RCI Hospitality Reports Data Breach After Contractor Information Was Exposed Through IDOR Flaw


What happened

RCI Hospitality disclosed a data breach after its RCI Internet Services subsidiary discovered on March 23 that an insecure direct object reference (IDOR) flaw in an IIS web server exposed personal information. The company said its investigation concluded earlier this month and found that the incident began on March 19. According to the company’s SEC filing, the unauthorized access involved data belonging to “numerous” independent contractors, including names, dates of birth, contact information, Social Security numbers, and driver’s license numbers. RCI also said that, to its knowledge, the unauthorized actor has not publicly disseminated the data. The company said no customer information or financial systems were accessed and that business operations were not affected.

Who is affected

The direct exposure affects independent contractors whose personal information was accessible through the vulnerable RCI Internet Services web server. The company has not disclosed how many individuals were impacted, but it said the exposed data included identity-related information such as Social Security numbers and driver’s license numbers. 

Why CISOs should care

This incident matters because it involves an insecure direct object reference flaw that exposed sensitive contractor data without affecting customer information or core financial systems. It also shows how a web application authorization weakness can still create a serious identity-data exposure event even when broader business operations remain intact. 

3 practical actions

Review authorization logic on web apps: Check whether identifiers in URLs, requests, or file references can be modified to access records without proper permission checks. 

Scope contractor data exposure separately: Make sure incident reviews distinguish contractor and workforce information from customer or financial-system exposure when multiple data environments exist. 

Treat identity documents as high-impact data: Prioritize response and protection measures when exposed records include Social Security numbers and driver’s license numbers. 
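To make the first action concrete, here is an added example (not RCI's code, and not tied to any real system) of the authorization check an IDOR review looks for: a record lookup that trusts the client-supplied identifier, beside a hardened version that enforces object-level authorization and records denied attempts for monitoring. The record store, the Principal and ContractorRecord types, and the "contractor"/"hr_admin" roles are all constructed for illustration.

```python
"""Object-level authorization on a record lookup (illustrative, framework-agnostic)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # constructed roles: "contractor" or "hr_admin"

@dataclass(frozen=True)
class ContractorRecord:
    record_id: int
    owner_id: str    # the contractor this record belongs to
    ssn_last4: str   # constructed sample value, not real data

# Constructed sample records, keyed by the identifier a client sends in the request.
RECORDS = {
    1001: ContractorRecord(1001, "alice", "1234"),
    1002: ContractorRecord(1002, "bob", "5678"),
}

# Denied lookups are kept here so they can be shipped to a SIEM; a burst of
# "not_owner" entries from one principal is the signal an IDOR probe produces.
DENIED_ATTEMPTS: List[Tuple[str, int, str]] = []

def get_record_vulnerable(requester: Principal, record_id: int) -> Optional[ContractorRecord]:
    """IDOR pattern: the caller is authenticated, but nothing ties record_id to
    the caller, so changing the identifier in the request returns someone else's record."""
    return RECORDS.get(record_id)

def get_record_hardened(requester: Principal, record_id: int) -> Optional[ContractorRecord]:
    """Same lookup with object-level authorization: the record is returned only when
    the requester owns it or holds the administrative role. Missing and unauthorized
    ids both return None so the response does not reveal which ids exist."""
    record = RECORDS.get(record_id)
    if record is None:
        DENIED_ATTEMPTS.append((requester.user_id, record_id, "missing"))
        return None
    if requester.role != "hr_admin" and record.owner_id != requester.user_id:
        DENIED_ATTEMPTS.append((requester.user_id, record_id, "not_owner"))
        return None
    return record
```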
