Over 20 years of employee data leaked during McMenamins ransomware attack

The company said compromised employee records had Social Security numbers, bank account information, and health insurance data.
Written by Jonathan Greig, Contributor

Oregon-based venue operator McMenamins said employee data was accessed during a ransomware attack that occurred on December 12. 

In a statement, the company explained that even though they managed to "block" the attack, employee information dating back to 1998 was compromised. 

The employee files included standard information (name, address, phone number, date of birth, race, disability status, and more) as well as sensitive information (Social Security numbers, bank account information, health insurance plans, income amount, and disciplinary notes). 

Breach notification letters were sent to anyone who worked for the company between July 1, 2010 and December 12, 2021, while those employed between January 1, 1998 and June 30, 2010 were only provided with a notice on the company website about options for support.

The hackers gained access to business records, human resources data, and payroll data files, encrypting the data for employees at the company between 1998 and 2010. McMenamins released the public notice on its website because it has lost access to the contact information for those who worked for the company between those years. The company was able to recover the files from 2010 to 2021 and send breach notification letters to those victims.

The Oregonian reported that McMenamins told the Oregon Department of Justice that 14,861 people were sent breach notification letters, while up to 30,000 people may have had their information involved in the breach. 

"As soon as we realized what was happening, we blocked access to our systems to contain the attack that day. It appears that cybercriminals gained access to company systems beginning on December 7 and through the launch of the ransomware attack on December 12. During this time, they installed malicious software on the company's computer systems that prevented us from using or accessing the information they contain," the company said in a notice on their website. 

The company -- which runs dozens of hotels, bars, movie theaters, concert venues, restaurants, and more across the Pacific Northwest -- said it is offering victims one year of identity theft protection and credit monitoring services. 

McMenamins is still recovering from the attack and noted on its website that email systems are still down. The company contacted the FBI, local law enforcement, and the Attorneys General of Oregon and Washington to notify them of the attack. It has already hired a cybersecurity firm to help with the recovery process.

The company's properties are still open, but its credit card processing and hotel reservation systems were affected. Guests at its hotels have been asked to call to manage bookings. No customer or partner data was involved in the attack, according to the company.

They said it is unclear when their systems will be fully back up and running. 

Bleeping Computer reported in December that the Conti ransomware group was behind the attack on McMenamins. Both CISA and the FBI said in September that they had seen more than 400 attacks involving Conti's ransomware targeting US organizations as well as international enterprises.

"We're devastated our people need to do so, but we're urging them to vigilantly monitor their accounts and healthcare information for anything unusual. They should immediately notify their financial institutions or health providers if they see anything out of sort," said company founder Brian McMenamin. 
