McMenamins Tells Employees Personal Information Was Stolen in Ransomware Attack
McMenamins told its employees in a memo on Dec. 21 that much of their personal information was stolen during a ransomware attack the company suffered on Dec. 12.
The memo, which McMenamins shared with WW, reads in part: “We have determined that the hackers did steal certain business records containing the following categories of employee information: name, address, telephone number, email address, date of birth, race, ethnicity, gender, disability status, medical notes, performance and disciplinary notes, Social Security number, health insurance plan election, income amount, and retirement contribution amounts.”
The memo confirmed many of the 2,700 employees’ worst fears: loads of their personal information is now being held for ransom by a hacker.
“We are working closely with a team of cybersecurity experts, and we have notified the FBI and are cooperating with their investigation,” the company told employees in the memo. “We had security safeguards in place and a dedicated IT group that works to protect our systems and the information on them. Somehow hackers bypassed our security controls, and we are working to figure out how that happened.”
Employees tell WW they’ve received no update from the company since the Dec. 21 memo announcing much of their information had been stolen.
McMenamins told employees there’s no evidence yet that their information has been fraudulently used. The company is providing free identity and fraud protection to its employees for the time being.
Meanwhile, McMenamins’ historic hotels across Oregon are unable to take new reservations past January because of the attack, according to employees.
Only two of the nine hotels answered phone calls from WW, and none enabled a voicemail to be left. A receptionist at Hotel Oregon said that no reservations could be made past January 8. Edgefield said no reservations could be made at all, and the receptionist said they had no estimate when that might change. Employees, who asked to speak to WW anonymously, corroborated the shutdown of reservations.
A McMenamins operations employee responded to an online inquiry and wrote that “During this down system time, we are doing our best to accommodate reservations into all of January, just nothing beyond for now in hopes that in a week our systems will be back up.”
McMenamins did not immediately respond to WW’s follow-up questions.
Brett Callow, a cybersecurity expert and threat analyst who works with Emsisoft, a security company that specializes in ransomware, says Conti, the ransomware developer that’s claimed responsibility for the McMenamins attack, can be used by parties other than the developer itself. (McMenamins has not yet named who’s responsible for the attack.)
This technique, he says, is not uncommon.
“The people who create the ransomware aren’t necessarily the people who use it to carry out attacks,” Callow says. “These gangs operate like a multi-level marketing company in that they have affiliates. The affiliates carry out the attacks, and work with developers of the ransomware.”
Callow says Conti, believed to be based in Russia, is one of the more active ransomware developers, and that its attackers are particularly unscrupulous.
“They’ve been one of the more active ransomware groups for some time. Possibly the most active, in fact. They first emerged in December 2019, and they may be connected to a group known as Ryuk, which was responsible for attacks on big sectors like hospitals,” says Callow. “Their targeting is quite indiscriminate. They will go after public and private sector organizations, both big and small. Victims include the Scottish Environment Protection Agency and the Fourth District Court of Louisiana.”
Callow calls the response to cybersecurity attacks by both state and federal governments “wholly inadequate.”
“Disclosure laws absolutely need to be strengthened. Disclosure helps us understand what the landscape looks like. If you don’t know how many attacks there are or why they’re happening and succeeding, it’s much harder to work out how to stop them,” Callow says, adding that quelling the increasing attacks will take aggressive action.
Federal lawmakers are trying to tighten up those disclosure laws. The Ransom Disclosure Act, introduced to the House of Representatives this October by Sen. Elizabeth Warren, would require certain entities to report any ransom payments within 48 hours to the Department of Homeland Security.
Screenshots of Conti’s site show the hackers making claims about what information they stole from McMenamins. The site lists a short description of McMenamins and writes: “The company officially informed Mass Media about cooperation with FBI. Conclusion: In our opinion, company cares more about money and less about customer private information.”
Conti remained active through the holiday. Shutterfly, a California-based digital photography company, was hit by Conti software the day after Christmas.