Chipotle allows job applicant to access its HR emails

US restaurant chain didn't own the 'chipotlehr' domain name, despite using it to respond to job seekers

US restaurant chain Chipotle Mexican Grill enabled a job applicant to access its HR emails because it never owned the domain name from which it was replying to job seekers.

Chipotle's HR department has been replying to job applicants from the domain 'chipotlehr.com'. One applicant, Michael Kohlman, discovered that nobody owned the domain when his reply to that address produced a 'bounce' message saying it was undeliverable.

"The canned response was very odd," Kohlman told security expert Brian Krebs.

"Rather than indicating the email didn't exist, [the bounced message] just came back and said it could not resolve the DNS settings," he said.

Kohlman, who is an IT professional, searched the ownership records for the domain and, having found that it had never been registered, spent $30 to buy it.

Once he had registered the domain and set up mail for it, he found that messages were already arriving at the address - even though Chipotle's emails discourage recipients from replying - from job seekers and from people who needed help with their password for the Chipotle HR portal.

Essentially, everything sent to this domain lands in the mailbox of whoever registers it, and could have been collected and abused by cyber criminals rather than by a well-meaning applicant.
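The check that would have caught this before any mail went out is simple: every domain that appears in the From, Reply-To or Return-Path headers of an outbound template must be one the organisation actually owns, and it must resolve in DNS. The script below is an added example, not code from the article, from Chipotle or from KrebsOnSecurity. The sample messages are constructed to mirror the two addresses named in the article, the owned-domain list is an assumption, and the default resolver only checks for A/AAAA records (an unregistered domain returns NXDOMAIN for every record type, which is what the bounce Kohlman received reported); a domain that publishes only MX records would need a real MX lookup, which is left out to keep the script dependency-free.

```python
"""Audit the sender domains used in outbound mail templates.

Added example, not Chipotle's or KrebsOnSecurity's code.  For every domain
found in sender-side headers it reports (a) whether the organisation owns it
and (b) whether it resolves at all.  A domain failing either check means
replies go to a third party or to nobody, until someone registers it.
"""
import email
import email.utils
import socket
from typing import Callable, Dict, List, Set

# Assumption: the organisation owns chipotle.com and every name under it.
OWNED_DOMAINS: Set[str] = {"chipotle.com"}

# Constructed sample messages, modelled on the two addresses in the article.
SAMPLE_MESSAGES = [
    "From: Chipotle Careers <noreply@chipotlehr.com>\r\n"
    "Reply-To: hr-help@chipotlehr.com\r\n"
    "To: applicant@example.net\r\n"
    "Subject: Your application\r\n\r\nThanks for applying.\r\n",
    "From: Chipotle Careers <noreply@careers.chipotle.com>\r\n"
    "Return-Path: <bounces@careers.chipotle.com>\r\n"
    "To: applicant@example.net\r\n"
    "Subject: Your application\r\n\r\nThanks for applying.\r\n",
]

# Headers that decide where a reply or a bounce ends up.
SENDER_HEADERS = ("From", "Reply-To", "Return-Path", "Sender")


def sender_domains(raw_message: str) -> List[str]:
    """Return the distinct domains used in the sender-side headers, in order."""
    msg = email.message_from_string(raw_message)
    found: List[str] = []
    for header in SENDER_HEADERS:
        # getaddresses handles "Name <user@host>" as well as bare addresses.
        for _name, addr in email.utils.getaddresses(msg.get_all(header, [])):
            if "@" in addr:
                domain = addr.rsplit("@", 1)[1].lower()
                if domain not in found:
                    found.append(domain)
    return found


def is_owned(domain: str, owned: Set[str]) -> bool:
    """True if domain is an owned domain or a subdomain of one.

    The dot is required so that e.g. 'evilchipotle.com' does not match."""
    return any(domain == o or domain.endswith("." + o) for o in owned)


def resolves(domain: str) -> bool:
    """Default resolver: does the name have any A/AAAA record?

    Unregistered domains fail with NXDOMAIN; that is the 'could not resolve
    the DNS settings' bounce described in the article."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit(messages: List[str],
          owned: Set[str] = OWNED_DOMAINS,
          resolver: Callable[[str], bool] = resolves) -> Dict[str, List[str]]:
    """Map each sender domain to the list of problems found with it.

    The resolver is injectable so the audit can run offline in tests."""
    report: Dict[str, List[str]] = {}
    for raw in messages:
        for domain in sender_domains(raw):
            if domain in report:
                continue
            problems = []
            if not is_owned(domain, owned):
                problems.append("not an owned domain: replies go to whoever holds it")
            if not resolver(domain):
                problems.append("does not resolve: unregistered or no DNS, open to takeover")
            report[domain] = problems
    return report


if __name__ == "__main__":
    for domain, problems in audit(SAMPLE_MESSAGES).items():
        print(f"{domain}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the real templates an HR or marketing system sends, and treat any domain that is not in the owned list as a finding even when it resolves: a registered domain you do not control is the same exposure with a less sympathetic owner.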

Kohlman has since offered to hand the domain over to the restaurant chain for free, but the company showed no interest in acquiring it.

"The chipotlehr.com domain is not a functional address and never has been," Chipotle spokesperson Chris Arnold told Krebsonsecurity.

"It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this," he added.

The firm is moving its address to careers.chipotle.com, a domain that it does own, but the company's response suggests that it is not quite on the ball when it comes to information security.

The firm hired its first CIO only last month, and it does not yet have a CISO or equivalent.