Nightclub operator RCI breach exposes 40,000 records via website IDOR flaw

RCI Hospitality, one of the largest US adult-nightclub operators, has confirmed that a breach exposed the personal data of 40,178 people, mostly independent contractors. Attackers got in through an insecure direct object reference (IDOR) flaw on one of the company's IIS web servers, a common web bug in which the server checks that a visitor is logged in but not that the visitor is allowed to see the specific record requested, so simply changing an ID number in a web address pulls up someone else's record. The intrusion began March 19 and was spotted four days later. Stolen data includes names, dates of birth, Social Security numbers, and driver's license numbers. RCI says no customer or financial systems were touched, and the data has not yet appeared publicly.

Check
If you received an RCI breach notice or worked with RCI, watch for identity fraud. Developers should test their own web apps for IDOR by altering record IDs in authenticated requests, ideally from a second low-privilege account, and confirming the server refuses to return records that account does not own.
Affected
Roughly 40,178 people, mostly independent contractors of RCI Hospitality, whose names, birth dates, Social Security numbers, and driver's license numbers sat in the breached IIS web server.
Fix
Affected individuals should enroll in any offered credit monitoring and freeze their credit. Similar orgs should enforce server-side authorization on every object reference, checking that the logged-in user owns or is otherwise entitled to the specific record before returning it, and pen-test for IDOR.
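The pattern described in the article, as an added example (not RCI's code or that of any vendor): a minimal contractor-records lookup that reproduces the IDOR, the hardened version with the server-side ownership check the Fix section calls for, and the ID-walking probe the Check section recommends. All user names, roles, record IDs and records here are constructed for the example.

```python
"""Added example, not code from the article or from RCI: an IDOR-vulnerable
record lookup, its hardened form, and a probe that detects the flaw."""
from dataclasses import dataclass

# Constructed sample data. Sequential IDs make enumeration trivial, which is
# exactly what an IDOR attacker relies on.
RECORDS = {
    1001: {"owner": "alice", "name": "Alice A.", "ssn": "***-**-1111"},
    1002: {"owner": "bob",   "name": "Bob B.",   "ssn": "***-**-2222"},
    1003: {"owner": "carol", "name": "Carol C.", "ssn": "***-**-3333"},
}


@dataclass
class Session:
    """Authenticated session; 'role' is a constructed field for this example."""
    user: str
    role: str = "contractor"   # or "hr_admin", which may read any record


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_record_insecure(session: Session, record_id: int) -> dict:
    """IDOR: authentication is checked (a session exists) but authorization
    against the requested object is not. Requesting id=1002 with alice's
    session returns bob's record."""
    if session is None:
        raise Forbidden("login required")
    if record_id not in RECORDS:
        raise NotFound(record_id)
    return RECORDS[record_id]


def get_record_secure(session: Session, record_id: int) -> dict:
    """Fix: authorize on the server against the specific object, not just
    the session. Missing and foreign records get the same error so the
    response code cannot be used to map which IDs exist."""
    if session is None:
        raise Forbidden("login required")
    rec = RECORDS.get(record_id)
    if rec is None or (rec["owner"] != session.user and session.role != "hr_admin"):
        raise NotFound(record_id)
    return rec


def probe_idor(handler, session: Session, own_id: int, spread: int = 5) -> list:
    """The check from the article: with one authenticated low-privilege
    session, walk the IDs around your own record and collect every foreign
    record the handler hands back. An empty list means no leak was found."""
    leaked = []
    for rid in range(own_id - spread, own_id + spread + 1):
        if rid == own_id:
            continue
        try:
            rec = handler(session, rid)
        except (Forbidden, NotFound):
            continue
        if rec["owner"] != session.user:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    alice = Session("alice")
    print("insecure handler leaks:", probe_idor(get_record_insecure, alice, 1001))  # [1002, 1003]
    print("secure handler leaks:  ", probe_idor(get_record_secure, alice, 1001))    # []
```

The probe is deliberately run as an ordinary contractor rather than an admin: an IDOR only shows up when a session that should be confined to its own record is used to request its neighbours, so the test account must be the least privileged one the application supports.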