McMenamins Faces Class Action Suit Over Data Breach

Jason Kaplan
Brian McMenamin (left) and brother Mike at their Edgefield brewpub

The hotel and brewpub chain is facing a legal complaint on behalf of employees, and a personal injury law firm says it’s investigating the effects of a December data breach on customers.

Share this article!

The Oregon-based hotel and brewpub chain McMenamins is facing a class action lawsuit over a 2021 data breach that may have compromised the personal information of more than 20,000 current and former employees. Separately, a personal injury law firm says it’s investigating the breach’s impact on customers.

The lawsuit was filed Jan. 28 in federal court in the U.S. District of Washington. Former McMenamins employee Andrew Leonard is named as the primary plaintiff, filing on behalf of individuals who worked for McMenamin’s between Jan. 1, 1998 and Dec. 12, 2021, according to a copy of the complaint at, a legal news website that reported on the case that day.

In December McMenamins announced it had become the victim of a ransomware attack, which exposed current and former employees’ personal information, including names, home addresses, phone and Social Security numbers, health information, email addresses and bank account information included on direct deposit forms. 

According to the legal complaint, Leonard worked for the hospitality chain between 2015 and 2019. The lawsuit seeks to represent anyone whose private information was stored in McMenamins’ compromised computer systems.

The suit alleges that McMenamins waited an unacceptable amount of time before contacting employees whose data were compromised — and says Leonard was not notified of the breach until January of this year. 

After the breach, McMenamins offered 12 months of Experian IdentityWorks credit for employees whose information was exposed. The lawsuit claims this was insufficient restitution for the damages and says McMenamins failed to take adequate security measures to protect employees’ financial data. 

The suit includes a list of “basic, practical email security measures that every business, not only those who handle sensitive financial information, should be doing,” including using and maintaining preventive software programs, including IT staff in security conversations and hardening the IT infrastracture. “McMenamins should be doing even more. But by adequately taking these common-sense solutions, McMenamins could have prevented this Data Breach from occurring.”

The suit says victims are entitled to compensatory damages but does not name a dollar amount.

McMenamins declined to comment for this story.

The complaint lists two law firms as counsel for the plaintiffs: Seattle-based Breskin Johnson & Townsend and Migliaccio & Rathod, based in Washington, D.C. OBM was not able to reach either firm. A press release issued by the latter in December and updated last week includes a questionnaire for employees who may have been affected by the breach.

Also in January, Console & Associates, a New Jersey-based personal injury firm, announced that it is investigating a potential class action lawsuit to determine the breach’s impact on consumers.

“It’s easy to place all the blame for a data breach on the person who hacks into an organization’s system; however, this ignores the legal and moral obligation that these companies owe to customers. When someone gives a company their business, they trust that the information in the organization’s possession will remain private—and out of the hands of criminals. While protecting consumer data requires a business to undergo some effort and expense, in our current environment of widespread hacking, this is a cost of doing business that all organizations must take seriously,” said attorney Richard Console in the firm’s press release.

To subscribe to Oregon Business, click here.