RCI Hospitality Says Data Breach Exposed Information of 40,000 Individuals
RCI Hospitality Holdings has disclosed that a data breach first reported in April impacted approximately 40,000 individuals.
The company, one of the largest operators of adult entertainment venues in the United States, also owns a portfolio of sports bars and dance clubs.
In a filing with the U.S. Securities and Exchange Commission (SEC) in April, RCI revealed that its subsidiary, RCI Internet Services, discovered an Insecure Direct Object Reference (IDOR) vulnerability in an IIS web server on March 23. The flaw allowed unauthorized parties to access personal information stored on the system.
IDOR vulnerabilities occur when an application accepts a reference to an object (for example a record ID in a URL or request parameter) but fails to verify that the requesting user is authorized to access that particular object, so an attacker can reach other people's data simply by changing the value.
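The following is an added illustration of the vulnerability class described above, not code from RCI or from the affected server: a minimal record lookup in which the vulnerable handler trusts the record ID in the request, beside a hardened handler that checks ownership. The record store, account names and field values are constructed for the example.

```python
# Added example: a minimal model of an IDOR in a record-lookup handler.
# Records keyed by numeric id stand in for the per-contractor files on the
# server; the session user is assumed to be already authenticated upstream.
from dataclasses import dataclass


@dataclass(frozen=True)
class Contractor:
    record_id: int
    owner: str        # account permitted to read this record
    name: str
    ssn_last4: str    # constructed sample value, not real data


# Constructed sample store (hypothetical data).
RECORDS = {
    101: Contractor(101, "alice", "Alice Example", "1234"),
    102: Contractor(102, "bob", "Bob Example", "5678"),
}


class Forbidden(Exception):
    pass


def fetch_record_vulnerable(session_user: str, record_id: int) -> Contractor:
    """IDOR: the caller is authenticated, but nothing checks who owns record_id,
    so any logged-in user can read any record by changing the id."""
    if record_id not in RECORDS:
        raise Forbidden(record_id)
    return RECORDS[record_id]


def fetch_record_hardened(session_user: str, record_id: int) -> Contractor:
    """Authorization check: the record must belong to the session user.
    Missing and foreign records get the same error, so a client cannot
    enumerate valid ids by telling 'not found' apart from 'not yours'."""
    record = RECORDS.get(record_id)
    if record is None or record.owner != session_user:
        raise Forbidden(record_id)
    return record


def can_read(handler, session_user: str, record_id: int) -> bool:
    """True if the handler hands the record to this user (used for checks)."""
    try:
        handler(session_user, record_id)
        return True
    except Forbidden:
        return False
```

The hardened version also applies when ownership is not a single field: the rule is that the server, not the client-supplied ID, decides which objects the session may see.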
RCI previously stated that the exposed data belonged to numerous independent contractors and included names, contact information, dates of birth, Social Security numbers, and driver's license details.
According to notification letters sent to affected individuals, the company's review of the compromised files was completed on May 13. The Federal Bureau of Investigation (FBI) has been notified, and RCI says it will cooperate with any law enforcement investigation.
This week, the company informed the Maine Attorney General's Office that more than 40,000 individuals were affected by the incident.
The identity of the attacker remains unknown, and no ransomware group or other threat actor has publicly claimed responsibility for the breach.