Tuesday, November 17, 2015

Krebs on Security: Chipotle Serves Up Chips, Guac & HR Email

Chipotle Serves Up Chips, Guac & HR Email
Brian Krebs, November 15, 2015

The restaurant chain Chipotle Mexican Grill seems pretty good at churning out huge numbers of huge burritos, but the company may need to revisit some basic corporate cybersecurity concepts. For starters, Chipotle’s human resources department has been replying to new job applicants using the domain "chipotlehr.com" — a Web site name that the company has never owned or controlled.

Translation: Until last week, anyone could have read email destined for the company’s HR department just by registering the domain "chipotlehr.com". Worse, Chipotle itself has inadvertently been pointing this out for months in emails to everyone who’s applied for a job via the company’s Web site.

Wow. Read on to learn the extent of their incredible ineptitude. They apparently have no problem with:

  • Sending mail with a return address at a domain that nobody owns
  • Sending out official HR mail with a bogus return address
  • When informed that this is a security problem (and that a third party has registered the domain and is actively receiving mail intended for Chipotle HR), still not caring, because it is supposed to be a bogus return address
  • Declining the domain when the person who registered it offered to hand it over for free

You would think that somebody somewhere in their IT department would see this as a problem, but apparently not.

Krebs links to another article from 2008 about someone who registered donotreply.com in order to capture all the mail sent to what corporations assume to be a bogus domain. Some of the mail captured has been highly sensitive business and financial information. All because a company can't be bothered to use a real mailbox (or at least their own domain) as a return address in their outbound e-mail.
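The fix for both stories is the same: never let outbound mail carry a return address at a domain you do not control. As an added example (not from Krebs or the post), here is a small audit over raw message headers that flags any From, Reply-To, Sender or Return-Path address whose domain is not one the organisation owns; the domain names and the sample message are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Domains the organisation actually controls (constructed for this example).
OWNED_DOMAINS = {"example-grill.com"}
# Headers that tell a recipient or an MTA where replies and bounces go.
RETURN_HEADERS = ("From", "Reply-To", "Sender", "Return-Path")


def domain_of(address):
    """Lower-cased domain of an address, or None if it has no usable domain."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def is_owned(domain, owned=OWNED_DOMAINS):
    """True if domain is a controlled domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in owned)


def audit_message(raw, owned=OWNED_DOMAINS):
    """Return (header, address, reason) for every return address whose
    domain the organisation does not control; an empty list means clean."""
    msg = message_from_string(raw)
    findings = []
    for header in RETURN_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if not addr:
                continue
            dom = domain_of(addr)
            if dom is None:
                findings.append((header, addr, "malformed address"))
            elif not is_owned(dom, owned):
                findings.append((header, addr, "uncontrolled domain " + dom))
    return findings


# Constructed sample: the From is fine, but replies are steered to a
# look-alike domain that nobody at the company registered.
SAMPLE = """From: HR Team <hr@example-grill.com>
Reply-To: HR Team <careers@example-grillhr.com>
To: applicant@example.net
Subject: Thanks for applying

We received your application and will be in touch.
"""

if __name__ == "__main__":
    for header, addr, reason in audit_message(SAMPLE):
        print(f"{header}: {addr} -> {reason}")
```

Run this over a sample of messages leaving the HR or marketing mail pipeline; a single finding like the Reply-To above is the configuration mistake the article describes.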

If it weren't real, it would be really funny.
