Oregon-based venue operator McMenamins said employee data was accessed during a ransomware attack that occurred on December 12.
In a statement, the company explained that even though they managed to “block” the attack, employee information dating back to 1998 was compromised.
The employee files included standard information (name, address, phone number, date of birth, race, disability status, and more) as well as sensitive information (Social Security numbers, bank account information, health insurance plans, income amount, and disciplinary notes).
Breach notification letters were sent to anyone who worked for the company between July 1, 2010 and December 12, 2021, while those employed from January 1, 1998 and June 30, 2010 were only provided with a notice on the company website about options for support.
The hackers gained access to business records, human resources data, and payroll data files, encrypting the data for employees at the company between 1998 and 2010. McMenamins released the public notice on its website because it has lost access to the contact information for those that worked for the company between those years. The company was able to recover the files from 2010 to 2021 and send breach notification letters to those victims.