Almeida Law Group is investigating a data breach at RCI Internet Services, Inc. The breach occurred on 3/19/2026 and was discovered on 05-13-2026. If you were affected, contact Almeida Law Group.
About RCI Internet Services, Inc.
RCI Internet Services, Inc. is a subsidiary of RCI Hospitality Holdings, Inc. (NASDAQ: RICK), a publicly traded company headquartered in Houston, Texas. RCI Internet Services handles internet and web operations for the parent company, which operates adult nightclubs and Bombshells Restaurant & Bar locations across the United States. The breach exposed highly sensitive personal identifiers—including Social Security numbers, driver’s license numbers, and passport numbers—making affected individuals at heightened risk for identity theft and fraud.
What Happened?
RCI Internet Services, Inc. was listed in a Maine Attorney General filing reporting an external hacking incident. According to the Maine filing and supplemental reporting, an unauthorized actor exploited an insecure direct object reference (IDOR) vulnerability on an IIS web server on March 19, 2026. RCI became aware of the disruption on March 23, 2026, engaged independent cybersecurity experts, and completed its review of the affected files on May 13, 2026. A total of 40,178 individuals were affected. Consumer notification letters were sent on May 28, 2026. The compromised data may have included names, Social Security numbers, driver’s license numbers, passport numbers, dates of birth, and contact information. The breach primarily affected independent contractors. RCI notified the FBI and has stated it has no evidence of misuse of the exposed data. RCI remediated the vulnerability by expanding multifactor authentication and disabling external IIS access.
As of mid-April 2026, no cybercrime group had claimed the incident, and SecurityWeek noted the possibility that the access may have been by a security researcher rather than a malicious actor, though that remains unconfirmed. The parent company, RCI Hospitality Holdings, filed an SEC 8-K disclosing the incident on April 10, 2026. Separately, RCI Hospitality Holdings and several of its executives face unrelated legal proceedings, including a 79-count criminal indictment in New York for bribery and tax fraud and securities fraud class action lawsuits filed by Rosen Law Firm and Kessler Topaz—both of which predate this breach and are unconnected to it.
Key Facts at a Glance
- Company or Organization: RCI Internet Services, Inc.
- Industry: Hospitality / Adult entertainment nightclubs and sports bar-restaurants
- Location: Houston, Texas
- Incident type: External system breach (hacking) via IDOR vulnerability
- Date of breach: March 19, 2026
- Date breach discovered: March 23, 2026 (network disruption noticed); May 13, 2026 (affected individuals confirmed)
- Date of consumer notification: May 28, 2026
- Total persons affected: 40,178
- Identity theft protection offered: Yes — 12 months of credit monitoring, dark web monitoring, $1 million identity fraud loss reimbursement, and fully managed identity theft recovery services through IDX
- Enrollment deadline: August 28, 2026
- Litigation status: No class action specifically connected to this breach found as of early June 2026; unrelated securities fraud class actions against parent company RCI Hospitality Holdings predate this incident
- Source: Maine AG Filing; SecurityWeek; SC Media; Stock Titan / SEC 8-K
What Should You Do?
If you received a notice from RCI Internet Services, enroll in the complimentary IDX identity protection services before the August 28, 2026 deadline using the enrollment code provided in your letter—visit https://app.idx.us/account-creation/protect or call 1-855-326-3023. Because Social Security numbers, driver’s license numbers, and passport numbers were potentially exposed, consider placing a fraud alert or credit freeze with Equifax, Experian, and TransUnion to help prevent new accounts from being opened in your name. Review your credit reports for any unfamiliar activity at AnnualCreditReport.com, where you can access a free report from each bureau. Monitor your financial and government accounts closely and report any suspected identity theft or fraud to the FTC at IdentityTheft.gov or to your state attorney general.
Your Legal Rights
If your personal information was involved in this breach, you may have legal rights depending on the facts of the incident and the law in your state. Almeida Law Group represents consumers in data breach and privacy litigation and can help you evaluate whether you may have a claim. Contact us at (708) 529-5418 or through our contact page for a free case evaluation.
