McMenamins Tells Employees Personal Information Was Stolen in Ransomware Attack

McMenamins’ historic hotels across Oregon cannot take new reservations online.

McMenamins told its employees in a memo Dec. 21 that much of their personal information was stolen during a ransomware attack the company suffered on Dec. 12.

The memo, which McMenamins shared with WW, reads in part: “We have determined that the hackers did steal certain business records containing the following categories of employee information: name, address, telephone number, email address, date of birth, race, ethnicity, gender, disability status, medical notes, performance and disciplinary notes, Social Security number, health insurance plan election, income amount, and retirement contribution amounts.”

The memo confirmed much of the 2,700 employees’ worst fears: Loads of their personal information is now being held for ransom by a hacker.

“We are working closely with a team of cybersecurity experts, and we have notified the FBI and are cooperating with their investigation,” the company told employees in the memo. “We had security safeguards in place and a dedicated IT group that works to protect our systems and the information on them. Somehow hackers bypassed our security controls, and we are working to figure out how that happened.”

Employees tell WW they’ve received no update from the company since the Dec. 21 memo announcing much of their information had been stolen.

McMenamins told employees there’s no evidence yet that their information has been fraudulently used. The company is providing free identity and fraud protection to its employees for the time being.

Meanwhile, McMenamins’ historic hotels across Oregon cannot take new reservations past January because of the attack, according to employees.

Only two of the nine hotels answered phone calls from WW, and none allowed a voicemail to be left. A receptionist at Hotel Oregon said no reservations could be made past Jan. 8. Edgefield said no reservations could be made at all, and the receptionist said they had no estimate when that might change. Employees, who asked to speak to WW anonymously, corroborated the shutdown of reservations.

A McMenamins operations employee responded to an online inquiry and wrote, “During this down system time, we are doing our best to accommodate reservations into all of January, just nothing beyond for now in hopes that in a week our systems will be back up.”

McMenamins’ offices told WW something slightly different: that they are taking reservations “manually and based on availability through the main telephone number for each hotel” for the next six weeks. Six of the eight historic hotels in Oregon did not answer phone calls from WW on Tuesday.

The company has not paid a ransom, McMenamins told WW, but declined to share any other information.

Brett Callow, a threat analyst at Emsisoft, a security company that specializes in ransomware, says that Conti, the ransomware developer that has claimed responsibility for the McMenamins attack, can be used by parties other than the developer itself. (McMenamins has not yet named who is responsible for the attack.)

This arrangement, he says, is not uncommon.

“The people who create the ransomware aren’t necessarily the people who use it to carry out attacks,” Callow says. “These gangs operate like a multilevel marketing company in that they have affiliates. The affiliates carry out the attacks and work with developers of the ransomware.”

Callow says Conti, believed to be based in Russia, is one of the more active ransomware developers and that its attackers are particularly unscrupulous.

“They’ve been one of the more active ransomware groups for some time. Possibly the most active, in fact. They first emerged in December 2019, and they may be connected to a group known as Ryuk, which was responsible for attacks on big sector attacks like hospitals,” says Callow. “Their targeting is quite indiscriminate. They will go after public- and private-sector organizations, both big and small. Victims include the Scottish Environment Protection Agency and the 4th District Court of Louisiana.”

Callow calls the response to cyberattacks by both state and federal governments “wholly inadequate.”

A 2007 Oregon law requires public and private entities to notify affected individuals of any breach of their personal information within 45 days of discovering the breach or attack, and to report the breach to the Oregon Attorney General’s Office if more than 250 residents were notified. This includes ransomware attacks. It is not clear whether McMenamins has yet done so.

According to an October report by Oregon’s AG office, 131 data breaches had been reported so far in 2021. In all of 2020, 110 data breaches were reported.

Oregon’s disclosure law has a fairly liberal definition of what falls under the umbrella of personal information, but a somewhat narrow definition of what constitutes a breach: the data must have been acquired, not merely accessed, whereas mere access is the threshold in some other states.

“Disclosure laws absolutely need to be strengthened. Disclosure helps us understand what the landscape looks like. If you don’t know how many attacks there are or why they’re happening and succeeding, it’s much harder to work out how to stop them,” Callow says, adding that quelling the rise in attacks will take aggressive action.

Federal lawmakers are trying to tighten those disclosure laws. The Ransom Disclosure Act, introduced in the House of Representatives this October by Sen. Elizabeth Warren, would require certain entities to report any ransom payments to the Department of Homeland Security within 48 hours.

Screenshots of Conti’s site show the hackers making claims about what information they stole from McMenamins. The site gives a short description of McMenamins and states: “The company officially informed Mass Media about cooperation with FBI. Conclusion: In our opinion, company cares more about money and less about customer private information.”

Conti remained active through the holiday. Shutterfly, a California-based digital photography company, was hit by Conti software the day after Christmas.