Based on the OP, I would have to say incredibly stupid IT dept, IT security and network teams even more so. If they can get into the aqua controller, and it's on a common subnet then they didn't isolate a vulnerable portion of their network. That means the hackers could have had access to the entire casino and potentially casino's holding company's intranet. Casino's should have at least level 4-4.4 security on their network. Stupid may not be a strong enough word here.