Cybersecurity incident at RCI Hospitality (NASDAQ: RICK) hits contractor data

Rhea-AI Filing Summary

RCI Hospitality Holdings reports that subsidiary RCI Internet Services discovered a cybersecurity incident on March 23, 2026, which began on March 19, 2026. An insecure direct object reference vulnerability on its IIS web server allowed unauthorized access to personal data for numerous independent contractors.

Exposed information includes names, contact details, dates of birth, Social Security numbers, and driver’s license numbers, while customer information and financial systems were not accessed. The company has strengthened security by expanding multifactor authentication and disabling external IIS access, and believes the event will not have a material adverse effect on its business, supported in part by cybersecurity insurance coverage.

8-K Event Classification

2 items: 8.01, 9.01

2 items

Item 8.01 Other Events Other

Voluntary disclosure of events the company deems important to shareholders but not covered by other items.

Item 9.01 Financial Statements and Exhibits Exhibits

Financial statements, pro forma financial information, and exhibit attachments filed with this report.

Key Figures

Incident start date: March 19, 2026 Incident discovery date: March 23, 2026 Investigation conclusion date: April 7, 2026 +1 more

4 metrics

Incident start date March 19, 2026 Cybersecurity incident commencement at RCI Internet Services

Incident discovery date March 23, 2026 Date the company discovered the cybersecurity incident

Investigation conclusion date April 7, 2026 Date the company’s investigation into the incident concluded

Par value per share $0.01 par value Common stock par value listed for Nasdaq Global Market

Key Terms

cybersecurity incident, insecure direct object reference, internet information services (IIS) web server, multifactor authentication, +1 more

5 terms

cybersecurity incident technical

"RCI Internet Services, Inc., a subsidiary ... discovered on March 23, 2026 that it sustained a cybersecurity incident"

A cybersecurity incident is an event where someone's computer systems or data are attacked or broken into without permission. It matters because it can lead to stolen information, financial loss, or disruptions in services, similar to a break-in at a store that damages property or steals valuable items.

insecure direct object reference technical

"the Company learned that a potential insecure direct object reference vulnerability was present"

internet information services (IIS) web server technical

"vulnerability was present on its internet information services (“IIS”) web server"

multifactor authentication technical

"the Company promptly enhanced its technical security posture, including expanding the use of multifactor authentication"

Multifactor authentication is a security method that requires users to prove their identity with two or more different checks—something they know (like a password), something they have (like a phone or code generator), or something they are (like a fingerprint). For investors, it matters because it greatly lowers the risk of unauthorized access to trading accounts, corporate systems, or sensitive financial records; that protection helps prevent theft, operational disruptions, regulatory fines and damage to shareholder value.

cybersecurity insurance policy financial

"The Company maintains a comprehensive cybersecurity insurance policy, which covers costs associated with the incident response"

A cybersecurity insurance policy is a type of protection that helps organizations cover the costs associated with digital security breaches, such as hacking or data theft. It acts like an insurance plan for a company's online safety, providing financial support to recover from cyberattacks. For investors, it signals that a company is managing digital risks, which can be important for its stability and reputation.

Understanding 8-K Material Events →

FALSE000093541900009354192026-04-072026-04-07

United States

Securities and Exchange Commission

Washington, D.C. 20549

FORM 8-K

Current Report

Pursuant to Section 13 or 15(d) of

The Securities Exchange Act of 1934

Date of Report (Date of earliest event reported): April 7, 2026

RCI HOSPITALITY HOLDINGS, INC.

(Exact Name of Registrant as Specified in Its Charter)

Texas			001-13992			76-0458229
(State or Other Jurisdiction of Incorporation)			(Commission File Number)			(IRS Employer Identification No.)

10737 Cutten Road

Houston, Texas 77066

(Address of Principal Executive Offices, Including Zip Code)

(281) 397-6730

(Issuer’s Telephone Number, Including Area Code)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

o			Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)
o			Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a -12)
o			Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d -2(b))
o			Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e -4(c))

Securities registered pursuant to Section 12(b) of the Act:

Title of each class

Trading Symbol(s)

Name of each exchange on which registered

Common stock, $0.01 par value

RICK

The Nasdaq Global Market

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

Emerging growth company o

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. o

ITEM 8.01 OTHER EVENTS

RCI Internet Services, Inc., a subsidiary of RCI Hospitality Holdings, Inc., (the “Company”), recently discovered on March 23, 2026 that it sustained a cybersecurity incident starting March 19, 2026. The incident did not impact the business operations of the Company.

Upon detecting the incident, the Company promptly took steps to investigate and respond with the assistance of third-party cybersecurity firms. As the investigation concluded on April 7, 2026, the Company learned that a potential insecure direct object reference vulnerability was present on its internet information services (“IIS”) web server. To remediate, the Company promptly enhanced its technical security posture, including expanding the use of multifactor authentication and disabling external access to the IIS. As a result of this incident, the Company believes that certain personal information, including names and contact information, dates of birth, social security numbers, and driver’s license numbers, with respect to numerous independent contractors was accessed without authorization. To the Company’s knowledge, the unauthorized actor has not publicly disseminated the data. None of our customer information or financial systems were accessed. The Company is continuing to review the impacted data and will provide the required notifications to affected parties and applicable regulatory entities.

As of the date of this filing, the Company believes that the incident will not have a material adverse effect on its business operations. The Company continues to investigate the incident and will incur expenses in the fiscal year directly and indirectly related to the event. The Company maintains a comprehensive cybersecurity insurance policy, which covers costs associated with the incident response, investigatory and remediation expense, potential regulatory action, business interruption, and costs associated with investigating, defending, and resolving legal proceedings related to the incident, subject to deductibles, exclusions and limits.

Forward-Looking Statements.

The information included in this Item 8.01 contains forward-looking statements within the meaning of U.S. Private Securities Litigation Reform Act of 1995, including, without limitation, statements regarding the extent and potential impact of the cybersecurity incident, the means by which the unauthorized third-party accessed the internal IT system, the nature of data that may have been copied, the notification of affected parties and applicable regulatory agencies, the potential effect on our financial condition and results of operations, and the expected cybersecurity insurance policy coverage. The forward-looking statements in this Form 8-K are subject to risks and uncertainties that could cause actual results and events to differ materially from those anticipated in these forward-looking statements.

Factors that might cause actual results to differ materially from those anticipated in forward-looking statements include, but are not limited to, our ongoing assessment of the impacts of the cybersecurity incident, including the potential discovery of additional information related to the incident in connection with our ongoing investigation or otherwise; our ability to remediate the cybersecurity incident; the impact of the cybersecurity incident on our relationships with employers, employees, independent contractors and governmental regulators; the legal, reputational, and financial risks resulting from the cybersecurity incident, including as may arise from any potential regulatory inquiries and/or litigation to which we may become subject in connection with the incident; remediation and other additional costs that we may incur in connection with the investigation and remediation of the incident; and the risks and uncertainties discussed in our other periodic filings with the Securities and Exchange Commission (“SEC”), including our Annual Report on Form 10-K for the fiscal year ended September 30, 2025 and other Quarterly Reports on Form 10-Q and Current Reports on Form 8-K filed with the SEC, available at www.sec.gov, under the caption “Risk Factors” and elsewhere. The Company does not undertake any obligation to update any forward-looking statements to reflect new information or events or circumstances occurring after the date of this Form 8-K, except as may be required by applicable law.

ITEM 9.01 FINANCIAL STATEMENTS AND EXHIBITS

(d) Exhibits

Exhibit Number						Description
104						Cover Page Interactive Data File (embedded within the Inline XBRL document)

2

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

			RCI HOSPITALITY HOLDINGS, INC.
Date: April 10, 2026			By:			/s/ Travis Reese
						Travis Reese
						Interim President and Chief Executive Officer

3

FAQ

What happened in RCI Hospitality (RICK)'s reported cybersecurity incident?

RCI Hospitality reported a cybersecurity incident at subsidiary RCI Internet Services starting March 19, 2026. An IIS web server vulnerability allowed unauthorized access to certain independent contractors’ personal data, though business operations continued and customer information and financial systems were not accessed, according to the company.

What type of data was accessed in RCI Hospitality (RICK)'s cyber event?

The company believes unauthorized parties accessed personal information for numerous independent contractors, including names, contact information, dates of birth, Social Security numbers, and driver’s license numbers. It states that no customer information or internal financial systems were accessed during the cybersecurity incident.

How did RCI Hospitality (RICK) respond technically to the cybersecurity incident?

After detecting the incident on March 23, 2026, the company engaged third-party cybersecurity firms, identified an insecure direct object reference vulnerability on its IIS web server, expanded use of multifactor authentication, and disabled external access to the IIS environment as part of its remediation steps.

Will RCI Hospitality (RICK)'s cybersecurity incident affect its operations?

RCI Hospitality states the cybersecurity incident did not impact its business operations and, as of the filing date, it believes the event will not have a material adverse effect on operations, although it expects to incur related expenses during the fiscal year.

Does RCI Hospitality (RICK) have insurance for the cybersecurity incident?

The company maintains a comprehensive cybersecurity insurance policy that covers incident response, investigation, remediation, potential regulatory actions, business interruption, and costs of investigating, defending, and resolving legal proceedings related to the event, subject to applicable deductibles, exclusions, and policy limits.

How is RCI Hospitality (RICK) handling notifications after the cyber incident?

RCI Hospitality is reviewing impacted data and plans to provide required notifications to affected independent contractors and applicable regulatory entities. The company also notes that, to its knowledge, the unauthorized actor has not publicly disseminated the accessed personal information.

Filing Exhibits & Attachments

3 documents

Other Documents

• EX-101 XBRL TAXONOMY EXTENSION SCHEMA DOCUMENT 1.7 KB
• EX-101 XBRL TAXONOMY EXTENSION LABEL LINKBASE DOCUMENT 21.1 KB
• EX-101 XBRL TAXONOMY EXTENSION PRESENTATION LINKBASE DOCUMENT 12.2 KB