Rap for wrap chaps in crap email trap: Chipotle HR used domain it had no control over

"Burrito" chain Chipotle has been using an internet domain for its HR emails that it has no control over. IT pro Michael Kohlman found that the US fast-food giant was stamping @chipotlehr.com addresses on emails sent to those who applied for jobs via its website. The form response, sent to applicants, came with instructions …

  1. Anonymous Coward

    Okay, not particularly relevant to the story, but on the subject of emails...

    I received this from a senior manager on Saturday...

    "Guys

    Please be extra vigilant for any News related issues over the weekend in light of the events in Paris.

    I know you do anyway but any problems please deal with very quickly and escalate if necessary"

    My reply:

    "Thanks for that insightful email.

    But I do have a question.

    Why, if you know we do deal with problems and escalate if necessary, do you feel the need to send us an email asking us to do what you know we already do?

    I can only speak for myself, but I would appreciate you excluding me from pointless emails sent when you are at home and I am at work telling me how to do my job.

    Perhaps trusting your staff to do their job and communicating individually to any staff falling below an acceptable standard where there is evidence of that happening would be a better method of communicating?

    But in the spirit of subservience to my overlords I will sit further forward and more upright in my seat tomorrow, I hope that will fulfil my obligation under the being 'extra vigilant' clause of your email."

    I'm back in work in the morning, I guess the stupid manager will want a word with me...

    End of personal rant, but once again thanks to El Reg for the opportunity to vent...

    1. Ken Moorhouse Silver badge

      Re: Okay, not particularly relevant to the story, but on the subject of emails...

      Did you check the follow-up P45 for its authenticity?

    2. John Brown (no body) Silver badge
      Unhappy

      Re: Okay, not particularly relevant to the story, but on the subject of emails...

      I think he's my boss too. Instead of bollocking the miscreant(s) he sends out an email to the whole department "reminding" us of the correct procedures.

      Some people are managers and some people aren't. And some people are called managers who aren't.

      1. AC Wilson

        Re: Okay, not particularly relevant to the story, but on the subject of emails...

        It is the "Peter Principle" - the natural order is to rise to the highest level of incompetence.

  2. elDog

    Excuse me. Is this where I register my E.Coli fecal sample?

    I have the brown stuff on a stick and want to know how I can send it to you.

  3. Mark 85

    Obviously, Chipotle takes "privacy and security very seriously" since they didn't care enough to even respond to Mr. Kohlman. Another group of wankers running a corporation I see.

  4. Roq D. Kasba

    Big software company, one you know

    Built a whole huge test dataset using real employee data, but with their email addresses set to <username>@bogus.com, and routed through the real live exchange servers.

    I pointed out that the poor buggers who owned bogus.com, A REAL DOMAIN, must be getting pissed with receiving 80,000 emails a day containing PII for our employees, and we should only hope they're ignoring the huge volume of mail from us as spam rather than using this data. Faces went white, and quite quickly we set up the equivalent of devnull.thecompany.com sub domain, but for a while we sprayed PII all out over open interweb directly to someone.

    This was a very high tech company you know, they should have known better. In retrospect, they really owe me for pointing that out!

    1. Anonymous Coward

      Re: Big software company, one you know

      So, IBM then? ;)

    2. Alister
      Facepalm

      Similar example

      A newish developer with our company, who was working on some bulk mail software, decided to create his own test email addresses by running his fingers up and down his keyboard, and then inserting a dot before the last two or three letters. He did this for about 1,000 addresses, and then sent them all a test email.

      He was successful in creating quite a few real domains using that method and we ended up fielding a lot of bounces, including some from an obscure military establishment in the US...

      I wasn't best pleased, especially since we have our own test email server with a specified domain set up for sending to.
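The two stories above (test fixtures addressed to the real bogus.com, and keyboard-mashed addresses that turned out to hit live domains) and the article's own point about sending from a domain you do not control share one fix: a guard in the sending path that only lets mail out to RFC 2606 reserved names or domains you own, and refuses to stamp a sender domain you do not own. The following is an added example written for this page, not code from The Register or from any commenter; the owned-domain list and the fixture addresses are assumptions constructed for illustration.

```python
"""Outbound-mail guard: never let test traffic leave for a domain you do not
control, and never stamp a sender domain you do not own.

Added example, not code from the article or any commenter. The owned-domain
list and the sample recipients are constructed for illustration.
"""
import re

# RFC 2606 / RFC 6761 reserved names: IANA guarantees nobody else registers
# them, so mail addressed there cannot land with a third party the way mail
# to bogus.com can.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

# Assumed for the example: domains this organisation has registered and controls.
OWNED_DOMAINS = {"acme-corp.com"}

_ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")


def classify(address):
    """Return 'owned', 'reserved', 'external' or 'invalid' for an address."""
    m = _ADDR_RE.match(address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower().rstrip(".")
    # Owned is checked first so an owned name that happens to sit under a
    # reserved TLD is still recognised as ours.
    if domain in OWNED_DOMAINS or any(domain.endswith("." + d) for d in OWNED_DOMAINS):
        return "owned"
    if domain in RESERVED_DOMAINS or domain.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return "reserved"
    return "external"


def filter_outbound(sender, recipients, allow_external=False):
    """Refuse to send from a domain we do not own; drop recipients that would
    leak the message to whoever owns an unrelated domain.

    Returns (kept, dropped) so the caller can log what was suppressed."""
    if classify(sender) != "owned":
        raise ValueError("sender domain is not under our control: " + sender)
    kept, dropped = [], []
    for addr in recipients:
        kind = classify(addr)
        if kind in ("owned", "reserved") or (allow_external and kind == "external"):
            kept.append(addr)
        else:
            dropped.append(addr)
    return kept, dropped


if __name__ == "__main__":
    # Constructed fixture: a real-looking "fake" domain, a keyboard mash that
    # might be a live domain, and two properly reserved test names.
    fixture = ["jsmith@bogus.com", "qwerty@asdfg.hj",
               "jsmith@example.com", "ci@build.test"]
    print(filter_outbound("hr@acme-corp.com", fixture))
```

With the default `allow_external=False` the guard is what a staging or test environment should run; production flips the flag, but the sender check stays, which is exactly the control that would have caught an @chipotlehr.com From: header on a domain nobody at the company had registered.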

  5. NoneSuch Silver badge

    A former sales manager was writing an email to a female contact in another company, but couldn't remember the domain name of the addressee. He put in the "first.lastname@" for the lady, and used "xxx" as a placeholder for the domain in front of the .com, intending to replace it when he recalled the information.

    When done composing the email, he hit send without thinking. That set off a firewall alert and a meeting with HR soon after.

    Everyone involved believed him when he told the story as the email in his sent box was completely professional. We all had a great laugh after he'd left the conference room red-faced.

  6. szielins

    I fear their chimichangas have lost much of their crisp.

  7. David Roberts

    Obviously not a real address

    Since the early days of email I have had an email address of "wibble@<wellknowndomain>.com".

    Every few years some bright spark decides that having finally discovered Black Adder they have thought of the perfect test email address.

    I then get a flurry of emails, until I contact them and point out that I know what they are doing.

    Only ever had one apology/admission of guilt. Usually get "we have fixed the problem" if I am lucky.

  8. Cincinnataroo

    El Reg Muppet company list

    Maybe El Reg should have a scorecard system of Muppet Run Companies.

    The list downloadable as say CSV for the better amusement of readers who want to "further process" the idiocy.

    1. Anonymous Coward

      Re: El Reg Muppet company list

      This reminds me of when we set up an online survey for a Big 4 accountant who shall be nameless. Staff were asked to register with their email addresses so that those who bothered to respond could get a copy of the results of the survey, but one senior manager decided that this was "insecure" and told his staff to register with fake email addresses. The result, of course, was that we had to identify and filter them. Manually.

      Not all his staff apparently agreed. We had "XYZisamuppet@big4.com", "XYZblowsinreverse@big4.com", and a few other variants. Some of the people with the rudest names made some of the most detailed and helpful comments in the free text boxes.

      1. cream wobbly

        Re: El Reg Muppet company list

        "Some of the people with the rudest names made some of the most detailed and helpful comments in the free text boxes."

        Isn't that always the case? The snarkiest people are the ones with their brains in gear. Who needs peer votes? Natural language processing could be used to detect a condescending attitude and bubble the comment to the top of the pile.

    2. Mark 85
      Coat

      Re: El Reg Muppet company list

      I shudder to think how large a file and how many entries would be needed. Might be better off to make a list of the "Non-Muppet Run Companies". I'd think the "Non-Muppet Run Company" list would be a very tiny list. Come to think of it, the list is on the back of the business card in my coat pocket.

      1. Roq D. Kasba

        Re: El Reg Muppet company list

        Most useful replies come from people who understand the systems and have to work around the pain they cause each day, so are naturally the most embittered by artificial hurdles crappy systems throw up.

        Worked at a place once where 'benefits' were bought from a shopping list, based on a fixed percentage of your salary. Each year, the company sent a questionnaire about how happy people were with the benefits system, each year the techies grumbled that seeing as the benefits were taxable, why couldn't they just have the money so they could choose what to spend it on, not being limited to the list items, which were poor value ('experiences', high street shop vouchers at almost cover price after postage, etc). Every year, HR would bring the department in for a patronising talk about all the wonderful benefits and how the (incredibly smart and technical) department didn't understand the system. Yet it was true, the 'benefits' effectively took away from the salary pool and limited the value of that money to what someone in HR thought a good way to spend it. Similarly with the company car scheme, the employee would be taxed for the company's benefit when you broke the figures down, so it had little uptake among the people who were smart enough to analyse and appraise a complex system.

  9. Throatwarbler Mangrove Silver badge
    FAIL

    Spam spam spam

    A salesdroid for a well-known system monitoring software company sent out a marketing email to his entire customer base (including me) with all the addresses in the To: line. So far, so unremarkable, but consider that this was ostensibly a list filled with technically-literate individuals who should know not to hit the Reply To All button.

    Nope. Instead, we all got the regrettably inevitable torrent of "unsuscribe" (sic), "REMOVE ME FROM THIS LIST OR IMMA SUE!" etc. A few people found the humor in it, though, and replied to all with the Picard facepalm, helpful instructions on how not to reply to all, and my personal favorite:

    http://www.threepanelsoul.com/comic/on-sea-lions

  10. usbac Silver badge

    Not exactly the same problem, but similar

    I work for a mid sized e-commerce company (that will remain nameless). A few years ago I received a phone call from the manager of a small company asking if I knew why they were getting flooded with calls asking for our company. Customers were calling thinking they were getting our customer service department. After a few days of head scratching, we still couldn't figure out why our customers were calling them.

    At this point, I called the manager back, and asked them to ask one of the callers where they got the phone number. The customer answered that it was printed in big numbers on their pick-ticket (invoice) that was in the box. It turns out that someone here just used 1-800-(company name) on the pre-printed forms. The problem was, that wasn't the correct toll free number. We had sent out tens of thousands of orders with this printed on the pick-ticket.

    Nobody ever admitted to being responsible for this. Fortunately for us, the owners of the poor company that kept getting slammed with calls were very understanding. We gave them and their staff codes for some huge discounts on our products, and everyone just laughed it off. Being the US, I was really surprised we didn't get sued! It says a lot for the owners of that company.

  11. Robin Bradshaw

    The tragic tale of foo :)

    http://bar.com/

    1. John Brown (no body) Silver badge

      Re: The tragic tale of foo :)

      http://bar.com/

      Nice :-)

      On a much smaller scale back in the days of Blueyonder (or was it the earlier incarnation of CableInet?) I remember a number of people getting "odd" replies in email. They were replies to people who had no clue how to set up their email and had simply created their own my.name@blueyonder.co.uk without any thought that they might never see the replies. I'm sure pretty much every ISP must have suffered that problem over the years.

  12. Michael B.

    Monthly Bail Bonds

    An online bail bond company set up at almost the same address as our personal domain but with an s. ( We were here first!) About once a month we get people emailing copies of every single piece of personal information to our info@ address when applying for their custom bonds. If we were malicious we really could steal their identity with no problems at all.

  13. a_yank_lurker

    PHB hiring the 16 year old nephew/niece

    Is the result of the PHB hiring their 16 year old nephew/niece who can turn on a computer but not much else?

  14. Red Bren

    intranet pr0n

    A former employer once decided to make up a random domain (based on the company initials) to house part of its intranet. Not a problem if you were browsing on the corporate network as the DNS would resolve it. But I once clicked on a link in OWA and to describe what I found as NSFW would be an understatement! It took hours to discover all the filth on there...

    1. waldo kitty
      Thumb Up

      Re: intranet pr0n

      "But I once clicked on a link in OWA and to describe what I found as NSFW would be an understatement! It took hours to discover all the filth on there..."

      THAT deserves an up vote all by itself :)

  15. Anonymous Coward

    Not email but worth a face-palm

    A company I worked for recently hired a 'professional' hacker to test employees using a phishing campaign. He got a few hundred employees from LinkedIn and correctly guessed their email addresses (firstname.lastname), and sent a link to a fake Outlook Web Access 'test' page using an almost-exactly-the-same-but-not-quite-the-same-as-the-company's domain name he'd registered.

    Good stuff: he speared quite a few clueless peeps, *but* he'd actually taken the OWA logon page from an unconnected legitimate company's website, and left the redirect to the failure page pointing to their original domain. So he ended up bouncing persistent employees into trying to log into an innocent third-party's email system, using their internal domain usernames and passwords. What a pro!
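Both the bail-bond story (a domain one letter away from yours, collecting other people's paperwork) and the phishing test above (an almost-the-same registered domain pointed at a cloned OWA page) are lookalike domains, and the defensive counterpart is to compare every sender domain you see against the domains you actually own. The example below is added for this page and is not code from The Register or from either commenter; the protected-domain list, the homoglyph table and the mail-log lines it scans are all constructed for illustration, and the registrable-domain split is deliberately naive (no public-suffix list).

```python
"""Flag sender domains that imitate domains you own: edit distance after
folding common visual substitutions, plus same-name-different-TLD.

Added example, not code from the article or any commenter. PROTECTED, the
homoglyph table and SAMPLE_LOG are constructed for illustration.
"""
import re

# Assumed: the registrable domains this organisation controls.
PROTECTED = ["acme-corp.com", "acmebonds.com"]

# Visual substitutions commonly used in lookalike registrations.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Fold a DNS label so that 'acrne' and 'acme' compare equal."""
    label = label.lower()
    for src, dst in _HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Second-level label plus TLD. Naive: ignores multi-part suffixes like co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def lookalike_of(domain, protected=PROTECTED, max_distance=1):
    """Return the protected domain this one imitates, or None if it is either
    the genuine domain or not close to any of ours."""
    reg = registrable(domain)
    if reg in protected:
        return None
    sld = reg.rsplit(".", 1)[0] if "." in reg else reg
    for p in protected:
        psld = p.rsplit(".", 1)[0]
        # Same name on another TLD (acme-corp.co) is a lookalike in its own right,
        # as is a single-character edit such as acmebond vs acmebonds.
        if levenshtein(normalize(sld), normalize(psld)) <= max_distance:
            return p
    return None


# Constructed Postfix-style log lines; the addresses are made up.
SAMPLE_LOG = [
    "Nov 16 09:12:01 mx postfix/smtpd[4121]: from=<hr@acme-corp.com> to=<bob@acme-corp.com>",
    "Nov 16 09:12:07 mx postfix/smtpd[4121]: from=<it-support@acrne-corp.com> to=<bob@acme-corp.com>",
    "Nov 16 09:13:44 mx postfix/smtpd[4122]: from=<info@acmebond.com> to=<alice@acme-corp.com>",
    "Nov 16 09:14:02 mx postfix/smtpd[4122]: from=<newsletter@example.org> to=<alice@acme-corp.com>",
    "Nov 16 09:15:30 mx postfix/smtpd[4123]: from=<owa@acme-corp.co> to=<carol@acme-corp.com>",
]

_FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def scan_senders(log_lines):
    """Return (sender_domain, imitated_domain) pairs for every lookalike seen."""
    hits = []
    for line in log_lines:
        m = _FROM_RE.search(line)
        if not m:
            continue
        target = lookalike_of(m.group(1))
        if target:
            hits.append((m.group(1), target))
    return hits


if __name__ == "__main__":
    for sender, target in scan_senders(SAMPLE_LOG):
        print("lookalike sender %s imitates %s" % (sender, target))
```

Run at the mail gateway or over SIEM data, the hits are the domains worth blocking, and the same list is what to feed a defensive registration programme so the obvious variants of your own name are yours before someone else's "professional" gets to them.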
