When you are a rather large employer in the food industry, you’d better take care of your domain assets.
In the case of Chipotle, they never owned the domain ChipotleHR.com.
And yet, the domain was extensively used by the company to communicate with potential job applicants.
The company was even pointing people interested in getting a job at Chipotle to ChipotleHR.com.
It reminds us of the Wendy’s case, but that was a typo on a public sign.
According to Krebs On Security, Michael Kohlman, an IT professional, discovered the glitch after applying for a job at Chipotle.
After submitting his resume and application, he received an email from Chipotle Careers with the return address @chipotlehr.com; a reply sent to that address generated a bounce message, saying his email was undeliverable.
Long story short, Mr. Kohlman realized that the domain was unregistered, and spent $30 to register it. From the looks of it, he had never heard of GoDaddy before! 😀
The WHOIS information at DomainTools shows that ChipotleHR.com was just registered.
While mistakes do happen, this one has the potential of exposing data on many applicants, if it were to be abused by the wrong registrant. Luckily, in this case, the job applicant is 100% white hat. 😀
For the full article from Krebs On Security, click here.
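A check that would catch this kind of mistake before an applicant does, shown as an added example that is not from the original post or from Chipotle: it reads the sender headers of an outbound message and flags any domain that is not in the company's inventory of registered domains. The inventory contents, the mailbox names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the list of domains the organisation has actually registered.
OWNED_DOMAINS = {"chipotle.com"}
# Headers a recipient's reply or a bounce may be routed by.
SENDER_HEADERS = ("From", "Reply-To", "Return-Path", "Sender")

# Constructed sample message modelled on the case above; local parts and
# the mail.chipotle.com subdomain are made up for the example.
SAMPLE = """\
From: Chipotle Careers <careers@chipotlehr.com>
Reply-To: careers@chipotlehr.com
Return-Path: <bounces@mail.chipotle.com>
To: applicant@example.org
Subject: Thank you for applying

We received your application.
"""

def is_owned(domain, owned=OWNED_DOMAINS):
    """True if domain is an inventoried domain or a subdomain of one."""
    domain = domain.lower().rstrip(".")
    # Match on a label boundary so "notchipotle.com" does not pass.
    return any(domain == d or domain.endswith("." + d) for d in owned)

def unowned_sender_domains(raw_message, owned=OWNED_DOMAINS):
    """Return sorted (header, domain) pairs that are outside the inventory."""
    msg = message_from_string(raw_message)
    findings = set()
    for header in SENDER_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if "@" not in addr:
                continue  # empty or malformed address, nothing to check
            domain = addr.rsplit("@", 1)[1].lower()
            if not is_owned(domain, owned):
                findings.add((header, domain))
    return sorted(findings)

if __name__ == "__main__":
    for header, domain in unowned_sender_domains(SAMPLE):
        print(f"{header}: {domain} is not in the owned-domain inventory")
```

Run against templates from the applicant-tracking or mail system, a finding means the domain should be registered by the company or the template changed to a domain it already owns.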
Thanks for letting me know that “somebody else” registered the domain name on June 26, 2015, parked it with Rook Media and potentially listed the domain for sale on Afternic, only later to force delete it between June 28, 2015 and November 13, 2015… 🙂