how long would your customers wait?
Sources
- 1News: Lotto draw to take place off-air for first time due to SkyCity convention centre fire (2019-10-23)
- 1News: Lotto counters and app to go offline for major tech upgrade (2025-09-26)
- New Zealand Gambling Survey 2023/24 – Lotto NZ Product Participation (2024)
- Lotto NZ Integrated Report 2023/24 (2024-06-30)
- Datacom finds New Zealand firms lack cyber recovery plans
- RiskNZ: Catch-up or pay up – New Zealand’s cyber resilience gap falls to brokers (2026-02)
- NZ Herald: Ticket glitch – Why Lotto NZ chose Saturday night for a system upgrade