According to the SEC filing, adult nightclub operator RCI Hospitality Holdings disclosed that an insecure direct object reference (IDOR) vulnerability in its RCI Internet Services subsidiary allowed access to personal information. The company said the vulnerability was discovered on 23 March 2026, and an investigation found the incident began on 19 March 2026.
The data breach involved unauthorized access to information belonging to numerous independent contractors, including names, dates of birth, contact information, SSNs and driver’s licence numbers. None of the company’s customer information or financial systems were accessed, and the firm stated that its operations were not affected and it does not believe there will be a material impact.
It remains unclear how many individuals were affected, though RCI Hospitality is described as one of the largest adult nightclub operators in the United States, with brands such as Rick’s and Tootsie’s and a portfolio that includes sports bars and dance clubs. There has been no claim of responsibility from a known cybercrime group, and the article notes the possibility that the incident could be related to security researchers.