Wow. Read on to learn the extent of their incredible ineptitude. They apparently have no problem with:
- Sending mail with a return address that nobody owns
- Sending out official HR mail with a bogus return address
- When informed that this is a security problem (and that some third party has registered the domain and is actively receiving mail intended for Chipotle HR), they still don't care, because it's supposed to be a bogus return address.
- When the person who registered the domain offered to give it to them for free, they declined
You would think that somebody somewhere in their IT department would see this as a problem, but apparently not.
Krebs links to another article from 2008 about someone who registered donotreply.com in order to capture all the mail sent to what corporations assume to be a bogus domain. Some of the mail captured has been highly sensitive business and financial information. All because a company can't be bothered to use a real mailbox (or at least their own domain) as a return address in their outbound e-mail.
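The underlying mistake in both stories is the same: an outbound mail system stamps a From, Reply-To or Return-Path address on a domain the organization does not control, so whoever registers that domain collects the replies and bounces. One cheap defensive check is to lint outbound messages (or templates) so that every sender-side address sits on a domain you own. The following is an added example, not code from the original post or from any company mentioned in it; the sample messages, the `.invalid` placeholder domain and the `example.com` allowlist are all constructed for the demonstration.

```python
import email
from email.utils import getaddresses

# Headers that decide where replies and bounces for an outbound message end up.
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

# Constructed sample outbound HR notice: every sender-side address uses a
# domain the organisation does not control (placeholder name, not a real domain).
SAMPLE_MESSAGE = """\
Return-Path: <bounce@hr-noreply-placeholder.invalid>
From: "HR Department" <hr@hr-noreply-placeholder.invalid>
Reply-To: donotreply@hr-noreply-placeholder.invalid
To: employee@example.com
Subject: Benefits enrollment

Your enrollment details follow.
"""

# Constructed version of the same notice with sender addresses on an owned domain.
FIXED_MESSAGE = """\
Return-Path: <bounces@example.com>
From: "HR Department" <hr@example.com>
Reply-To: hr@example.com
To: employee@example.com
Subject: Benefits enrollment

Your enrollment details follow.
"""

# Assumed allowlist: the domains this organisation actually owns.
OWNED_DOMAINS = {"example.com"}


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address, or None if malformed."""
    local, sep, domain = address.rpartition("@")
    return domain.lower() if sep and local and domain else None


def is_owned(domain, owned_domains):
    """True if domain equals an owned domain or is a subdomain of one (case-insensitive)."""
    domain = domain.lower()
    return any(domain == d.lower() or domain.endswith("." + d.lower())
               for d in owned_domains)


def audit_sender_domains(raw_message, owned_domains):
    """Map each present sender-side header to a list of (address, owned?) tuples."""
    msg = email.message_from_string(raw_message)
    report = {}
    for header in SENDER_HEADERS:
        values = msg.get_all(header, [])
        if not values:
            continue
        entries = []
        for _display_name, addr in getaddresses(values):
            domain = domain_of(addr)
            owned = domain is not None and is_owned(domain, owned_domains)
            entries.append((addr, owned))
        report[header] = entries
    return report


def unowned_senders(raw_message, owned_domains):
    """Sorted, de-duplicated sender-side addresses whose domain is not on the allowlist."""
    report = audit_sender_domains(raw_message, owned_domains)
    return sorted({addr for entries in report.values()
                   for addr, owned in entries if not owned})


if __name__ == "__main__":
    for label, raw in (("bogus", SAMPLE_MESSAGE), ("fixed", FIXED_MESSAGE)):
        bad = unowned_senders(raw, OWNED_DOMAINS)
        status = "OK" if not bad else "unowned sender domains: " + ", ".join(bad)
        print(f"{label}: {status}")
```

Running it flags all three sender-side addresses in the bogus notice and passes the fixed one. The subdomain rule means a dedicated `noreply.example.com` host is accepted, which is the right way to get a "do not reply" address: put it on a subdomain you control (and can therefore monitor or route to a bounce handler) rather than on a domain nobody at the company has registered.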
If it weren't real, it would be really funny.