Employees of McMenamins Dating Back to 1998 Had Personal Data Stolen During Ransomware Attack

Information stolen includes Social Security numbers, names, addresses, disability status and medical notes.

Employees who worked for McMenamins dating as far back as 1998 had their data stolen during a ransomware attack on the company that took place Dec. 12.

“McMenamins confirmed internal employee data dating back to January 1, 1998, was compromised in the malicious ransomware attack it blocked Dec. 12,” McMenamins said in a statement. “Stolen data potentially included: names, addresses, telephone numbers, email addresses, dates of birth, race, ethnicity, gender, disability status, medical notes, performance and disciplinary notes, Social Security numbers, health insurance plan elections, income amounts, and retirement contribution amounts.”

That means that people who worked for McMenamins more than two decades ago had their personal information stolen during a ransomware attack—and McMenamins no longer has contact information for employees before 2010.

“It is unknown when the issue will be resolved and systems back up and running,” the company said. “Past employees between January 1, 1998, and June 30, 2010, are urged to visit the company’s website for support and detailed instructions on how to protect their data.”

McMenamins is offering free identity theft protection services to employees dating back to 2010.

Conti, a ransomware developer, has taken credit for the attack on McMenamins—though the Conti ransomware can be deployed by third parties and not just the developer itself.

“The people who create the ransomware aren’t necessarily the people who use it to carry out attacks,” says cybersecurity specialist Brett Callow, who works for the security company Emsisoft. “These gangs operate like a multilevel marketing company in that they have affiliates. The affiliates carry out the attacks and work with developers of the ransomware.”

Callow says Conti, believed to be based in Russia, is one of the more active ransomware developers and that its attackers are particularly unscrupulous.

“They’ve been one of the more active ransomware groups for some time. Possibly the most active, in fact,” says Callow. “Their targeting is quite indiscriminate. They will go after public- and private-sector organizations, both big and small.”

Last week, WW reported that McMenamins hotel bookings had been obstructed by the ransomware attack, as had email and phone systems, and that employee information was confirmed to have been stolen. At the time, it was assumed that only the information of McMenamins’ 2,700 current employees had been stolen.

A McMenamins spokesperson tells WW that as of Jan. 3, no payment had been made to the attackers.

Willamette Week’s reporting has concrete impacts that change laws, force action from civic leaders, and drive compromised politicians from public office. Support WW's journalism today.