RCI Nightclub Breach Exposes 40K Contractor Records: IDOR Flaw Fuels Identity Theft Surge in Adult Entertainment Sector
RCI's IDOR breach risks identity theft for 40K contractors; missed contractor privacy angles and sector patterns amplify fraud threats.
The RCI Hospitality Holdings breach, confirmed to Maine regulators this week, stems from a March 23 insecure direct object reference (IDOR) vulnerability in an IIS web server that exposed names, SSNs, driver's licenses, and DOBs for roughly 40,000 independent contractors, primarily adult nightclub performers. Beyond the SecurityWeek reporting, this incident highlights a pattern of lax third-party vendor security in the hospitality-entertainment nexus, where contractors' data is often handled in a fragmented way, unlike that of full-time employees. Set against the 2023 23andMe breach (impacting 6.9 million users via credential stuffing) and Charter Communications' exposure of nearly 5 million records, it shows similar vectors, such as unpatched web apps, recurring across consumer-facing industries. RCI's delayed May 13 file review and FBI notification suggest underinvestment in real-time monitoring, amplifying risks for a workforce already vulnerable to stalking or doxxing due to their public-facing roles. The exposure creates immediate personal risk of identity theft or fraud, as exposed SSNs enable instant account takeovers and synthetic identities. The original coverage underplays how such breaches in adult sectors evade ransomware attribution yet feed underground markets for PII; no evident actor has claimed responsibility, as typical groups do. Broader patterns from Verizon DBIR reports indicate entertainment firms suffer 2x higher breach rates from misconfigurations than finance firms, underscoring RCI's failure to implement basic access controls as a systemic governance lapse rather than an isolated error.
SENTINEL: Expect a 20-30% rise in synthetic identity fraud claims from this cohort within 12 months, as contractor data hits dark web forums without targeted monitoring.
Sources (3)
- [1] Primary Source: https://www.securityweek.com/nightclub-giant-rci-says-data-breach-affects-40000-individuals/
- [2] Related Source: https://www.securityweek.com/23andme-breach-california-lawsuit/
- [3] Related Source: https://www.verizon.com/business/resources/reports/dbir/