Cyber Incident Victim: RCI Hospitality Holdings
Date: Mar 2026
Location: United States of America
Summary
RCI Hospitality Holdings disclosed a cybersecurity incident in which an insecure direct object reference vulnerability in an IIS web server at its RCI Internet Services subsidiary allowed unauthorized access to personal information of numerous independent contractors, including names, dates of birth, contact details, Social Security numbers and driver’s license numbers. The company stated that no customer data or financial systems were accessed, the information has not been publicly disseminated, and business operations remain unaffected with no anticipated material impact. While no known cybercrime group has claimed responsibility, the possibility that the activity originated from a security researcher was noted.
Description
On March 19, 2026, an insecure direct object reference (IDOR) vulnerability in an IIS web server used by RCI Hospitality Holdings’ RCI Internet Services subsidiary was first exploited, allowing an unauthorized actor to access personal information stored on the server. The subsidiary discovered the breach on March 23, 2026, and launched an investigation that was concluded earlier in April 2026; the company filed a formal disclosure with the Securities and Exchange Commission on April 14, 2026. The vulnerability permitted access simply by altering an identifier in a web request, enabling the attacker to retrieve records without proper authorization checks. According to the SEC filing, the exposed data included names, dates of birth, contact information, Social Security numbers, and driver’s license numbers of numerous independent contractors associated with the company. RCI Hospitality emphasized that no customer information, financial systems, or other business-critical data were accessed during the incident. The company also stated that its business operations continued unaffected and that it does not anticipate the breach will have a material financial impact.
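
For defenders reviewing their own IIS logs for the access pattern described above (one client retrieving many different records by changing an identifier), the following added example, which is not taken from the SEC filing or from RCI, flags clients that were served an unusual number of distinct identifier values on a single endpoint. The endpoint path, the `id` parameter name, the logged field selection, the threshold and every log line are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed IIS W3C extended log sample (not from the incident). The
# endpoint /contractors/record.aspx and the parameter name "id" are hypothetical.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-01-05 10:00:01 GET /contractors/record.aspx id=1001 alice 198.51.100.7 200
2026-01-05 10:00:09 GET /contractors/record.aspx id=1001 alice 198.51.100.7 200
2026-01-05 10:02:11 GET /contractors/record.aspx id=2044 bob 198.51.100.9 200
2026-01-05 10:05:00 GET /contractors/record.aspx id=3000 carol 203.0.113.50 200
2026-01-05 10:05:01 GET /contractors/record.aspx id=3001 carol 203.0.113.50 200
2026-01-05 10:05:02 GET /contractors/record.aspx id=3002 carol 203.0.113.50 200
2026-01-05 10:05:03 GET /contractors/record.aspx id=3003 carol 203.0.113.50 200
2026-01-05 10:05:04 GET /contractors/record.aspx id=3004 carol 203.0.113.50 403
2026-01-05 10:06:00 GET /default.aspx - - 203.0.113.50 200
"""

ID_PARAM = re.compile(r"(?:^|&)id=([^&]+)", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_id_enumeration(text, threshold=3):
    """Return {(client, path): sorted ids} where one client was served more than
    `threshold` distinct identifier values on the same endpoint."""
    seen = defaultdict(set)
    for row in parse_w3c(text):
        m = ID_PARAM.search(row["cs-uri-query"])
        if m and row["sc-status"].startswith("2"):  # only successful reads
            client = (row["c-ip"], row["cs-username"])
            seen[(client, row["cs-uri-stem"])].add(m.group(1))
    return {k: sorted(v) for k, v in seen.items() if len(v) > threshold}

if __name__ == "__main__":
    for (client, path), ids in find_id_enumeration(SAMPLE_LOG).items():
        print(f"{client} read {len(ids)} distinct ids on {path}: {ids}")
```

A hit from this heuristic is a lead for review, not proof of misuse, and the threshold needs tuning against normal usage of each endpoint. The underlying fix remains a server-side check that the requester is entitled to the specific record requested.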

The exact number of individuals affected has not been disclosed, with RCI describing the impacted group only as “numerous” independent contractors. To the company’s knowledge, the unauthorized actor has not publicly disseminated the compromised data, and no known cybercrime group has claimed responsibility for the intrusion. While the breach was characterized as unauthorized access, the article notes a small possibility that the activity could be related to security researchers, though no evidence or attribution is provided. RCI Hospitality reported that it has cooperated with the investigation and has informed the SEC of the incident’s details, but the filing does not specify any additional remedial steps such as direct notifications to affected individuals or public outreach efforts.
In its SEC filing, RCI Hospitality indicated that it does not believe the incident will result in material harm to the company and that it will continue to monitor the situation, concluding its statement with a note that the breach’s overall effect on operations remains negligible.
