McMenamins, Inc. faces a proposed class action over a December 2021 data breach that may have compromised the sensitive personal information of thousands of current and former employees.
The 50-page lawsuit claims inadequate data security is to blame for the ransomware attack that crippled the brewery, music venue and hotel operator’s system around December 12 last year. Per the suit, the information exposed in the breach included current and former employees’ names, physical and email addresses, telephone numbers, dates of birth, disability status, Social Security numbers, health insurance information, medical notes and bank account details.
The complaint contends that McMenamins’ failure to protect consumers’ information from unauthorized exposure will cause them to suffer “a slew of harms,” including fraudulent charges, identity theft and targeted advertising, in the coming months and years.
The plaintiff, who worked for the defendant between 2015 and 2019, says he would have never provided his personally identifiable information to the company had he known it would be inadequately protected.
McMenamins operates a chain of brewpubs, breweries, music venues, historic hotels and theater pubs throughout Oregon and Washington, according to the suit. Per the case, McMenamins employs thousands of people and is obligated to protect their personal information from unauthorized access.
The lawsuit alleges, however, that McMenamins learned in December 2021 that it had been the victim of a ransomware attack during which unauthorized parties gained access to files containing the private information of employees who worked for the company as far back as January 1, 1998. The case claims the breach was the result of McMenamins’ failure to implement basic data security measures recommended by the U.S. government and Microsoft Threat Protection Intelligence Team.
“These are basic, practical email security measures that every business, not only those who handle sensitive financial information, should be doing. McMenamins should be doing even more. But by adequately taking these common-sense solutions, McMenamins could have prevented this Data Breach from occurring.”
Per the complaint, McMenamins has yet to disclose an estimate of how many people were affected by the breach or explain its delay in notifying victims. The plaintiff says he didn’t receive the “woefully deficient” notice of the breach until the first week of January 2022.
“Defendant offered no explanation for the delay between the initial discovery of the Breach and the belated notification to affected employees, which resulted in Plaintiff and class members suffering harm they otherwise could have avoided had a timely disclosure been made,” the suit charges.
Moreover, the lawsuit claims the defendant’s offer of 12 months of Experian IdentityWorks credit monitoring does not guarantee the safety of proposed class members’ data and requires the disclosure of additional information that McMenamins “had just demonstrated it could not be trusted with.”
Consumers whose information was exposed in the breach are now more likely to become victims of identity theft and may face damages for years, the suit alleges.
The lawsuit looks to represent anyone whose private information was inputted into McMenamins’ system and compromised as a result of the data breach discovered in December 2021 and who was sent notice of the breach, which includes those who worked for the defendant between July 30, 2010 and December 12, 2021. The suit also proposes to cover individuals whose data was compromised in the breach but did not receive a notice letter, which includes those who worked for McMenamins between January 1, 1998 and June 30, 2010.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Camp Lejeune residents now have the opportunity to claim compensation for harm suffered from contaminated water.