[{"data":1,"prerenderedAt":125},["ShallowReactive",2],{"article-slug-rci-hospitality-discloses-data-breach-exposing-contractor-information":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":15,"entities":16,"cves":28,"sources":29,"events":55,"mitre_techniques":65,"mitre_mitigations":74,"d3fend_countermeasures":94,"iocs":95,"cyber_observables":96,"tags":108,"extract_datetime":113,"article_type":114,"impact_scope":115,"pub_date":123,"reading_time_minutes":124,"createdAt":113,"updatedAt":113},"51317af1-1d94-4d1a-a236-3b58996c7128","rci-hospitality-discloses-data-breach-exposing-contractor-information","RCI Hospitality Data Breach Exposes Sensitive Information of Contractors","RCI Hospitality Discloses Data Breach Resulting from IDOR Vulnerability","RCI Hospitality Holdings, a major operator of nightclubs and sports bars, has reported a data breach that exposed the personal information of its independent contractors. The breach was caused by an Insecure Direct Object Reference (IDOR) vulnerability on one of its web servers. The exposed data includes names, Social Security numbers, and driver's license numbers. The company has since secured the server and is notifying affected individuals.","## Executive Summary\n**[RCI Hospitality Holdings, Inc.](https://www.rcihospitality.com/)**, a leading operator in the adult nightclub and sports bar industry, has disclosed a data breach that exposed the sensitive personal data of its independent contractors. According to a filing with the U.S. Securities and Exchange Commission (SEC), the incident was caused by an Insecure Direct Object Reference (IDOR) vulnerability on a **[Microsoft Internet Information Services (IIS)](https://www.iis.net/)** web server. An unauthorized actor exploited this common web application flaw in March 2026 to access data including Social Security numbers. The company asserts that customer data and business operations were not affected.\n\n---\n\n## Vulnerability Details\nThe root cause of the breach was an **Insecure Direct Object Reference (IDOR)** vulnerability. IDOR is a type of access control flaw where an application uses user-supplied input to access objects directly. In this case, an attacker was likely able to manipulate a parameter in a URL or API request (e.g., changing `?contractor_id=123` to `?contractor_id=124`) to cycle through and access the records of other contractors without proper authorization checks.\n\n-   **Vulnerability Type:** Insecure Direct Object Reference (IDOR)\n-   **Affected System:** A **[Microsoft Internet Information Services (IIS)](https://www.iis.net/)** web server run by subsidiary RCI Internet Services, Inc.\n-   **Incident Timeline:**\n    -   March 19, 2026: Breach begins.\n    -   March 23, 2026: Breach discovered.\n    -   April 7, 2026: Investigation concludes.\n\n## Impact Assessment\nThe breach resulted in the unauthorized access to a range of sensitive Personally Identifiable Information (PII) belonging to independent contractors. The exposed data includes:\n-   Names\n-   Dates of Birth\n-   Social Security Numbers (SSNs)\n-   Driver's License Numbers\n-   Contact Information\n\nThis places the affected individuals at a high risk of identity theft, financial fraud, and other malicious activities. While **[RCI Hospitality](https://www.rcihospitality.com/)** stated that customer data was not impacted and that the data has not been publicly disseminated, the potential for misuse of the stolen contractor data remains significant.\n\n## Detection & Response\nDetecting IDOR exploitation requires careful monitoring of application behavior:\n1.  **Code Analysis:** The best detection is proactive, through static (SAST) and dynamic (DAST) application security testing during the development lifecycle to identify and fix IDOR flaws before deployment.\n2.  **Log Analysis (D3-RAPA: Resource Access Pattern Analysis):** Monitor web server logs for suspicious access patterns. For example, a single IP address rapidly requesting a series of resources by incrementing an ID in the URL is a strong indicator of an IDOR scanning attempt.\n3.  **Authorization Monitoring:** Implement monitoring that checks if a user's session is authorized to access the specific data object they are requesting and alert on any failures.\n\n## Mitigation\n1.  **Secure Coding Practices (M1013 - Application Developer Guidance):** The primary mitigation for IDOR is to never rely on user-supplied input for direct object access. Instead of `id=123`, use indirect reference maps or verify on the server-side that the logged-in user (`session.user_id`) is authorized to access the requested object (`requested_object.owner_id`).\n2.  **Centralized Access Control:** Implement and enforce a centralized access control mechanism that is checked on every single request to a data object, rather than relying on the presentation of a URL.\n3.  **Web Application Firewall (WAF):** While not a complete solution, a WAF can be configured with rules to detect and block simple, sequential IDOR scanning attempts, providing a layer of defense.\n4.  **Penetration Testing:** Regularly conduct external penetration tests on web applications to identify and remediate vulnerabilities like IDOR before they can be exploited by attackers.","RCI Hospitality Holdings discloses a data breach exposing contractor PII, including SSNs. ‼️ The breach was caused by an Insecure Direct Object Reference (IDOR) vulnerability on a web server. #DataBreach #IDOR #Vulnerability","RCI Hospitality Holdings has reported a data breach exposing the personal information of contractors, including SSNs, due to an IDOR vulnerability on a web server.",[13,14],"Data Breach","Vulnerability","medium",[17,20,22,25],{"name":18,"type":19},"RCI Hospitality Holdings, Inc.","company",{"name":21,"type":19},"RCI Internet Services, Inc.",{"name":23,"type":24},"Microsoft Internet Information Services (IIS)","product",{"name":26,"type":27},"U.S. Securities and Exchange Commission (SEC)","government_agency",[],[30,36,42,48,52],{"url":31,"title":32,"date":33,"friendly_name":34,"website":35},"https://www.securityweek.com/nightclub-giant-rci-hospitality-reports-data-breach/","Nightclub Giant RCI Hospitality Reports Data Breach","2026-04-14","SecurityWeek","securityweek.com",{"url":37,"title":38,"date":39,"friendly_name":40,"website":41},"https://www.scmagazine.com/brief/vulnerability-related-breach-exposes-rci-hospitality-holdings-contractor-data","Vulnerability-related breach exposes RCI Hospitality Holdings' contractor data","2026-04-15","SC Magazine","scmagazine.com",{"url":43,"title":44,"date":45,"friendly_name":46,"website":47},"https://www.investing.com/news/stock-market-news/rci-hospitality-says-cyber-incident-exposes-independent-contractor-personal-data-3375591","RCI Hospitality says cyber incident exposes independent contractor personal data","2026-04-13","Investing.com","investing.com",{"url":49,"title":50,"date":45,"website":51},"https://claimdepot.org/data-breach/rci-hospitality-holdings-data-breach-exposes-sensitive-info-including-ssns/","RCI Hospitality Holdings Data Breach Exposes Sensitive Info Including SSNs","claimdepot.org",{"url":53,"title":44,"date":33,"website":54},"https://www.sahmcapital.com/news/661b179339599e0001a1c6a2","sahmcapital.com",[56,59,62],{"datetime":57,"summary":58},"2026-03-19T00:00:00Z","The unauthorized actor first gains access to the server.",{"datetime":60,"summary":61},"2026-03-23T00:00:00Z","RCI Hospitality discovers the breach.",{"datetime":63,"summary":64},"2026-04-07T00:00:00Z","The company's internal investigation into the incident concludes.",[66,70],{"id":67,"name":68,"tactic":69},"T1190","Exploit Public-Facing Application","Initial Access",{"id":71,"name":72,"tactic":73},"T1119","Automated Collection","Collection",[75,85],{"id":76,"name":77,"d3fend_techniques":78,"description":83,"domain":84},"M1054","Software Configuration",[79],{"id":80,"name":81,"url":82},"D3-ACH","Application Configuration Hardening","https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening","Implementing proper access control checks within the application logic is the primary defense against IDOR vulnerabilities.","enterprise",{"id":86,"name":87,"d3fend_techniques":88,"description":93,"domain":84},"M1047","Audit",[89],{"id":90,"name":91,"url":92},"D3-RAPA","Resource Access Pattern Analysis","https://d3fend.mitre.org/technique/d3f:ResourceAccessPatternAnalysis","Auditing web server logs for anomalous, sequential access patterns can help detect attempts to exploit IDOR flaws.",[],[],[97,103],{"type":98,"value":99,"description":100,"context":101,"confidence":102},"url_pattern","viewProfile.jsp?id=123","A typical URL pattern vulnerable to IDOR. Attackers would manipulate the 'id' parameter to access other profiles (e.g., id=124, id=125).","Web server logs, WAF logs.","high",{"type":104,"value":105,"description":106,"context":107,"confidence":102},"network_traffic_pattern","Rapid, sequential requests from a single IP to the same endpoint with incrementing IDs.","This behavior is a strong indicator of an attacker attempting to enumerate and exfiltrate data via an IDOR vulnerability.","SIEM correlation rules, WAF anomaly detection.",[13,109,14,110,111,112],"IDOR","PII","SSN","RCI Hospitality","2026-04-16T15:00:00.000Z","NewsArticle",{"geographic_scope":116,"countries_affected":117,"industries_affected":119,"other_affected":121},"national",[118],"United States",[120],"Hospitality",[122],"Independent contractors","2026-04-16",3,1776358280425]