RCI Hospitality Faces Data Breach Exposing Sensitive Info

RCI Hospitality Faces Data Breach Exposing Sensitive Info

Posted on By CWS

RCI Hospitality Holdings, a prominent player in the adult nightclub industry, has reported a significant cybersecurity breach that compromised sensitive personal data. The incident was disclosed in a recent SEC filing, indicating a serious vulnerability in the company’s web systems.

Details of the Security Breach

The breach was traced back to March 19 and was discovered by the company’s subsidiary, RCI Internet Services, on March 23. An insecure direct object reference (IDOR) vulnerability within an IIS web server was identified as the culprit, enabling unauthorized access to sensitive information.

An investigation that concluded this month confirmed the breach impacted numerous independent contractors. Exposed data included names, birth dates, contact details, Social Security Numbers, and driver’s license numbers.

Impact on Business and Customers

According to RCI, there is no evidence that the compromised data has been publicly leaked, and the breach did not affect customer information or the company’s financial systems. Additionally, the company assured that its operations remain unaffected, with no anticipated material impact from the incident.

Despite the breach, the exact number of affected individuals remains unclear. RCI Hospitality operates a substantial network of adult nightclubs across the United States, including well-known brands like Rick’s and Tootsie’s, along with sports bars and dance clubs.

Understanding IDOR Vulnerabilities

IDOR vulnerabilities allow attackers to access unauthorized data by altering a web link or request. This flaw occurs when web applications use identifiers such as account numbers to fetch records without verifying user permissions. Consequently, attackers can change these parameters to access private information.

Although no cybercrime group has claimed responsibility for this attack, RCI’s characterization of the incident as ‘unauthorized access’ leaves room for speculation about possible involvement from security researchers. Past instances have shown that organizations sometimes label legitimate security research activities as unauthorized access, particularly during disputed vulnerability disclosures.

SecurityWeek is in contact with RCI Hospitality for further clarification, promising updates if more information becomes available.

Security Week News Tags:, , , , , , , , ,

Related Posts

Dozens of Major Data Breaches Linked to Single Threat Actor Dozens of Major Data Breaches Linked to Single Threat Actor Security Week News
Verisoul Raises .8 Million for Fraud Prevention Verisoul Raises $8.8 Million for Fraud Prevention Security Week News
McDonald’s Chatbot Recruitment Platform Leaked 64 Million Job Applications McDonald’s Chatbot Recruitment Platform Leaked 64 Million Job Applications Security Week News
Fighting the Cyber Forever War: Born Defense Blends Investment Strategy with Just War Principles Fighting the Cyber Forever War: Born Defense Blends Investment Strategy with Just War Principles Security Week News
Black Hat USA 2025 – Summary of Vendor Announcements (Part 1) Black Hat USA 2025 – Summary of Vendor Announcements (Part 1) Security Week News
Chrome 137 Update Patches High-Severity Vulnerabilities Chrome 137 Update Patches High-Severity Vulnerabilities Security Week News