RCI Hospitality Faces Data Breach Exposing Sensitive Info

RCI Hospitality Faces Data Breach Exposing Sensitive Info

Posted on By CWS

RCI Hospitality Holdings, a prominent player in the adult nightclub industry, has reported a significant cybersecurity breach that compromised sensitive personal data. The incident was disclosed in a recent SEC filing, indicating a serious vulnerability in the company’s web systems.

Details of the Security Breach

The breach was traced back to March 19 and was discovered by the company’s subsidiary, RCI Internet Services, on March 23. An insecure direct object reference (IDOR) vulnerability within an IIS web server was identified as the culprit, enabling unauthorized access to sensitive information.

An investigation that concluded this month confirmed the breach impacted numerous independent contractors. Exposed data included names, birth dates, contact details, Social Security Numbers, and driver’s license numbers.

Impact on Business and Customers

According to RCI, there is no evidence that the compromised data has been publicly leaked, and the breach did not affect customer information or the company’s financial systems. Additionally, the company assured that its operations remain unaffected, with no anticipated material impact from the incident.

Despite the breach, the exact number of affected individuals remains unclear. RCI Hospitality operates a substantial network of adult nightclubs across the United States, including well-known brands like Rick’s and Tootsie’s, along with sports bars and dance clubs.

Understanding IDOR Vulnerabilities

IDOR vulnerabilities allow attackers to access unauthorized data by altering a web link or request. This flaw occurs when web applications use identifiers such as account numbers to fetch records without verifying user permissions. Consequently, attackers can change these parameters to access private information.

Although no cybercrime group has claimed responsibility for this attack, RCI’s characterization of the incident as ‘unauthorized access’ leaves room for speculation about possible involvement from security researchers. Past instances have shown that organizations sometimes label legitimate security research activities as unauthorized access, particularly during disputed vulnerability disclosures.

SecurityWeek is in contact with RCI Hospitality for further clarification, promising updates if more information becomes available.

Security Week News Tags:, , , , , , , , ,

Related Posts

Australian Man Sentenced to Prison for Wi-Fi Attacks at Airports and on Flights Australian Man Sentenced to Prison for Wi-Fi Attacks at Airports and on Flights Security Week News
1stProtect Launches with M Funding for Security Innovation 1stProtect Launches with $20M Funding for Security Innovation Security Week News
A Massive Telecom Threat Was Stopped Right As World Leaders Gathered at UN Headquarters in New York A Massive Telecom Threat Was Stopped Right As World Leaders Gathered at UN Headquarters in New York Security Week News
Reflectiz Raises Million for Website Security Solution Reflectiz Raises $22 Million for Website Security Solution Security Week News
Data Exposure Vulnerability Found in Deep Learning Tool Keras Data Exposure Vulnerability Found in Deep Learning Tool Keras Security Week News
Vodafone Germany Fined Million Over Privacy, Security Failures Vodafone Germany Fined $51 Million Over Privacy, Security Failures Security Week News