Chipotle Exposes Private Data By Sending HR E-mails Via Unowned Domain, Doesn't See The Problem

from the utterly-oblivious dept

Chipotle has been making headlines lately for all the wrong reasons. While justifiably lauded for its efforts at embracing more sustainable agriculture, the restaurant is currently in the aftermath of a massive E. Coli outbreak in Washington and Oregon that resulted in dozens of illnesses and hospitalizations. And while the CDC's ongoing investigation of that outbreak is grabbing most of the public's attention, the company's quietly been caught up in another, less noticed snafu involving a total lack of fundamental, security common sense.

Apparently, Chipotle’s human resources department has been replying to new job applicants using the "chipotlehr.com" domain. The problem? This is a domain that the company neither owns nor controls, meaning that anybody could nab it for themselves and, with minimal effort, begin harvesting applicant data while posing as Chipotle. While the messages sent to applicants from this domain urge them not to respond to the e-mail, the fact that an unowned domain is being used for communications still remains obviously problematic:Noticing this potentially major problem, a security researcher named Michael Kohlman (applying to apparently maintain unemployment benefits while between gigs) grabbed the domain for $30. He then reached out to Chipotle to explain the potential liability of the company's sloppy security and offer the company the domain, for free. Chipotle's response? Utter and total denial that there was any problem whatsoever:

"Kohlman has since offered to freely give over the domain to the restaurant chain. But Chipotle expressed zero interest in acquiring the free domain. In fact, Chipotle’s spokesman Chris Arnold says the company doesn’t see this as a big deal at all.

"The chipotlehr.com domain is not a functional address and never has been,” Arnold wrote in an emailed statement. “It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this. That address is being changed to careers.chipotle.com (a domain that we do own), but this has never been functional and is really a non-issue.”

That's a $3.5 billion company showing it has zero understanding of security. At all. The fact that it lacked "operational significance" is totally irrelevant. All a hacker would need to do is register the domain, begin replying to recipients, and direct them to even a crude facsimile of a real Chipotle website. From there, it would have been trivial to farm applicants for all manner of personal data, including addresses, phone numbers, and social security numbers. The proper response from Chipotle to somebody highlighting this and offering the domain for free? Thank you.

Filed Under: email, hr, security
Companies: chipotle

DailyDirt: Eating At Chipotle

from the urls-we-dig-up dept

Some people really like eating at Chipotle. It's supposed to be healthy (although it really depends on what you order). The ingredients are often (but not always) from sustainable sources, and customers enjoy their meals. A few really fanatical eaters have devised some bizarre eating games with Chipotle food. Almost every fast food restaurant has a "secret menu" of some kind nowadays, but if you really like Chipotle, here are some extreme eaters who have documented their Chipotle purchases.

• Andrew Hawryluk gave up NOT going to Chipotle for Lent, and he called his strange non-abstinence "Chipotlent" and blogged about it. Since February 18, 2015, this 23yo animator from Los Angeles has been eating at Chipotle at least once a day... for over 6 months now. He's been compared to Jared who once represented Subway, but maybe that's not such a favorable comparison now. [url]
• It's one thing to order a meal at Chipotle every day, but it's another process entirely to try to maximize the weight of your food. If you want to do it, though, you can apparently get 86% more food (by weight) than just ordering like a normal person. [url]
• The 'Chipotle Quesarito' is a secret menu hack that uses a cheese quesadilla to wrap your burrito, instead of just a plain tortilla. Recently, however, Chipotle has started charging $3.50 extra for this "have it your way" hack, but it's still a popular order. [url]

After you've finished checking out those links, take a look at our Daily Deals for cool gadgets and other awesome stuff.

Filed Under: andrew hawryluk, chipotlent, dylan grosz, fast food, food, healthy, jared fogle, quesarito, restaurants, secret menu
Companies: chipotle, subway

DailyDirt: All Natural Doesn't Necessarily Mean Good For You...

from the urls-we-dig-up dept

A growing trend in food packaging seems to be using the words "all natural" to describe ingredients. This is meant to be an improvement over the previous "completely artificial" ingredients that have been used for decades. However, as some point out, the use of natural ingredients doesn't necessarily mean what consumers might think it means. Starbucks found out that "natural" might not satisfy all of its customers when it switched from Red #40 to a natural food coloring made from crushed insects. Those crushed insects aren't harmful, but that's not exactly what folks were expecting from a "natural" ingredient, either.

• Pizza Hut and Taco Bell (both owned by Yum Brands) have announced plans to get rid of artificial colors and flavors from their menu items. As an example, Taco Bell said it's going to stop using artificial black pepper flavor and use "natural black pepper flavor" -- but the company wouldn't disclose the exact difference between those ingredients. [url]
• Chipotle said it has gone GMO free (well, except for its drinks). The media coverage wasn't as glowingly positive as might have been expected, though. [url]
• Some food alarmists have been warning people that artificial strawberry and raspberry flavorings come from "beaver anal glands" -- but that's not exactly true. Castoreum is an extract from a beaver's organ located near -- but not from -- a beaver's butt, and this natural flavoring/fragrance isn't widely used in foods because it's actually too expensive to be economical in many food products. [url]

After you've finished checking out those links, take a look at our Daily Deals for cool gadgets and other awesome stuff.

Filed Under: artificial, castoreum, coloring, flavoring, food, fragrance, gmo, natural, taste
Companies: chipotle, pizza hut, starbucks, taco bell, yum brands