Incident · Unknown

RCI Hospitality Holdings, Inc. · RICK

Consumer Discretionary · USA · Incident March 19, 2026 · Filed April 13, 2026
Impact score
Business continuity
Insurance involved: Yes
Filing: 8-K · 8.01

Breach taxonomy

Unknown · Data Exfil · App Exploit · Personal Data · Info Privacy Loss

Summary

RCI Internet Services, a subsidiary of RCI Hospitality Holdings, discovered on March 23, 2026 a cybersecurity incident that began on March 19, 2026. The investigation (concluded April 7, 2026) determined that a potential insecure direct object reference (IDOR) vulnerability on its Microsoft IIS web server was exploited, leading to unauthorized access to personal information of numerous independent contractors, including names, contact information, dates of birth, Social Security numbers, and driver's license numbers. No customer information or financial systems were accessed, and business operations were not impacted. The company enhanced its security posture (expanded MFA, disabled external IIS access) and maintains comprehensive cybersecurity insurance.

Tagging rationale

Threat: Unknown

Filing refers only to an unspecified "unauthorized actor" / "unauthorized third-party" with no actor category disclosed → UNKNOWN.

Methods: Data Exfil · App Exploit

Filing states the cause was "a potential insecure direct object reference vulnerability...on its internet information services (IIS) web server" which was exploited to access data → APP-EXPLOIT (primary attack vector); personal data was accessed and the actor retained it ("has not publicly disseminated the data") → DATA-EXFIL.

Assets: Personal Data

Filing discloses that "certain personal information, including names and contact information, dates of birth, social security numbers, and driver's license numbers, with respect to numerous independent contractors was accessed without authorization" → PERSONAL-DATA.

Effects: Info Privacy Loss

Filing discloses unauthorized access to personal data of numerous independent contractors and plans to provide notifications to affected parties and regulators; no operational or revenue disruption → INFO-PRIVACY-LOSS.

Business continuity

Filing explicitly states "The incident did not impact the business operations of the Company" — no operational continuity procedures needed.

Impact

SSNs and driver's license numbers exposed for "numerous" independent contractors; no customer data or financial systems affected; no operational impact; insurance coverage in place; notifications pending → score 2.

Insurance: Yes

Filing states "The Company maintains a comprehensive cybersecurity insurance policy, which covers costs associated with the incident response, investigatory and remediation expense, potential regulatory action, business interruption, and costs associated with investigating, defending, and resolving legal proceedings related to the incident" → true.

Original SEC filing excerpt

ITEM 8.01 OTHER EVENTS. RCI Internet Services, Inc., a subsidiary of RCI Hospitality Holdings, Inc., (the "Company"), recently discovered on March 23, 2026 that it sustained a cybersecurity incident starting March 19, 2026. The incident did not impact the business operations of the Company. Upon detecting the incident, the Company promptly took steps to investigate and respond with the assistance of third-party cybersecurity firms. As the investigation concluded on April 7, 2026, the Company learned that a potential insecure direct object reference vulnerability was present on its internet information services ("IIS") web server. To remediate, the Company promptly enhanced its technical security posture, including expanding the use of multifactor authentication and disabling external access to the IIS. As a result of this incident, the Company believes that certain personal information, including names and contact information, dates of birth, social security numbers, and driver's license numbers, with respect to numerous independent contractors was accessed without authorization. To the Company's knowledge, the unauthorized actor has not publicly disseminated the data. None of our customer information or financial systems were accessed. The Company is continuing to review the impacted data and will provide the required notifications to affected parties and applicable regulatory entities. As of the date of this filing, the Company believes that the incident will not have a material adverse effect on its business operations. The Company continues to investigate the incident and will incur expenses in the fiscal year directly and indirectly related to the event. 
The Company maintains a comprehensive cybersecurity insurance policy, which covers costs associated with the incident response, investigatory and remediation expense, potential regulatory action, business interruption, and costs associated with investigating, defending, and resolving legal proceedings related to the incident, subject to deductibles, exclusions and limits.

Filed under Item 8.01; company has not formally determined materiality under Item 1.05 as of the filing date.