Chipotle Exposes Private Data By Sending HR E-mails Via Unowned Domain, Doesn't See The Problem

from the utterly-oblivious dept

Chipotle has been making headlines lately for all the wrong reasons. While justifiably lauded for its efforts at embracing more sustainable agriculture, the restaurant chain is currently in the aftermath of a massive E. coli outbreak in Washington and Oregon that resulted in dozens of illnesses and hospitalizations. And while the CDC’s ongoing investigation of that outbreak is grabbing most of the public’s attention, the company has quietly been caught up in another, less noticed snafu involving a total lack of fundamental security common sense.

Apparently, Chipotle’s human resources department has been replying to new job applicants using the “” domain. The problem? This is a domain that the company neither owns nor controls, meaning that anybody could register it for themselves and, with minimal effort, begin harvesting applicant data while posing as Chipotle. While the messages sent to applicants from this domain urge them not to respond to the e-mail, the fact that an unowned domain is being used for communications remains obviously problematic.

Noticing this potentially major problem, a security researcher named Michael Kohlman (who was apparently applying in order to maintain unemployment benefits while between gigs) grabbed the domain for $30. He then reached out to Chipotle to explain the potential liability of the company’s sloppy security and to offer the company the domain, for free. Chipotle’s response? Utter and total denial that there was any problem whatsoever:

“Kohlman has since offered to freely give over the domain to the restaurant chain. But Chipotle expressed zero interest in acquiring the free domain. In fact, Chipotle’s spokesman Chris Arnold says the company doesn’t see this as a big deal at all.

“The domain is not a functional address and never has been,” Arnold wrote in an emailed statement. “It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this. That address is being changed to (a domain that we do own), but this has never been functional and is really a non-issue.”

That’s a $3.5 billion company showing it has zero understanding of security. At all. The fact that it lacked “operational significance” is totally irrelevant. All a hacker would need to do is register the domain, begin replying to recipients, and direct them to even a crude facsimile of a real Chipotle website. From there, it would have been trivial to farm applicants for all manner of personal data, including addresses, phone numbers, and social security numbers. The proper response from Chipotle to somebody highlighting this and offering the domain for free? Thank you.


Comments on “Chipotle Exposes Private Data By Sending HR E-mails Via Unowned Domain, Doesn't See The Problem”

Mason Wheeler (profile) says:

When I lived in Washington, I went to a Chipotle once. I found it to be very, very similar to the less-famous Qdoba, but with one significant difference: Chipotle is a victim of “Mexican restaurant disease.” If you haven’t heard of it, this is a mental condition known to frequently affect people who run Mexican restaurants, which causes them to think everything should be extremely hot (as in spicy, not temperature) and to treat picante as an acceptable substitute for flavor. Qdoba did not have that problem.

I didn’t go back. With this E. Coli outbreak, I’m glad I didn’t.

Dan (profile) says:

Misleading headline

Your headline says “Chipotle exposes private data”–how, precisely, does Chipotle do this? You’ve described a hypothetical scenario, which so far as you know (or at least, so far as you’ve said) hasn’t actually happened, in which a job applicant might inadvertently expose their private data to a malicious third party. But so far as you’ve described, Chipotle hasn’t exposed anything to anybody. Could you clarify, or fix your headline?

This isn’t to defend them–this is a completely boneheaded mistake. But what it is, is bad enough that you don’t need to invent other things that it isn’t.

Dan (profile) says:

Re: Re: Misleading headline

The analogy presented by AC#1, and the hypothetical presented by AC#2, are both completely off-base.

To AC#1: Your analogy would work if Chipotle were leaving their systems unsecured. As far as this article portrays, though, there’s no lack of security on their systems.

To AC#2: The email that was sent did not request any information, and it specifically directed that recipients not reply to it. How exactly do you think your hypothetical relates to this story?

Again, there’s just no excuse for their setting up their autoresponder to reply from an address they don’t own, on a domain they don’t own, or have any control over. That’s bad enough, and it makes them look like complete n00bz. Reveal their incompetence for what it is, but don’t invent harms that haven’t happened.

Dan (profile) says:

Re: Re: Re:2 Misleading headline

You’re making an orthogonal point. Yes, their (former) method is poorly thought out. Yes, it could result (mind you, “could result” is not the same as “has resulted”) in other people (i.e., not them) sending private information to malicious third parties. But that’s not what the article claims. The article–specifically, the headline–claims, “Chipotle exposes private data”. That claim, at least as applied to the rest of the article, is false–Chipotle has exposed no data at all. The worst that can be said is that they’ve created a risk that someone else will expose private data.

Klaus says:

Re: Re: Re:3 Misleading headline

And neither is “could” the same as “hasn’t”.

The point has been well made that neither Chipotle nor yourself are in any position to claim, let alone prove the opposite, that no data has been exposed. They have put their job applicants’ personal data at risk and seemingly couldn’t care less.

They should be birched for this.

Anonymous Coward says:

Re: Re: Re: Misleading headline

How many replies do you think noreply@everydomain.ever gets? A lot.

Their mail admin should have stopped this from ever happening by saying “Boss, this is stupid as hell. People are not always brilliant and will reply to these messages. We should snatch up the domain even if all the responses die in the sender’s queue, and we’re going to end up in just about every major email provider’s spam filter because there isn’t an MX record in any DNS server for this domain and our outgoing mail would fail an SPF check. Or we could just use” Two solutions that could have averted introducing additional risk. The first is configuring the outgoing email to use a legitimate domain as the sender/reply-to. The other is one annual $30 credit card charge and an hour’s worth of work.

The quote:
“The domain is not a functional address and never has been,”
-is simply not true. It wasn’t functional at a point in time, but it sure as hell is now, just not for them.

Another quote:
“It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this.”
-I beg to differ, but yes, there is a security risk. Also, sending an email almost guarantees soliciting a response from some percentage of recipients. They asked people to follow a link, but didn’t explain why. If it didn’t have operational significance, why the hell did they need to use the domain in the first place?

They sent email with a faked from address, for a domain they did not own or have permission to use for this purpose, and used it for official company communications that would almost certainly wind up with PII exposure, even if the response rate was minimal. That’s a risk. It could possibly be construed as negligence. I certainly think it is in the English definition, but I’m no lawyer so I can’t speak to the legal definition.

While technically their own site, that they actually operate, didn’t have this risk/vulnerability, their HR business practices did introduce risk and a vulnerability for those who were attempting to communicate with their HR department. Because some dipshit at Chipotle didn’t want to use, they opened up an easy avenue for mischief, fraud, or identity theft for potential employees.

As a final point, where in the screenshot of Krebs’ email does it say “Do not reply to this message, it is an un-monitored mailbox”? It doesn’t, nor anything even close, and it sure as hell doesn’t tell the recipient that any replies will go to a system Chipotle doesn’t own or control. Go read the article on Krebs’ site and tell me that nobody was ever at risk. The person who registered the domain got a LOT of replies and information. It would have been trivial to get those applicants to give up any and all information the domain owner wanted. Those people are job hunting and would, in some cases, be quite desperate and willing to do whatever is asked.

Luckily for Chipotle it was a decent person who found this gap and filled it for them. They should be thanking this guy and (ironically) offering him a job.

Anonymous Coward says:

Re: Misleading headline

True… reading everything presented here, I would have come to a completely misled conclusion about what’s happening if I didn’t actually work in this field.

For a clearer explanation of the issue:

Chipotle forged the “from” address on their HR notification emails (likely to prevent replies from reaching them). The forged “from” domain they chose was “” which was an unregistered domain.

This means that anyone replying to any email from these addresses will get an eventual reply back from their mail server stating that the message was undeliverable.

What the security researcher did was register the domain, for the express purpose of:

Preventing a third party from registering the domain and then pretending to be Chipotle HR by receiving all the emails from people who replied to the “do not reply” email address.

So what Chipotle was actually doing is setting up a phishing attack for anyone to take advantage of, with the added bonus for the phisher that the conversation was started between a legit Chipotle HR representative and the potential victims.

To make it clearer for Chipotle: this is the equivalent of sending out letters to all the applicants with a return address for a PO box they don’t actually own.

Anything the recipients actually SEND will go to that PO box, and whoever actually owns it can do what they like with what they receive.
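As an added, defender-side example (not from the article or any commenter), the two points made above about MX records, SPF and unowned sender domains can be turned into an audit: extract the From/Reply-To domains from an outbound mail template, then check each one against the list of domains the organisation actually owns and its MX/SPF records. The template, the domain names, the relay IP and the DNS answers are all constructed placeholders so the check runs offline.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed HR auto-reply template (not Chipotle's actual message).
SAMPLE_TEMPLATE = """From: HR Careers <noreply@unowned-example.invalid>
Reply-To: noreply@unowned-example.invalid

Please follow the link in this message. Do not reply to this e-mail.
"""

# Domains the organisation really controls (assumption: kept by the mail team).
OWNED_DOMAINS = {"corp-example.invalid"}

# Constructed stand-in for DNS answers so the audit runs offline; a live
# audit would resolve (name, rtype) with a DNS library instead.
FAKE_DNS = {
    ("corp-example.invalid", "MX"): ["10 mx1.corp-example.invalid."],
    ("corp-example.invalid", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
}

def sender_domains(raw_message):
    """Domains appearing in the From: and Reply-To: headers of a template."""
    msg = message_from_string(raw_message)
    found = set()
    for header in ("From", "Reply-To"):
        _, addr = parseaddr(msg.get(header, ""))
        if "@" in addr:
            found.add(addr.rsplit("@", 1)[1].lower())
    return found

def spf_authorises(spf_record, relay_ip):
    """True if an ip4: mechanism in the SPF record covers the sending relay."""
    ip = ipaddress.ip_address(relay_ip)
    for term in spf_record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return True
    return False

def audit_sender_domain(domain, relay_ip, dns=FAKE_DNS, owned=OWNED_DOMAINS):
    """List the reasons a From/Reply-To domain is unsafe to send mail as."""
    problems = []
    if domain not in owned:
        problems.append("not owned: anyone can register it and collect replies")
    if not dns.get((domain, "MX")):
        problems.append("no MX record: replies bounce or disappear")
    spf = [r for r in dns.get((domain, "TXT"), []) if r.startswith("v=spf1")]
    if not spf:
        problems.append("no SPF record: receivers will flag the mail as spam")
    elif not spf_authorises(spf[0], relay_ip):
        problems.append("SPF does not authorise this relay IP")
    return problems
```

Running `audit_sender_domain` over every domain returned by `sender_domains` for each template is the check that would have caught the unowned domain before the first message went out.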
