When it comes to cybersecurity, when are companies going to learn?
Now comes word that Chipotle’s human resources domain name was a big zero in the security game. As first reported on the KrebsonSecurity blog, Chipotle was using the domain name chipotlehr.com in its bounce-back messages to candidates. Problem is, the company never owned the domain, so anyone could have bought it. And, guess what, someone did.
His name is Michael Kohlman, and he’s an out-of-work IT expert.
But don’t get the wrong idea; Kohlman isn’t the bad guy here. He applied for a job at Chipotle, he told KrebsonSecurity, to meet his unemployment requirements, and got an automated response from the company.
He replied to the email, email@example.com, as many people would, and got an “undeliverable” bounce-back message. After some investigating, he realized the domain was available for purchase, so he bought it for a reported $30 and started receiving emails meant for Chipotle’s HR staff. He offered to give the domain to Chipotle for free, but the company declined, according to Brian Krebs, the author of the blog. Now if you go to chipotlehr.com, it says: “This is NOT the Chipotle Human Resources Page.”
Compounding the problem is that Chipotle apparently doesn’t think this is a problem.
Krebs reports that a Chipotle spokesman responded in a written statement: Chipotlehr.com “never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this. That address is being changed to careers.chipotle.com (a domain that we do own), but this has never been functional and is really a nonissue.”
Um, big risks.
As you know, not all applicants follow directions. In Chipotle’s bounce-back email, it says to “Click here” for application status rather than responding to the email, but I've got news for you: There are lots of people who reply no matter what.
It’s convenient to do so, and the worst that can happen is the email doesn’t get read. Wait, that’s not the worst. The worst is that the email could go to someone who wants to steal information.
What the Chipotle spokesman and, evidently, Chipotle itself fail to realize is that anyone who owns the domain name could have pretended to be a Chipotle HR representative. It’s called phishing.
Just imagine an email from a “Chipotle HR representative”: “Thank you for your email, John. We are very interested in you as a candidate, but before we can move forward, we need just a little more information. You can go to our secure website by clicking here.” Even if only 1 percent of people fall for it, that could cause major problems for applicants and, of course, the company’s reputation. That’s a PR nightmare nobody wants on their hands.
The lesson here for HR is clear: If you’re using a domain name in your automatic responses to applicants, make sure you own it. If not, get your IT person on the phone ASAP. Don’t let the chips fall where they may.
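One way to turn that lesson into a routine check, as an added example that is not from the article, from Chipotle or from KrebsOnSecurity: parse an outbound HR template, pull every domain an applicant could reply to or click on (sender headers, mailto-style addresses and links in the body), and flag any that are not in the organisation's inventory of registered domains. The template, the `OWNED_DOMAINS` inventory and the `hr-example.net` placeholder domain are all constructed for the example.

```python
"""Added example: audit an automated HR reply for domains the organisation
does not own. Nothing here is Chipotle's code; all names are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed inventory of domains the organisation actually registers and
# controls. In practice this comes from the registrar account or an asset
# inventory, not a hard-coded set.
OWNED_DOMAINS = {"example.com", "careers.example.com"}

# Constructed automated reply. "hr-example.net" plays the role of a domain
# referenced in the template but never registered by the organisation.
SAMPLE_TEMPLATE = """\
From: Talent Team <noreply@hr-example.net>
Reply-To: noreply@hr-example.net
Subject: Application received
Content-Type: text/plain

Thank you for applying. Please do not reply to this message.
Check your status at https://careers.example.com/status
or email hr@hr-example.net with questions.
"""

_URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
_MAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_domains(raw_message: str) -> set[str]:
    """Collect every domain an applicant could reply to or click on."""
    msg = message_from_string(raw_message)
    found = set()
    # Sender-side headers: a reply goes wherever these point.
    for header in ("From", "Reply-To", "Return-Path", "Sender"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr:
            found.add(addr.split("@", 1)[1].lower())
    # Body: links and e-mail addresses the applicant might use instead.
    body = msg.get_payload(decode=True)
    body = body.decode("utf-8", "replace") if isinstance(body, bytes) else (body or "")
    found.update(h.lower() for h in _URL_RE.findall(body))
    found.update(d.lower() for d in _MAIL_RE.findall(body))
    return found


def is_owned(domain: str, owned: set[str] = OWNED_DOMAINS) -> bool:
    """A domain is owned if it, or its registrable parent, is in the inventory."""
    return domain in owned or registrable_domain(domain) in owned


def audit_template(raw_message: str, owned: set[str] = OWNED_DOMAINS) -> list[str]:
    """Return, sorted, the domains in the template that are not in the inventory."""
    return sorted(d for d in extract_domains(raw_message) if not is_owned(d, owned))


if __name__ == "__main__":
    for d in audit_template(SAMPLE_TEMPLATE):
        print(f"UNOWNED DOMAIN in outbound template: {d}")
```

Run against the constructed template, `audit_template` reports `hr-example.net`: the sender and reply-to addresses and one body address all point at a domain nobody in the organisation registered, which is exactly the gap the article describes. The inventory comparison is deliberately offline; a registrar or WHOIS lookup can be layered on top, but the first question is simply whether every domain in the template is one you hold.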