
RCI Hospitality Holdings Inc., a Houston-based company that operates more than 55 upscale adult nightclubs and restaurants across the United States, disclosed a data breach that affected approximately 40,178 individuals nationwide, including 15,553 Texas residents, 257 Maine residents and 201 Massachusetts residents.
RCI Internet Services became aware of a network disruption on March 23, 2026. The company initiated an investigation, which determined that certain files were accessed and acquired without authorization on March 19, 2026.
The investigation concluded on April 7, 2026, and found that a potential insecure direct object reference vulnerability was present on the company's internet information services (IIS) web server.
The company's review of the affected files determined that the types of information exposed included first and last names, Social Security numbers, driver's license numbers, dates of birth, contact information and passport numbers.
The breach was reported to the California Attorney General and to the Vermont Attorney General. The company began notifying consumers on May 28, 2026. According to the SEC filing, the affected individuals were independent contractors, and no customer information or financial systems were accessed during the incident.
The company is offering complimentary identity protection services through IDX. These services include credit monitoring, dark web monitoring, a $1 million identity fraud loss reimbursement policy and fully managed identity theft recovery services.
Affected individuals can enroll by visiting the IDX enrollment page or by using the enrollment code included in their notification letter. The deadline to enroll is Aug. 28, 2026.
For questions or assistance, affected individuals can call 1-855-326-3023, Monday through Friday from 9 a.m. to 9 p.m. Eastern Time.








.webp)
.webp)
.webp)

.webp)
.webp)
.webp)
.webp)