The Latest Jockey Club Press Release Doesn’t Quite Pass the Smell Test
The Jockey Club issued an update Thursday afternoon on its investigation into the leaked veterinary enhanced past performances that have roiled the industry of late. The statement is worth reading in its entirety, not for what it says, but for the tension it cannot resolve.
According to The Jockey Club, a thorough review of the InCompass Track Manager system found no unauthorized access, no breach, no security detections, no endpoint security issues, and nothing unusual at any layer of a multi-tier security infrastructure that includes intrusion prevention, firewall protection, vulnerability scanning, endpoint protection, and around the clock security operations center monitoring. Clean bill of health. Investigation complete. Nothing to see here.
And then, in the very next paragraph, The Jockey Club announced it is restricting access to veterinary list information, limiting the amount of data available to track users, and working with HISA and industry stakeholders to implement additional safeguards going forward.
These two statements do not reconcile.
If the system was never breached, if no unauthorized access occurred, if every security layer performed exactly as designed, then what precisely is being fixed? What specific risk does the new restricted access regime eliminate that the old system allowed? If the outcome that apparently occurred was never a problem under the old architecture, why is preventing that outcome now a stated priority?
The Jockey Club has not answered those questions. They have not been asked to answer them, at least not in public, and not by any outlet with the institutional proximity to demand it.
The answer, of course, is embedded in the word the statement leans on most heavily: unauthorized. The statement confirms no unauthorized access. It says nothing whatsoever about authorized access. It is entirely silent on whether someone holding valid InCompass credentials, someone with every legitimate right to be inside the system, pulled veterinary list data and routed it to a party that had no business receiving it. That scenario would not register as a breach. It would not trigger an intrusion prevention alert. It would not show up as suspicious activity in a security audit. The door was never forced. Someone with a key walked through it.
The remediation can explain what may have happened. Why restrict what authorized users can see unless authorized users are the problem? Would you limit the data available to track users unless track users or someone operating through track users, is how the data got out. The Jockey Club’s own corrective actions can be taken as a confession written in the passive voice.
This is not a new observation. Past The Wire raised it when the first TJC statement was issued last week. The question was never whether InCompass got hacked. The architecture of the story, the kind of data that appeared in those past performances, the treatment details and not merely eligibility flags, pointed from the beginning toward authorized insider access, not an external intrusion. The first statement did not answer that question. The update, with its careful construction around the word unauthorized, still does not answer it.
What it does do is reinforce why that question mattered from the beginning.
The Jockey Club closes its update with a gesture toward transparency, noting it will work with data providers to determine what information should be made publicly available while protecting the integrity of the sport. That framing is instructive. The industry is treating this as a question about what the public should be permitted to see, rather than as a question about what certain insiders should never have been able to extract. Those are not the same problem, and solving one does not address the other.
The bettors who fund this sport are owed a more direct answer. Not about firewalls. Not about endpoint protection. About who had access to treatment level veterinary data, what controls governed how that data could be used once accessed, whether any of those controls were violated by someone operating entirely within their authorized permissions, and whether the industry has any intention of saying so plainly.
Either the existing access controls were appropriate, or they were not. If they were appropriate, why are they being tightened? If they were not appropriate, then the discussion is no longer simply about whether someone hacked into the system. It becomes a question of whether the system allowed information to be used in ways that, while technically authorized, were never intended.
Nothing was broken, they tell us.
So why does it need fixing?
