RCI Hospitality Holdings Data Breach Exposes Sensitive Info Including SSNs

RCI Hospitality Holdings Inc., a Houston-based hospitality company founded in 1983, disclosed a cybersecurity incident that compromised the personal information of numerous independent contractors.

The company disclosed the incident in a Form 8-K filing with the U.S. Securities and Exchange Commission. The breach was discovered on March 23, 2026.

A specific total number of affected individuals has not been disclosed.

What happened in the RCI Hospitality Holdings data breach

The cybersecurity incident began on March 19, 2026. An unauthorized actor gained access to the company's systems by exploiting what the company described as a potential insecure direct object reference vulnerability on its internet information services (IIS) web server.

The company detected the unauthorized access four days after the incident began. Upon detecting the breach, the company took steps to investigate and respond to the situation.

It engaged third-party cybersecurity firms to assist with a forensic investigation into what had happened and what data may have been affected. The investigation concluded on April 7, 2026.

Through the investigation, the company determined that certain personal information had been accessed without authorization. The types of information exposed included names and contact information, dates of birth, Social Security numbers and driver's license numbers.

The company stated that no customer information or financial systems were accessed during the incident.

RCI Hospitality Holdings' response to the breach

RCI Hospitality Holdings stated it is continuing to review the impacted data to identify all affected individuals and, once complete, the company plans to provide the required notifications to those individuals and to applicable regulatory entities. Specific details about the timeline for these consumer notifications have not been announced.

The company believes the incident did not impact its business operations and will not have a material adverse effect on the company overall.

The company cautioned that its assessment of the breach's impact could change as new information becomes available, noting potential risks including the discovery of additional compromised data, impacts on relationships with independent contractors and government regulators, and legal and reputational concerns.

Steps to take if your information was exposed

• Place a credit freeze on your credit files with Equifax (1-800-525-6285), Experian (1-888-397-3742) and TransUnion (1-800-680-7289) to help prevent new accounts from being opened using your information.
• Set up a fraud alert with one of the three major credit bureaus, which will automatically notify the other two bureaus on your behalf.
• Review your credit reports at AnnualCreditReport.com for any unfamiliar accounts or suspicious activity, and continue checking them regularly over the coming months.
• Monitor your financial accounts closely and report any unauthorized transactions to your bank or credit card company right away.
• Be cautious of phishing attempts that reference RCI Hospitality Holdings or this data breach by name, as scammers sometimes use breach notifications to trick people into sharing additional personal information through fake emails, texts or phone calls.
• File an identity theft report with the Federal Trade Commission at IdentityTheft.gov if you notice any signs that your personal information has been misused.