RCI Hospitality Holdings, a prominent player in the adult nightclub industry, has reported a significant cybersecurity breach that compromised sensitive personal data. The incident was disclosed in a recent SEC filing, indicating a serious vulnerability in the company’s web systems.
Details of the Security Breach
The breach was traced back to March 19 and was discovered by the company’s subsidiary, RCI Internet Services, on March 23. An insecure direct object reference (IDOR) vulnerability within an IIS web server was identified as the culprit, enabling unauthorized access to sensitive information.
An investigation that concluded this month confirmed the breach impacted numerous independent contractors. Exposed data included names, birth dates, contact details, Social Security Numbers, and driver’s license numbers.
Impact on Business and Customers
According to RCI, there is no evidence that the compromised data has been publicly leaked, and the breach did not affect customer information or the company’s financial systems. Additionally, the company assured that its operations remain unaffected, with no anticipated material impact from the incident.
Despite the breach, the exact number of affected individuals remains unclear. RCI Hospitality operates a substantial network of adult nightclubs across the United States, including well-known brands like Rick’s and Tootsie’s, along with sports bars and dance clubs.
Understanding IDOR Vulnerabilities
IDOR vulnerabilities allow attackers to access unauthorized data by altering a web link or request. This flaw occurs when a web application uses an identifier supplied by the client, such as an account number, to fetch a record without verifying that the requesting user is permitted to see that record. Consequently, attackers can change these parameters to access other users' private information.
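As an added illustration (not code from the article or from RCI's systems), the pattern described above in Python, using constructed contractor records and constructed access-log lines: a lookup that trusts the id from the request, a hardened lookup that checks ownership on every access, and a simple check that flags a user pulling many distinct ids from an access log.

```python
# Added example: IDOR-prone lookup, hardened lookup, and a log check for id walking.
from collections import defaultdict

# Constructed sample records keyed by a numeric id, as a request parameter would supply.
CONTRACTORS = {
    1001: {"owner": "alice", "name": "Alice A.", "ssn_last4": "1234"},
    1002: {"owner": "bob", "name": "Bob B.", "ssn_last4": "5678"},
}

class Forbidden(Exception):
    """Raised when the requester may not view the requested record."""

def get_contractor_vulnerable(record_id: int) -> dict:
    # Vulnerable pattern: the id from the request selects the record and nothing
    # checks who is asking, so any authenticated caller can walk through the ids.
    return CONTRACTORS[record_id]

def get_contractor(requester: str, record_id: int, is_admin: bool = False) -> dict:
    # Hardened pattern: authorize against the record's owner (or an admin role)
    # on every access, not only on the page that lists the user's own records.
    record = CONTRACTORS.get(record_id)
    if record is None or (record["owner"] != requester and not is_admin):
        # Same outcome for "missing" and "not yours" so ids cannot be probed.
        raise Forbidden("not authorized")
    return record

def can_view(requester: str, record_id: int, is_admin: bool = False) -> bool:
    # Boolean wrapper around the hardened lookup, convenient for tests and checks.
    try:
        get_contractor(requester, record_id, is_admin)
        return True
    except Forbidden:
        return False

# Constructed log lines in the form "<user> <method> <path> <status>".
SAMPLE_LOG = [
    "alice GET /contractors/1001 200",
    "bob GET /contractors/1002 200",
    "bob GET /contractors/1001 200",
    "bob GET /contractors/1003 200",
    "bob GET /contractors/1004 200",
]

def flag_id_walkers(log_lines, threshold: int = 3) -> set:
    # Detection: count the distinct record ids each user touched; a single user
    # requesting many different ids is the signature of IDOR enumeration.
    seen = defaultdict(set)
    for line in log_lines:
        user, _method, path, _status = line.split()
        seen[user].add(path.rsplit("/", 1)[-1])
    return {user for user, ids in seen.items() if len(ids) >= threshold}
```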
Although no cybercrime group has claimed responsibility for this attack, RCI’s characterization of the incident as ‘unauthorized access’ leaves room for speculation about possible involvement from security researchers. Past instances have shown that organizations sometimes label legitimate security research activities as unauthorized access, particularly during disputed vulnerability disclosures.
SecurityWeek is in contact with RCI Hospitality for further clarification, promising updates if more information becomes available.
