▣ Breach RCI-HOSPITALITY-DA 2026-06-07

RCI Hospitality: IDOR Vulnerability Exposes 40,000 Contractors

Adult nightclub operator RCI Hospitality Holdings has confirmed that a data breach first disclosed in April affects approximately 40,000 individuals. The incident stemmed from an insecure direct object reference (IDOR) flaw in an IIS web server operated by subsidiary RCI Internet Services, exposing sensitive personal information belonging to independent contractors. The FBI has been notified and the company says it will cooperate with any resulting investigation.

What Happened

On March 23, RCI Internet Services discovered an insecure direct object reference vulnerability in one of its IIS web servers. The flaw allowed unauthenticated parties to access records belonging to other users simply by modifying identifiers in URLs or requests. RCI initially reported the incident to the SEC in mid-April, describing the impact as affecting "numerous" independent contractors. A forensic review of the stolen files was completed on May 13, and this week RCI informed the Maine Attorney General that the final tally exceeds 40,000 affected individuals. No ransomware group has publicly claimed responsibility, and the identity of the threat actor remains unknown.

What Was Taken

The compromised records contain a high-value combination of identity data suitable for fraud and synthetic identity creation. Exposed information includes:

The affected population consists primarily of independent contractors associated with RCI's nightclub, sports bar, and dance club operations. Given the adult entertainment context, the reputational and privacy harm to victims extends beyond standard PII exposure scenarios.

Why It Matters

This breach is a textbook reminder that an application logic flaw can be as damaging as memory corruption or credential theft. IDOR is a form of broken access control, the category that sits at the top of the OWASP Top 10 (2021), yet it remains widespread in production web applications because it leaves no signature for a scanner to match: every request is well-formed, and telling a permitted lookup from a forbidden one requires knowing which user is allowed to see which record. The 40,000-record disclosure also highlights regulatory exposure: state attorneys general, the SEC, and the FBI are all now in the loop, and the sensitive nature of the victim population, adult entertainment contractors, magnifies the potential for downstream harassment, extortion, and identity fraud campaigns.

The Attack Technique

IDOR exploitation requires no malware, no phishing, and no zero-day. An authenticated or even unauthenticated user manipulates a parameter, such as changing "account=101" to "account=102" in a URL, and the server returns another user's record because it looked the object up by the supplied identifier without first checking that the caller is allowed to see it. Because each request is structurally valid and returns an ordinary 200 response, web application firewalls and intrusion detection systems typically do not flag the traffic as malicious; the only signal is the aggregate pattern of one client walking through many identifiers. In RCI's case, the vulnerable endpoint sat on an IIS web server operated by its internet services subsidiary, suggesting a contractor-facing portal lacked object-level authorization checks. With sequential identifiers, an attacker can script the enumeration and scrape the entire dataset within hours.
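The pattern described above, as an added example that is not RCI's code and says nothing about how its portal was actually built: a minimal record-lookup handler with the IDOR flaw, the hardened handler beside it, and the enumeration loop an attacker runs against each. The record store, the session table, the `/contractor?id=` URL shape and the user names are all constructed for illustration.

```python
"""Added example (not RCI's code): an IDOR-prone lookup, its hardened form,
and the sequential-id enumeration that separates the two.  Records, sessions
and the portal URL are constructed for illustration."""
from urllib.parse import urlparse, parse_qs

# Constructed sample data: sequential record ids, as an IDOR-prone store has.
RECORDS = {
    101: {"owner": "alice", "ssn_last4": "1234"},
    102: {"owner": "bob", "ssn_last4": "5678"},
    103: {"owner": "carol", "ssn_last4": "9012"},
}
SESSIONS = {"tok-alice": "alice"}  # session token -> authenticated user


def _parse_id(url):
    """Return the integer ?id= value from a request URL, or None if absent/invalid."""
    query = parse_qs(urlparse(url).query)
    try:
        return int(query.get("id", [""])[0])
    except ValueError:
        return None


def vulnerable_get(url, session=None):
    """IDOR: the id is trusted as-is; neither login nor ownership is checked."""
    rec = RECORDS.get(_parse_id(url))
    return (200, rec) if rec else (404, None)


def hardened_get(url, session=None):
    """Object-level authorization: identify the caller, then require ownership.
    A record that exists but belongs to someone else gets the same 404 as a
    missing one, so the response cannot be used to probe which ids are valid."""
    user = SESSIONS.get(session)
    if user is None:
        return (401, None)
    rec = RECORDS.get(_parse_id(url))
    if rec is None or rec["owner"] != user:
        return (404, None)
    return (200, rec)


def enumerate_ids(handler, session=None, start=100, stop=110):
    """The attack: walk sequential ids and keep whatever the server hands back."""
    leaked = {}
    for rid in range(start, stop):
        status, rec = handler(f"https://portal.example/contractor?id={rid}", session)
        if status == 200:
            leaked[rid] = rec
    return leaked


if __name__ == "__main__":
    print("vulnerable, unauthenticated:", enumerate_ids(vulnerable_get))
    print("hardened, unauthenticated:  ", enumerate_ids(hardened_get))
    print("hardened, as alice:         ", enumerate_ids(hardened_get, "tok-alice"))
```

Against `vulnerable_get` the loop recovers every record with no session at all; against `hardened_get` it recovers nothing unauthenticated and only the caller's own record when logged in. Note that the fix is the ownership comparison inside the handler, not anything at the URL layer: the attacker's requests are identical in both runs.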

What Organizations Should Do

  1. Audit all web-facing applications for missing object-level authorization checks, particularly endpoints that accept numeric or guessable identifiers in URLs, headers, or request bodies.
  2. Enforce server-side authorization on every record retrieval, verifying that the authenticated session owns or has explicit permission to access the requested object.
  3. Replace sequential integer identifiers with unguessable UUIDs or signed tokens to raise the cost of enumeration; treat this as defense in depth, since identifiers leak through logs, referrers, and shared links, and only the server-side check in step 2 actually prevents the disclosure.
  4. Implement rate limiting and anomaly detection on data-access endpoints to surface scraping behavior, even when individual requests appear legitimate.
  5. Mandate threat modeling and authorization-focused code review for any portal handling contractor, customer, or employee PII.
  6. Maintain an incident response playbook that includes SEC, state AG, and FBI notification workflows, with predefined timelines for forensic review completion.
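Step 4 above is the one that catches an enumeration the other controls missed, and it is harder than it sounds because every scraped request is a valid, successful lookup. The detector below is an added example, not RCI's tooling and not derived from its logs: it parses IIS W3C extended log lines, groups requests by client address, and flags any client that fetched many distinct, mostly consecutive ids from one endpoint inside a short window. The `/contractor/profile` path, the `id` parameter, the thresholds, and every log line are constructed assumptions; tune the thresholds to the real endpoint's traffic before alerting on them.

```python
"""Added example (not RCI's own tooling): flag sequential-id scraping in IIS
W3C extended log lines.  Each request below is a well-formed 200, so no single
line is 'malicious'; the signal is many distinct, mostly consecutive ids from
one client in a short window.  Log lines, hosts and path are constructed."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample: two ordinary users plus one client walking ids 1040..1069.
# IIS writes '+' for spaces inside fields, so whitespace splitting is safe.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status time-taken",
    "2026-03-22 02:10:01 10.0.0.5 GET /contractor/profile id=2207 443 - 198.51.100.20 Mozilla/5.0 200 31",
    "2026-03-22 02:10:44 10.0.0.5 GET /contractor/profile id=2207 443 - 198.51.100.20 Mozilla/5.0 200 28",
    "2026-03-22 02:12:13 10.0.0.5 GET /contractor/profile id=3390 443 - 198.51.100.21 Mozilla/5.0 200 30",
] + [
    f"2026-03-22 02:14:{7 + i:02d} 10.0.0.5 GET /contractor/profile id={1040 + i} "
    f"443 - 203.0.113.7 python-requests/2.31 200 12"
    for i in range(30)
]

WINDOW_SECONDS = 60          # assumed window for one scrape burst
MIN_DISTINCT_IDS = 20        # assumed: fewer distinct ids than this is normal use
MIN_SEQUENTIAL_FRACTION = 0.8  # share of id gaps equal to 1 that marks a walk


def parse_w3c(lines):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed, or data before any #Fields header: skip, don't crash
        yield dict(zip(fields, parts))


def detect_enumeration(lines, path="/contractor/profile", param="id"):
    """Return {client_ip: (distinct_ids, sequential_fraction)} for clients that
    fetched >= MIN_DISTINCT_IDS distinct ids of `path` within WINDOW_SECONDS
    and whose sorted ids are mostly consecutive."""
    per_client = defaultdict(list)  # c-ip -> [(timestamp, id), ...]
    for req in parse_w3c(lines):
        if req["cs-uri-stem"] != path:
            continue
        raw = parse_qs(req["cs-uri-query"]).get(param, [None])[0]
        if raw is None or not raw.isdigit():
            continue
        ts = datetime.strptime(req["date"] + " " + req["time"], "%Y-%m-%d %H:%M:%S")
        per_client[req["c-ip"]].append((ts, int(raw)))

    hits = {}
    for ip, events in per_client.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Sliding window: drop events older than WINDOW_SECONDS before events[hi].
            while (events[hi][0] - events[lo][0]).total_seconds() > WINDOW_SECONDS:
                lo += 1
            ids = sorted({rid for _, rid in events[lo:hi + 1]})
            if len(ids) < MIN_DISTINCT_IDS:
                continue
            steps = [b - a for a, b in zip(ids, ids[1:])]
            frac = sum(1 for s in steps if s == 1) / len(steps)
            if frac >= MIN_SEQUENTIAL_FRACTION:
                hits[ip] = (len(ids), round(frac, 2))
    return hits


if __name__ == "__main__":
    for ip, (count, frac) in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible IDOR enumeration from {ip}: {count} distinct ids, "
              f"{frac:.0%} consecutive within {WINDOW_SECONDS}s")
```

On the constructed sample only `203.0.113.7` is reported; the two browser users, who each re-read a single record, fall well under the distinct-id threshold. The same logic runs unchanged over a full day of logs or over any other endpoint and parameter, and because it keys on the client address it should be paired with a per-session or per-account variant for attackers who rotate source IPs.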

Sources: Nightclub Giant RCI Says Data Breach Affects 40,000 Individuals - SecurityWeek