
Identity Theft: The Casino Game Nobody Wanted to Play

  • Writer: FAIR INTEL

December 10, 2025


Synopsis

The analysis describes a capable, financially motivated ransomware group compromising a casino–hotel–racetrack operator, exfiltrating high-value customer PII, and encrypting systems to maximize extortion leverage, with evidence of mature tooling, multi-step intrusion, and data leakage via a dark web site. Strategically, this pushes leadership to treat ransomware-plus-exfiltration as a top business risk, update risk appetite and scenario planning, and ensure board-level visibility into PII protection and recovery readiness. Operationally, it drives investment in stronger access control, monitoring, segmentation, backup resilience, and incident handling mapped to specific NIST 800-53 controls and ATT&CK techniques, while tactically requiring improved detections, playbooks, DFIR capabilities, and awareness training focused on PII-bearing systems. The incident and FAIR modeling suggest moderate control strength against a high-capability adversary, resulting in meaningful susceptibility and a nontrivial loss event frequency that must be reflected in the risk register and remediation priorities. Financial resilience is directly affected by expected primary losses from response, restoration, and credit monitoring, and secondary losses from regulatory actions, litigation, and reputational damage, making quantified investment in preventive and detective controls, as well as tested recovery and communication plans, a justified cost to reduce future loss magnitude and volatility.


Evaluated Source, Context, and Claim

Artifact Title

Running Aces Data Breach Exposes Sensitive Customer Info

Databreach Disclosure


Source Type

News / breach-notification write-up with embedded regulatory notice letter.


Publication Date: November 24 through December 1, 2025


Credibility Assessment

The incident details come from an official breach notice filed with a state attorney general, which is generally highly reliable for factual scope and timing. Attribution to the Qilin ransomware group is based on the group’s claims and should be treated as plausible but not independently verified in this OSINT.


General Claim

Running Aces Casino, Hotel & Racetrack experienced a Qilin-attributed ransomware intrusion that compromised its network, enabling unauthorized access and exfiltration of sensitive customer PII (names, Social Security numbers, dates of birth, and driver’s license numbers), prompting regulatory notification and remediation actions.

 

Narrative Reconstruction

A financially motivated ransomware group, allegedly Qilin, compromised the network of a regional casino–hotel–racetrack operator, gaining unauthorized access to systems that store customer records and associated identity data. Using a killchain-like flow, the intruders first established an unauthorized presence in the operator’s environment, then located and accessed files containing personally identifiable information, and finally exfiltrated selected datasets from the network. The targeted assets appear to be administrative and customer information systems holding names, Social Security numbers, dates of birth, and government ID numbers, which can be monetized through identity theft and fraud. The operational goal of the actors was not to disrupt gaming or hospitality services as an end in itself, but to obtain leverage for ransom payment and to profit from or threaten exposure of high-value personal data, as evidenced by the posting of sample records on a dark web leak site and the subsequent regulatory disclosure.


Risk Scenario

Risk Scenario

A financially motivated ransomware group compromises the casino–hotel–racetrack operator’s network, encrypts systems, and exfiltrates customer identity data, leading to regulatory reporting obligations, incident-response and recovery costs, potential identity-fraud impacts on customers, and reputational damage to the organization.


Threat

A cybercriminal ransomware group (e.g., Qilin or a similar financially motivated collective) targeting organizations that hold large volumes of high-value personally identifiable information and are likely to pay to avoid operational disruption and public exposure.


Method

The threat actor gains unauthorized access to the operator’s network, moves to systems storing customer PII, exfiltrates that data, and deploys ransomware to encrypt or otherwise compromise files, then uses both operational disruption and the threat of data leakage to extort payment.


Asset

Primary assets include the organization’s production network and servers that store or process customer identity data (names, Social Security numbers, dates of birth, and government ID or driver’s license numbers), along with supporting systems and backups that, if compromised or encrypted, can affect regular casino, hotel, and racetrack operations.


Impact

If the scenario materializes, the organization may incur direct costs for incident response, forensic analysis, system restoration, and credit monitoring, along with regulatory reporting and oversight, potential legal costs and settlements, customer churn due to loss of trust, and downstream harm to affected individuals whose identity data can be abused for fraud and account takeover.

 

Evidentiary Basis for Synopsis and Recommendations

Supporting observations from the analysis help clarify how the threat landscape, control environment, and organizational behaviors interact to shape overall risk exposure. These insights provide the foundation for identifying where controls perform well, where gaps or weaknesses create unnecessary vulnerability, and how attacker methods intersect with real-world operational conditions. Building on these findings, the recommendations that follow focus on strengthening resilience, improving decision-making, and guiding readers toward practical steps that enhance both security posture and risk-informed governance.


FAIR Breakdown

Threat Event Frequency (TEF)

Because the OSINT describes a specific ransomware and data-exfiltration incident at a single entertainment venue rather than broad sector statistics, TEF must be inferred from the prevalence of similar campaigns, the attractiveness of casinos and hospitality providers, and the demonstrated success of groups like Qilin. For a comparable organization, TEF for serious ransomware–plus–exfiltration events is estimated at approximately two events per year, reflecting ongoing targeting of PII-rich environments.


Contact Frequency (CF)

Casinos and hospitality operators with internet-facing services and rich identity data are regularly probed by automated scanning, phishing, and access attempts from multiple ransomware crews and affiliates; CF is therefore likely moderate-to-high. In practice, this can mean frequent background contact (dozens of automated probes per week) but relatively fewer high-effort campaigns that progress far enough to pose a serious threat to large-scale data compromise.


Probability of Action (PoA)

Once an actor like Qilin has a meaningful foothold in a PII-rich environment, PoA is high because they are strongly incentivized to move quickly to discover, exfiltrate, and encrypt valuable data to maximize extortion leverage. The presence of exfiltrated PII and posted samples on a dark web portal indicates that, when contact becomes substantive, the actor follows through with data theft and ransom operations rather than disengaging.


Threat Capability (TCap)

TCap is high, as the attack demonstrates the ability to compromise a production environment, identify and access sensitive PII, exfiltrate that data, and execute a successful ransomware operation against a live business.


Exploit sophistication: The compromise of a casino’s network and subsequent exfiltration of structured identity data imply at least moderately sophisticated intrusion skills, including the ability to navigate internal systems and locate high-value files.


Bypass ability: Successful unauthorized access and large-scale PII compromise indicate the actors could evade or work around existing preventive and detective controls long enough to stage and exfiltrate data.


Tooling maturity: Established ransomware groups typically maintain reusable tooling for intrusion, exfiltration, and encryption, as well as leak-site infrastructure; the dark web portal and staged screenshots suggest a mature operational toolkit.


Campaign success rate: While not every intrusion attempt will succeed, the presence of at least one confirmed compromise with PII exposure indicates a nontrivial success rate against similarly configured targets.


Attack path sophistication: The attack path likely included initial compromise, privilege escalation or lateral movement, data repository discovery, exfiltration, and ransomware deployment, reflecting a multi-step, coordinated intrusion rather than a simple one-step compromise.


Cost to run attack: For a professional ransomware group, the marginal cost of running additional campaigns against similar targets is moderate, given shared infrastructure, tooling, and playbooks; the potential ransom and data-monetization upside makes such operations highly feasible.


Control Strength (CS)

Typical casinos and hospitality operators have a mix of legacy systems, third-party services, and regulatory obligations that drive some security controls. Still, the success of this incident suggests control strength was only moderate relative to the threat capability. Network compromise, data exfiltration, and successful ransomware deployment all indicate limitations in preventive, detective, and response capabilities.


Resistive Strength (RS): effectiveness of preventive/detective controls

  • Existing network and endpoint protections did not prevent an unauthorized third party from compromising the network environment, implying gaps in access control, segmentation, or endpoint protection.

  • The organization detected a “data security incident” and activated its response plan, suggesting some monitoring and incident-response capabilities were in place, though they were insufficient to prevent exfiltration of PII.

  • Engagement of third-party cybersecurity experts and subsequent hardening steps indicate that prior safeguards were incomplete or not tuned to withstand a capable ransomware group.


Control Failure Rate

  • An unauthorized party was able to access files containing PII, indicating insufficient access control, data segmentation, or encryption of sensitive customer records.

  • The exfiltration and later posting of PII on the leak site suggest monitoring, DLP, or egress-control limitations that allowed large volumes of sensitive data to leave the environment undetected or too late to prevent exposure.

  • The successful ransomware operation implies weaknesses in backup resilience, endpoint hardening, or least-privilege enforcement that allowed actors to encrypt or otherwise compromise critical systems.


Susceptibility

Given the high threat capability and only moderate overall control strength, susceptibility for a similar organization is estimated at approximately 60 percent, meaning that when a capable ransomware group meaningfully engages the environment, there is a substantial chance that assets will be harmed.

Probability the asset will be harmed is influenced by:


Exploitability: Estimated at around 60–70 percent, as ransomware crews routinely exploit unpatched systems, weak remote access controls, or social engineering to gain footholds in PII-rich environments.

Attack surface: Casinos and hospitality operators typically expose multiple services (hotel booking, loyalty programs, payment systems), creating a broad attack surface that increases the chance that at least one path is exploitable.

Exposure conditions: The interconnected nature of gaming, hotel, and back-office systems, combined with third-party integrations, increases exposure if segmentation is weak or monitoring is limited.

Patch status: The OSINT does not specify the vulnerability path; however, successful ransomware intrusion often correlates with inconsistent patch management and legacy systems, reducing resistance unless specifically addressed.


Numerical Frequencies and Magnitudes

All values relating to actual dollar amounts are for example/speculative purposes only. Organizations would need to take into account their own asset values, control strength, telemetry, etc., and adjust numbers accordingly.


Loss Event Frequency (LEF)

0.8/year (estimated)

  • Justification: TEF for serious ransomware–plus–exfiltration events is approximated at 2/year for a comparable PII-rich entertainment operator, with vulnerability (probability of harm per meaningful contact) around 0.4, yielding roughly 0.8 realized loss events per year on average.

Vulnerability (probability of harm per contact): 0.4

  • Justification: Not every contact or intrusion attempt results in both data theft and disruptive ransomware, but demonstrated compromise indicates a significant success rate when actors gain a foothold.


Secondary Loss Event Frequency

0.4/year (estimated)

  • Justification: Not all primary compromises lead to secondary events such as regulatory penalties, lawsuits, or significant customer churn, but identity-data breaches frequently trigger such outcomes; assuming roughly half of primary events escalate to secondary loss yields 0.4 per year.


Loss Magnitude

Estimated range:

  • Min: $50,000

  • Most Likely: $400,000

  • Maximum: $2,500,000

Justification:

  • Minimum reflects internal investigation, containment, limited restoration, and basic notification efforts even for a relatively minor incident.

  • Most likely includes extended incident response and forensics, broader notification costs, 12-month credit monitoring for affected individuals, legal counsel, and operational disruption.

  • Maximum represents a large-scale event with extensive data exposure, significant operational disruption, and high incident-response and restoration costs, but without assuming catastrophic fines or class-action settlements.


Secondary Loss Magnitude (SLM)

Estimated range:

  • Min: $100,000

  • Most Likely: $1,000,000

  • Maximum: $5,000,000

Justification:

  • Secondary losses include regulatory investigations, potential fines or settlements, litigation, reputational damage that drives customer attrition, and increased costs of capital or insurance.

  • Maximum bounds account for higher-impact regulatory or legal outcomes and more pronounced reputational harm for a regional entertainment brand that depends heavily on customer trust.
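
The figures above can be combined into an annualized loss distribution with a short Monte Carlo run. The following is an added example, not part of the original analysis: it assumes Poisson-distributed event counts, PERT-shaped loss magnitudes (shape parameter 4), and that each primary event escalates to a secondary loss with probability 0.5, matching the "roughly half" assumption stated above. All function and constant names are illustrative.

```python
import math
import random

# Inputs copied from the example estimates in this section.
TEF = 2.0                  # threat events per year
VULNERABILITY = 0.4        # probability of harm per contact
P_SECONDARY = 0.5          # share of primary events that escalate (assumed from "roughly half")
PRIMARY_LM = (50_000, 400_000, 2_500_000)        # min, most likely, max
SECONDARY_LM = (100_000, 1_000_000, 5_000_000)   # min, most likely, max


def pert_mean(low, mode, high, lam=4.0):
    """Mean of a PERT distribution with shape parameter lam."""
    return (low + lam * mode + high) / (lam + 2.0)


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one loss from a PERT distribution (a rescaled beta)."""
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, rate):
    """Knuth's method; adequate for the small rates used here."""
    threshold = math.exp(-rate)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def expected_annual_loss():
    """Closed-form check: LEF x mean primary + SLEF x mean secondary."""
    lef = TEF * VULNERABILITY            # 0.8 loss events per year
    slef = lef * P_SECONDARY             # 0.4 secondary events per year
    return lef * pert_mean(*PRIMARY_LM) + slef * pert_mean(*SECONDARY_LM)


def simulate(years=20_000, seed=1):
    """Return one total loss figure per simulated year."""
    rng = random.Random(seed)
    lef = TEF * VULNERABILITY
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson_sample(rng, lef)):
            total += pert_sample(rng, *PRIMARY_LM)
            if rng.random() < P_SECONDARY:   # event escalates to secondary loss
                total += pert_sample(rng, *SECONDARY_LM)
        losses.append(total)
    return losses


def summarize(losses):
    """Mean, share of loss-free years, and selected percentiles."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "mean": sum(ordered) / n,
        "p_no_loss": sum(1 for x in ordered if x == 0.0) / n,
        "p50": ordered[n // 2],
        "p90": ordered[int(0.90 * n)],
        "p99": ordered[int(0.99 * n)],
    }


if __name__ == "__main__":
    print(f"analytic expected annual loss: ${expected_annual_loss():,.0f}")
    for key, value in summarize(simulate()).items():
        print(f"{key:>10}: {value:,.3f}" if key == "p_no_loss" else f"{key:>10}: ${value:,.0f}")
```

The percentiles, rather than the mean alone, are what belong in the risk register: the tail years, where several events occur and escalate, drive the upper end of the loss range.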


Mapping, Controls, and Modeling


MITRE ATT&CK Mapping

Collection

T1005 – Data from Local System

Reference: “The investigation determined that certain files containing personal information (PII) could have been compromised. Impacted data elements vary for each individual – the following personal information for your state’s residents could have been impacted by this incident: name, Social Security number, date of birth, and drivers license number.”

Exfiltration

T1567.003 – Exfiltration to Exfiltration Site

Reference: “The breach was allegedly carried out through a ransomware attack attributed to the Qilin group… Qilin claimed responsibility for the attack and posted sample screenshots of the stolen data on their dark web portal on Sept. 8, 2025, indicating that the compromised information may have been exposed to malicious actors.”

Impact

T1486 – Data Encrypted for Impact

Reference: “Running Aces Casino, Hotel & Racetrack… recently experienced a significant data breach involving sensitive customer information. The breach was allegedly carried out through a ransomware attack attributed to the Qilin group, a known cybercriminal organization.”


NIST 800-53 Affected Controls

AC-3 — Access Enforcement

Unauthorized compromise of the network environment.

Reference: “On August 14, 2025, RA detected a data security incident in which an unauthorized third party compromised RA’s network environment.” This activity directly challenges AC-3’s objective to ensure that only authorized subjects can access systems and data, indicating that access enforcement controls were bypassed or insufficient to prevent an intruder from reaching sensitive assets.

SI-4 — System Monitoring

Detection of a data security incident after compromise.

Reference: “On August 14, 2025, RA detected a data security incident in which an unauthorized third party compromised RA’s network environment.” The fact that a compromise occurred but was eventually detected implies that system monitoring was present but not sufficiently robust to prevent or detect malicious activity before sensitive files were accessed and exfiltrated, highlighting the importance of strong, continuous monitoring as required by SI-4.

IR-4 — Incident Handling

Execution of incident response and containment activities.

Reference: “RA immediately initiated its response plan, began measures to contain and mitigate the incident, engaged additional third-party experts, enhanced its data security, and commenced an investigation.” These actions align with IR-4’s requirement to implement incident handling that includes preparation, detection, and analysis; containment, eradication, and recovery; and the need for such a response underscores that pre-incident controls were insufficient to prevent a breach of PII.

IR-6 — Incident Reporting

Regulatory notification and communication to affected individuals.

Reference: “Notification letters will be mailed to these individuals which will provide information regarding this incident… RA also notified law enforcement regarding this incident… The incident was first discovered on Aug. 14, 2025, and was later disclosed in a notice to the Idaho Attorney General on Nov. 24, 2025.” These activities reflect the requirements in IR-6 to report incidents to designated authorities and stakeholders; the breach pressures organizations to ensure their reporting processes and timelines meet legal and policy expectations.

CP-10 — System Recovery and Reconstitution

Recovery after compromise by ransomware.

Reference: “RA immediately initiated its response plan, began measures to contain and mitigate the incident, engaged additional third-party experts, enhanced its data security, and commenced an investigation.” A ransomware incident that compromises operational systems and data stresses CP-10’s objective of recovering and reconstituting systems to a known good state after disruption or compromise, and highlights the need for tested recovery capabilities to restore business operations and data integrity following such attacks.

AU-6 — Audit Record Review, Analysis, and Reporting

Use of logs and investigation to determine the scope and affected individuals.

Reference: “Once potentially impacted files were identified, RA undertook a detailed and time-consuming review of those files to determine which may potentially contain PII. RA then engaged a specialized data review expert to review that data and identify individuals whose PII may have been accessed or acquired by the unauthorized party.” This post-incident analysis depends on effective logging and record review as required by AU-6; the extensive review effort illustrates both the importance of meaningful audit data and the potential strain when logging and data classification are not optimized before a breach occurs.


Monitoring, Hunting, Response, and Reversing

Monitoring

Monitoring should prioritize end-to-end visibility around unauthorized access to PII stores and ransomware staging by aggregating telemetry from network (east–west and egress flows, VPN and remote access), endpoints and servers (process creation, file access, encryption-like behavior), identity (authentication, privilege escalation, anomalous account use), email (phishing leads), and DNS/proxy (suspicious domains and data-transfer patterns), with cloud and SaaS logs included wherever customer data or backups reside. Logging levels on systems holding PII and backups should be raised to capture detailed file access, permission changes, mass read/write, encryption-like I/O, and large outbound transfers, with retention sufficient to reconstruct multi-week campaigns. Key indicators include anomalous access to identity-data tables or file shares, sudden spikes in file modifications or compress/encrypt utilities, unusual authentication from new locations or devices, data moving to unfamiliar external endpoints, and any host contacting known ransomware leak-site or C2 infrastructure. Gaps exposed by the incident include insufficient visibility into which accounts accessed PII, limited egress and DLP monitoring, and inadequate telemetry from backup infrastructure. Correlation logic should link abnormal logins to PII access and outbound data volumes, alert on combinations such as privileged access plus large file reads plus atypical egress, and set lower thresholds for systems tagged as “identity-data critical,” while tuning to suppress expected batch or backup jobs. 
Dashboards should surface PII-access anomalies by system and account, ransomware-behavior scores by host, exfiltration risk by segment, and time-to-detection metrics, and validation should use tabletop or simulated attacks (e.g., test hosts performing scripted mass access and mock exfiltration) to confirm that alerts fire at the intended sensitivity and that analysts can quickly identify and scope a similar intrusion.
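
The correlation logic described above (privileged access plus large file reads plus atypical egress, lower thresholds for "identity-data critical" systems, suppression of expected backup jobs) can be sketched as follows. This is an added example, not part of the original analysis: the event schema, host and account names, thresholds, and the one-hour window are all assumptions, and the telemetry is constructed sample data.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # correlation window (assumed)
MB = 1024 ** 2

# Assumed thresholds per asset tag; systems holding identity data alert earlier.
THRESHOLDS = {
    "default": {"files_read": 5000, "egress_bytes": 2048 * MB},
    "identity-data-critical": {"files_read": 500, "egress_bytes": 200 * MB},
}
ASSET_TAGS = {
    "crm-db01": "identity-data-critical",
    "hr-fs02": "identity-data-critical",
    "web01": "default",
}
EXPECTED_JOBS = {("svc-backup", "crm-db01")}     # (account, host) pairs to suppress
KNOWN_DESTINATIONS = {"backup.vendor.example"}   # familiar egress endpoints


def _t(hhmm):
    """Timestamp helper for the constructed sample events."""
    return datetime.fromisoformat(f"2025-01-01T{hhmm}:00")


# Constructed sample telemetry: identity, file-access and egress events.
EVENTS = [
    # Scheduled backup: heavy reads and egress, but an expected job.
    {"ts": _t("01:00"), "type": "privileged_logon", "account": "svc-backup", "host": "crm-db01"},
    {"ts": _t("01:05"), "type": "file_read", "account": "svc-backup", "host": "crm-db01", "count": 40000},
    {"ts": _t("01:30"), "type": "egress", "host": "crm-db01", "dest": "backup.vendor.example", "bytes": 5120 * MB},
    # Admin account on a critical host: modest volumes, unfamiliar destination.
    {"ts": _t("02:10"), "type": "privileged_logon", "account": "adm-jlee", "host": "crm-db01"},
    {"ts": _t("02:20"), "type": "file_read", "account": "adm-jlee", "host": "crm-db01", "count": 500},
    {"ts": _t("02:25"), "type": "file_read", "account": "adm-jlee", "host": "crm-db01", "count": 300},
    {"ts": _t("02:45"), "type": "egress", "host": "crm-db01", "dest": "198.51.100.23", "bytes": 350 * MB},
    # Same volumes on an untagged web host: below the default thresholds.
    {"ts": _t("03:00"), "type": "privileged_logon", "account": "adm-mross", "host": "web01"},
    {"ts": _t("03:10"), "type": "file_read", "account": "adm-mross", "host": "web01", "count": 800},
    {"ts": _t("03:20"), "type": "egress", "host": "web01", "dest": "203.0.113.9", "bytes": 350 * MB},
    # Critical host with privileged reads but no egress: only two of three signals.
    {"ts": _t("04:00"), "type": "privileged_logon", "account": "adm-kchan", "host": "hr-fs02"},
    {"ts": _t("04:15"), "type": "file_read", "account": "adm-kchan", "host": "hr-fs02", "count": 900},
]


def correlate(events, asset_tags=ASSET_TAGS):
    """Alert when a privileged logon is followed, on the same host and within
    WINDOW, by file reads from that account and egress to an unfamiliar
    destination that both exceed the thresholds for the host's tag."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for logon in (e for e in events if e["type"] == "privileged_logon"):
        account, host = logon["account"], logon["host"]
        if (account, host) in EXPECTED_JOBS:
            continue  # tuned out: known batch or backup job
        end = logon["ts"] + WINDOW
        in_window = [e for e in events
                     if e["host"] == host and logon["ts"] <= e["ts"] <= end]
        files_read = sum(e["count"] for e in in_window
                         if e["type"] == "file_read" and e["account"] == account)
        egress_bytes = sum(e["bytes"] for e in in_window
                           if e["type"] == "egress"
                           and e["dest"] not in KNOWN_DESTINATIONS)
        tag = asset_tags.get(host, "default")
        limits = THRESHOLDS[tag]
        if files_read >= limits["files_read"] and egress_bytes >= limits["egress_bytes"]:
            alerts.append({"account": account, "host": host, "tag": tag,
                           "window_start": logon["ts"],
                           "files_read": files_read,
                           "egress_bytes": egress_bytes})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only the `adm-jlee` activity on `crm-db01` alerts; the identical volumes on `web01` stay below the default thresholds, which is the effect of tagging PII systems for lower thresholds.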


Hunting

Hunting should start from the hypotheses that a financially motivated group has obtained unauthorized access to internal systems storing PII, staged or executed encryption, and exfiltrated data to external infrastructure, and that similar tradecraft may persist undetected in adjacent environments. Analysts should pivot across endpoint, network, identity, DNS, email, and any cloud-storage telemetry to search for patterns such as unusual access to PII repositories, suspicious archiving or encryption utilities running on servers, anomalous logins to privileged accounts, and outbound connections or data flows to rare destinations that align with leak-site or exfil behavior. Detection logic for hunts should focus on behavioral signatures such as mass file access on PII shares, rapid read–compress–delete sequences, anomalous RDP or remote-management use on data servers, and large or time-skewed transfers from PII segments, rather than on fixed indicators alone. Noise-to-signal management will require scoping hunts to tagged “high-value PII systems,” excluding known backup and ETL jobs, and iteratively tuning queries so that routine operations do not drown out rare patterns resembling staging or execution of ransomware, plus data theft.


Response

Response should be guided by complete visibility into authentication logs, file and database access records for PII stores, endpoint process and persistence telemetry on compromised hosts, network captures for exfiltration windows, and backup and recovery logs to determine what was encrypted, restored, or lost. Expected artifacts include accounts used for unauthorized access, systems that touched PII during the intrusion window, traces of data collection and staging (archives or temporary storage), possible encryption tooling and ransom notes, and evidence of outbound transfers to external infrastructure. Even if no explicit anti-forensic behavior is described, responders should assume possible log tampering, artifact deletion, or time-stomping on compromised hosts and validate the integrity of key logs accordingly. Reconstruction should build a timeline from initial unauthorized access through privilege changes, PII data discovery and access, exfiltration actions, and any encryption events, using DFIR findings to refine FAIR loss estimates for event frequency, scope of records affected, and likely primary and secondary loss ranges. Likely containment will involve isolating affected systems and network segments, disabling or rotating compromised accounts and credentials, blocking malicious destinations, validating backups, and selectively rebuilding systems that processed PII. Priority artifacts include identity logs for privileged accounts accessing PII, file and database access logs on identity-data systems, exfiltration-related network and DNS logs, and backup job records to confirm whether PII and restore points were affected. Telemetry requirements exposed by the case include stronger logging and tagging of PII assets, more explicit linkage between identity events and data access, and better instrumentation at egress points. 
DFIR validation should also use post-incident red-teaming or controlled simulations to confirm that similar attacks are detected sooner and leave sufficient evidence for rapid scoping and improved FAIR modeling.


Reverse Engineering

Where ransomware or tooling samples are available, reverse engineering should focus on how the loader discovers PII repositories and file shares, how it packages and stages data for exfiltration, and how it initiates encryption on targeted systems, so defenders can map behaviors to concrete detections. Analysts should document evasion techniques such as checks for specific processes, attempts to circumvent standard endpoint controls, throttled encryption to avoid behavioral heuristics, or selective targeting to minimize operational noise. Persistence mechanisms, including services, scheduled tasks, and registry and configuration changes, that ensure ongoing access to PII systems should be cataloged to support hardening and post-incident cleanup. Indicators should include file names, process behaviors, mutexes, protocol usage, file-extension patterns, and any distinctive network beacons or handshake sequences used during staging and exfiltration of data to external infrastructure. Dynamic analysis hooks should prioritize file I/O patterns on PII-like structures, process-tree behavior around archiving and encryption modules, and outbound connections to command, staging, or leak infrastructure. In contrast, static analysis should map configuration blocks, hard-coded targets, and modular components to indicate how easily the tooling can be adapted to other environments. Additional reverse engineering work should explore whether the malware distinguishes between operating systems and PII repositories, whether it includes logic to disable backups or shadow copies, and how configuration and encryption keys are managed, thereby enabling more precise detections, response playbooks, and updated FAIR assumptions about threat capability and likely impact.


CTI

CTI recommendations should align PIRs to confirm whether the actor is systematically targeting casinos, hospitality, and entertainment organizations in relevant geographies or partner ecosystems, how often similar ransomware-plus-exfiltration campaigns recur against PII-rich operators, which TTPs (e.g., data discovery, exfiltration, encryption, leak-site publication) are consistently observed, and which specific assets, such as customer databases, loyalty-program systems, or backup environments, are repeatedly in scope. SIR evaluation should prioritize filling gaps in IOC coverage (infrastructure, malware hashes, leak-site references), acquiring representative samples of the ransomware and any associated tools, mapping relationships among infrastructure used for intrusion, exfiltration, and data exposure, clarifying attribution confidence for this and related events, and specifying what logs and telemetry (identity, data access, egress) are needed to validate suspected activity internally. Collection efforts should systematically monitor vendor and regulator reporting, security blogs, and technical OSINT; maintain internal telemetry feeds tagged for PII systems; participate in sector ISAC/ISAO sharing; track dark-web channels and leak sites associated with relevant groups; leverage malware repositories and sandbox analysis; and ensure network and endpoint data for PII segments is retained at a depth that supports threat intelligence and DFIR. Mapping and analytic work should cluster infrastructure and campaigns to see whether this incident fits into a broader pattern, map observed behaviors to ATT&CK for consistent TTP tracking, compare with historical incidents to understand trend lines in targeting and capability, and explicitly rate confidence in all analytic judgments while identifying where further evidence is needed to validate or refute existing hypotheses about actor focus, recurrence, and likely future impact.


GRC and Testing

Governance

Governance should focus on tightening policies and oversight around the protection of PII and resilience against ransomware by ensuring data classification, access control, monitoring, backup, and incident-response policies explicitly cover high-value customer identity systems and backup environments, with clear ownership and escalation paths. Oversight functions (risk committee, security steering group, data-privacy office) should review the Qilin-style scenario at least annually, verify that RA-family risk assessments incorporate updated TEF/LEF and loss ranges, and ensure PM and PL family governance documents (security program plans, system security plans, continuity plans) explicitly model a combined exfiltration-plus-encryption event impacting PII. The risk register should add or update entries for “ransomware with PII exfiltration against casino/hospitality operations,” including drivers, controls, residual risk, and planned remediation. It should link to monitoring, incident handling, and recovery gaps already observed. Board and executive communication should standardize scenario-based reporting: concise updates on current ransomware and data-theft exposure, status of key NIST 800-53 control families (AC, SI, IR, CP, AU, PL, PM, RA), readiness to meet regulatory and customer-notification obligations, and tracking of agreed risk-treatment actions with deadlines and accountable owners.


Audit and Offensive Security Testing

Audit and offensive security testing should explicitly trace prior findings to the Qilin-style threat, emphasizing whether weaknesses in access enforcement, monitoring, segmentation, backup protection, and incident handling align with what the incident exposed, and where evidence gaps (missing logs, unclear data flows, weak data lineage) leave the organization blind to similar intrusions. Internal and external audits should test that policies and controls for PII protection, ransomware response, and regulatory reporting are implemented and effective, not merely documented, with specific attention to AC-3, SI-4, AU-6, IR-4, IR-6, and CP-10 equivalents. Red-team exercises should attempt full-chain scenarios (initial foothold, lateral movement to PII stores, data staging, exfiltration, and simulated encryption) to validate real-world exploitability and response, while purple-team engagements translate each step into tuned detections and playbooks. Penetration-testing scope should prioritize systems and networks holding PII and backups, third-party integrations, and egress paths, with explicit goals to reproduce access to identity data and to test whether exfiltration or encryption attempts are detected and contained. All tests should end with clear control-validation outcomes, mapping exploited weaknesses and successful detections back to controls and risk scenarios so governance, operations, and FAIR modeling stay aligned.


Awareness Training

Awareness training should assume that both human behavior and technical weaknesses can contribute to ransomware-plus-exfiltration events and aim to reduce susceptibility by making staff more alert to behaviors that precede compromise and data theft, even where the precise initial vector is not known. Training content should emphasize careful handling of systems that handle customer identity data, recognizing unusual access requests, unexpected prompts to handle bulk data, atypical remote-access activity, and any urgent requests that could be precursors to misuse of privileged access. Role-specific modules should emphasize least-privilege and data-handling discipline for admins, fraud and identity-risk awareness for finance and loyalty-program staff, privacy and incident-escalation cues for customer-facing staff, and scenario-based decision-making for executives around ransom, disclosure, and communication. Updated simulations should mirror realistic high-risk interactions in the casino/hospitality context (e.g., unusual remote access to back-office systems, suspicious vendor or partner requests, changes to processes involving customer identity data) rather than relying solely on generic phishing. They should be paired with clear guidance on when and how to escalate concerns. Training programs should include regular reinforcement cycles, track metrics such as simulation performance, reporting rates, and repeat offenders, and feed those results back into FAIR susceptibility estimates and control-strength assumptions so human-layer risk is treated as a measurable, adjustable component of overall exposure.
