Dive Brief:
- When recruiting online, employers and HR teams should make sure that any reply address they give job seekers is at a domain the company actually owns and controls.
- That is the lesson Chipotle learned recently, when the restaurant chain sent emails to job applicants using an address at a domain, chipotlehr.com, that it did not own.
- As reported by NakedSecurity and other outlets, Chipotle's mistake led job applicants to send their personal data to an address the company did not control, exposing them to the risk of identity theft and phishing attacks.
Dive Insight:
Here's how it happened. Someone in Chipotle's HR or recruiting department put "[email protected]" on outgoing emails to applicants. The message did say not to reply to that address, but people did anyway, and their replies went into the online equivalent of a black hole: the chipotlehr.com domain was not registered to anyone, so there was no mail server to receive them, and the name was available for anyone to buy.
NakedSecurity reports that Michael Kohlman, an unemployed IT worker, applied for a job at Chipotle, discovered that the chipotlehr.com domain was unregistered, and bought it for $30. He then passed the information along to security blogger Brian Krebs. Kohlman soon began receiving the emails people sent to [email protected], which could have been disastrous had the data reached the wrong hands.
The strangest part of the tale is that Chipotle never owned up to the mistake. In an emailed statement to Krebs, Chipotle said the chipotlehr.com domain was “never functional,” that there has therefore “never been a security risk of any kind associated with this,” and that it is “really a non-issue.”
It would have been quite an issue, NakedSecurity and Krebs pointed out, if someone had bought the domain and started collecting the personal data arriving there, or, worse, replied to job seekers asking for their Social Security numbers, which is phishing. A domain that was "never functional" is precisely the risk: until the company registers it, anyone else can, and the replies go to them.
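The practical check the story calls for is simple: before an outgoing mailing goes out, every email address in it should be at a domain the organization owns, and any other domain should be flagged, with an unregistered one treated as the most urgent finding. The script below is an added example written for this article; it is not code from NakedSecurity, Krebs or Chipotle. The owned-domain list, the sample mailing text and the domain names in it are constructed for illustration, and the liveness check uses the standard library's address lookup (A/AAAA records only) as a best-effort stand-in for a proper MX or WHOIS lookup, so a False result means "investigate", not proof that the name is free. The resolver is injectable so the audit can be run offline or in a test.

```python
"""Audit outgoing mail text for reply addresses at domains the organization does not control."""
import re
import socket
from typing import Callable, Dict, Set

# Matches an e-mail address and captures its domain part.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

# Constructed allow-list of domains the organization actually owns (hypothetical names).
OWNED_DOMAINS = {"acme-example.com"}

# Constructed sample of an HR mailing: one address on an owned domain and one on a
# look-alike "HR" domain that was never registered, the same pattern as chipotlehr.com.
SAMPLE_MAIL = """Thank you for applying to Acme.
This mailbox is not monitored; please do not reply to noreply@acme-hr-example.com.
Questions about your application can be sent to recruiting@careers.acme-example.com.
"""


def extract_domains(text: str) -> Set[str]:
    """Return the lower-cased domain of every e-mail address found in text."""
    return {m.group(1).lower().rstrip(".") for m in EMAIL_RE.finditer(text)}


def domain_resolves(domain: str) -> bool:
    """Best-effort liveness check: does the domain have any A/AAAA record?

    An unregistered domain will fail. A registered domain with only MX records
    and no address record at the apex would also fail, so a False result means
    'investigate', not proof that the name is available to register."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_reply_domains(
    text: str,
    owned: Set[str] = OWNED_DOMAINS,
    resolves: Callable[[str], bool] = domain_resolves,
) -> Dict[str, str]:
    """Classify every e-mail domain in text as owned, third-party or unregistered."""
    findings: Dict[str, str] = {}
    for domain in sorted(extract_domains(text)):
        if domain in owned or any(domain.endswith("." + o) for o in owned):
            findings[domain] = "owned"          # subdomains of an owned domain count as owned
        elif resolves(domain):
            findings[domain] = "third-party"    # someone else already receives replies sent here
        else:
            findings[domain] = "unregistered"   # anyone can register it and start collecting replies
    return findings


if __name__ == "__main__":
    # Live run against real DNS; the sample domains are constructed, so results may vary.
    for domain, status in audit_reply_domains(SAMPLE_MAIL).items():
        print(f"{status:13} {domain}")
```

Both the "third-party" and "unregistered" outcomes should block the mailing: in the first case replies are already landing with a stranger, in the second they will as soon as someone spends $30, which is exactly what happened with chipotlehr.com. In production, replace `domain_resolves` with an MX lookup (for example via dnspython) and a registrar or WHOIS check, and run the audit against the mail templates themselves rather than individual messages.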