Ransomware Attack on McMenamins Systems May Compromise Personal Information of Employees

“Just in case, if you try to ignore us, we’ve downloaded a pack of your internal data.”

Hillsdale Brewery and Public House. (Julian Alexander)

Portland dining and hotel chain McMenamins suffered a ransomware attack on Sunday, and the company warned its employees that much of their personal information—including Social Security numbers, addresses, and bank account numbers stored in its systems—may be compromised.

The ransomware group that attacked McMenamins is called Conti, which only emerged in 2020.

A message from the owners of McMenamins to employees Dec. 15 conceded much was still unknown about the severity of the attack.

“We are acting cautiously and operating under the assumption that the attackers could have accessed or copied electronic files containing the following categories of employee information: name, address, telephone number, email address, Social Security number, date of birth, bank account number for direct deposit, income/wages records, and benefits information, such as retirement plan contributions and health insurance plan election,” the company wrote.

A message from the ransomware company that popped up on McMenamins’ point of sales computers, according to employees, read in part: “All of your files are currently encrypted by CONTI strain. As you know...all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software—the files might be damaged, so if you are willing to try it—try it on the data of the lowest value.”

A screenshot of the message, in typewriter font, was shared with WW.

While Conti does not mention directly an exchange of money in its message, ransomware groups typically withhold stolen information until the owner pays a ransom.

The message continued: “Just in case, if you try to ignore us, we’ve downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.”

Conti Ransomware, according to the FBI, sends emails, often with an Excel sheet or other links or attachments, tempting users to click on the various attachments. Once clicked, Conti deploys malignant malware into the computer system.

McMenamins is offering all workers an identity and credit protection service.

“We have retained an experienced cybersecurity investigation firm to support these efforts and our efforts to enhance our security. We have reported the incident to the FBI and are cooperating with their investigation,” the company added.

McMenamins did not immediately respond to WW’s questions.

Willamette Week’s reporting has concrete impacts that change laws, force action from civic leaders, and drive compromised politicians from public office. Support WW's journalism today.