RCI Hospitality says a cyberattack exposed sensitive personal data belonging to roughly 40,000 people. The company previously disclosed that its RCI Internet Services subsidiary found an insecure direct object reference, or IDOR, flaw on an IIS web server on March 23 that allowed unauthorized access to personal information, and it later determined files were stolen. Exposed data included names, contact details, dates of birth, Social Security numbers, and driver’s license numbers.
Why it matters: People affected face a real risk of identity theft because the stolen files included high-value personal data. Organizations should review web applications for IDOR-style authorization flaws, and affected individuals should watch for fraud and consider credit monitoring or freezes.
Eduard Kovacs
2026.06.05
100% relevant
This article appears to be the first clear impact update establishing the RCI Hospitality breach as a trackable story, adding the concrete figure of roughly 40,000 affected individuals and confirming file theft.
← Back to all stories