McMenamins Data Breach Affects 12 Years of Employee Info

The Pacific Northwest hospitality stalwart is also still operationally crippled by a Dec. 12 ransomware attack.

A ransomware attack on the McMenamins dining and hospitality empire in the Pacific Northwest came along with a data breach covering 12 years of employee data, the organization has confirmed.

The Dec. 12 incident – which some have attributed to the Conti gang – forced McMenamins to shut down various operations, though locations can still receive customers. McMenamins is known for saving and restoring historic buildings throughout Oregon and Washington state and for giving them new lives as eclectic pubs, restaurants, breweries, hotels, movie theaters, concert venues, spas and more. In fact, 20 of its locations are on the National Register of Historic Places.

This week, McMenamins confirmed that the cyberattackers made off with internal employee data for those working for the company between the dates of Jan. 1, 1998 and June 30, 2010. The affected data is a bouillabaisse of classic HR fare: names, addresses, telephone numbers, email addresses, dates of birth, race, ethnicity, gender, disability status, medical notes, performance and disciplinary notes, Social Security numbers, health insurance plan elections, income amounts, and retirement contribution amounts.

Infosec Insiders Newsletter

The data could be sold and/or used for phishing attacks and other social-engineering efforts, identity theft and more.

“It’s possible that the thieves accessed files containing direct-deposit bank account information as well, but McMenamins does not have a clear indication they did so,” the company said in a Dec. 30 notice.

One ray of promise: No customer data was heisted, the company said.

“We’re devastated our people need to do so, but we’re urging them to vigilantly monitor their accounts and healthcare information for anything unusual,” said Brian McMenamin, one of the brothers who own the business, in a press statement. “They should immediately notify their financial institutions or health providers if they see anything out of sort. They should sign up immediately for free monitoring and identity-theft protection. All the information is on our website, and we encourage them to call with any questions.”

McMenamins said that it is offering past and current employees identity and credit-protection services, as well as a dedicated call center to answer questions about the attack. Letters have gone out to notify all affected individuals as well.

Still Not Recovered from December Ransomware Attack

In the wake of the attack, the company was forced to shut down its IT systems, credit-card point-of-sale systems and corporate email to prevent the further spread of the attack. Three weeks later, the company’s operations are still not remediated, it said, including its central phone system, email, credit-card processing, hotel-reservation system and gift-card processing – core functions for a hospitality group.

For now, the company is asking people to delay their hotel bookings or to call properties directly, and it’s using the third-party Dinerware point-of-sale for credit cards.

“It is unknown when the issue will be resolved and systems back up and running,” the organization said. “Given the impacts to the company’s email system, email responses are delayed.”

Brian McMenamin said the breach “is especially disheartening” given its timing after the “strain and hardship” McMenamins’ employees have gone through over the past two years during the pandemic.

McMenamins has reported the incident to the FBI and is also working with a cybersecurity firm to identify the source and full scope of the attack, the company said.

Some sources have attributed the attack to the Russian-speaking Conti gang – a group that Palo Alto Networks has called “one of the most ruthless” and sophisticated ransomware groups out there. Conti is known to ask for unreasonable ransom amounts,  such as the $40 million ransom demand it made of Broward County Public Schools in Fort Lauderdale, Fla., earlier this year. It also has a history of hitting organizations while they’re down, as seen in a May attack on the Irish health service.

It also recently tinkered with its code (and its personnel recruiting) to juice its ability to find and fully destroy backups that victims may otherwise use to restore operations in the wake of a ransomware hit. And, in late December, Conti became one of the first professional gangs to claim a full Log4Shell exploit chain.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.


Suggested articles