Vulnerability-related breach exposes RCI Hospitality Holdings’ contractor data

Major U.S. adult nightclub and sports bar operator RCI Hospitality Holdings had the personal information of "numerous" independent contractors exposed following the exploitation of an insecure direct object reference flaw impacting one of its IIS servers, according to SecurityWeek.

Infiltration of the IIS server on Mar. 19 enabled the threat actor to access contractors' names, birthdates, Social Security numbers, driver's license numbers, and contact details, noted RCI in a filing with the U.S. Securities and Exchange Commission. Neither business operations nor financial and customer information systems were affected by the incident, which has not yet been claimed by any cybercrime operation.

An attacker can steal data by exploiting an IDOR flaw, which involves altering a value in a request or web link. The flaw arises when a website retrieves a record using an identifier, such as a file name or account number, but does not confirm that the user has the required permissions.
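
The missing permission check described above, shown as an added example that is not taken from RCI's systems or from the original report: a record lookup that trusts the requested identifier, next to one that verifies ownership first. The record store, account names and function names are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ContractorRecord:
    record_id: int
    owner: str       # account the record belongs to
    full_name: str


# Constructed sample data standing in for a records table.
RECORDS = {
    1001: ContractorRecord(1001, "alice", "Alice Example"),
    1002: ContractorRecord(1002, "bob", "Bob Example"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def get_record_vulnerable(session_user, record_id):
    # IDOR: the identifier from the request is trusted as-is and
    # session_user is never consulted.
    return RECORDS[record_id]


def get_record_checked(session_user, record_id, admins=frozenset()):
    record = RECORDS.get(record_id)
    # Same error for "missing" and "not yours", so the response does not
    # reveal which identifiers exist.
    if record is None or (record.owner != session_user
                          and session_user not in admins):
        raise Forbidden(f"{session_user} may not read record {record_id}")
    return record


def can_read(fetch, session_user, record_id):
    """Return True if fetch() hands the record to session_user."""
    try:
        fetch(session_user, record_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    for fetch in (get_record_vulnerable, get_record_checked):
        print(fetch.__name__, "alice -> 1002:", can_read(fetch, "alice", 1002))
```

The check belongs on the server at every point where a record is fetched by identifier; hiding or randomizing identifiers alone does not replace it.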
