Adult nightclub giant RCI Hospitality Holdings has informed authorities that a data breach disclosed in April affects roughly 40,000 individuals.
RCI Hospitality is one of the largest adult nightclub operators in the United States, and its portfolio also includes sports bars and dance clubs.
The company told the SEC in mid-April that its RCI Internet Services subsidiary discovered an insecure direct object reference (IDOR) vulnerability on March 23 in an IIS web server, allowing unauthorized access to personal information.
IDOR vulnerabilities can be exploited by an attacker to access data by changing a value in a URL or a request. For instance, a user logged into ‘account=101’ can change the URL to ‘account=102’ and access another user’s private information.
RCI said at the time that the information of “numerous” independent contractors was exposed, including names, contact information, dates of birth, SSNs, and driver’s license numbers.
Notification letters sent to affected individuals indicate that a review of the stolen files was completed on May 13. The FBI has been informed and RCI says it will cooperate with any resulting investigation.
The company told the Maine Attorney General this week that more than 40,000 individuals are affected.
It’s unclear who was behind the attack. No known ransomware group appears to have taken credit for hacking RCI.
Related: IMA Diligence Services Data Breach Impacts 525,000 People
Related: California Sues 23andMe, Alleging It Failed to Protect User Data in 2023 Breach
Related: Charter Communications Data Breach Could Impact Nearly 5 Million
