When HR's 'Do not reply to this email' becomes a security issue
Thursday, November 19, 2015 at 9:11AM
Steve in HR, HR Tech, Recruiting, Technology, security

DEAR APPLICANT,

DO NOT REPLY TO THIS MESSAGE AS THIS EMAIL ACCOUNT IS NOT MONITORED.

Sincerely, 

DO_NOT_REPLY_TO_THIS_MESSAGE@BIGCOMPANY.COM

We have all seen these kinds of messages in emails coming from organizations - retailers, mass marketers, maybe even from e-newsletters from big publishers like the New York Times or the Huffington Post.

Mostly, we don't give these messages, and their admonitions to NOT REPLY all that much thought. Who wants or needs to reply to Target's daily e-mail reminder of the TREMENDOUS Black Friday deals that are upcoming anyway?

But there is definitely at least one scenario where these DO NOT REPLY emails are much more likely to elicit an actual response from the recipient: job applications, when the DO NOT REPLY emails are going out to candidates from an ATS (applicant tracking system) or a recruiter.

It is entirely plausible that an applicant would want to reply to an auto-generated message from the ATS to ask additional questions, to make sure that all the needed application materials were received, or simply to inquire about the current status of the application. And while the argument over whether large organizations that receive millions of applications each year should, or even can, respond to every candidate email will continue to rage, one thing is certain: you should NEVER do what it appears Chipotle (the big restaurant chain) did.

Details below, courtesy of the Krebs on Security blog:

The restaurant chain Chipotle Mexican Grill seems pretty good at churning out huge numbers of huge burritos, but the company may need to revisit some basic corporate cybersecurity concepts. For starters, Chipotle’s human resources department has been replying to new job applicants using the domain “chipotlehr.com” — a Web site name that the company has never owned or controlled.

Translation: Until last week, anyone could have read email destined for the company’s HR department just by registering the domain “chipotlehr.com”. Worse, Chipotle itself has inadvertently been pointing this out for months in emails to everyone who’s applied for a job via the company’s Web site.

(Michael) Kohlman said after submitting his resume and application, he received an email from Chipotle Careers that bore the return address @chipotlehr.com. The Minnesota native said he became curious about the source of the Chipotle HR email when a reply sent to that address generated an error or “bounce” message saying his missive was undeliverable.

“The canned response was very odd,” Kohlman said. “Rather than indicating the email didn’t exist, [the bounced message] just came back and said it could not resolve the DNS settings.”

A quick search for ownership records on the domain showed that it had never before been registered. So, Kohlman said, on a whim he plunked down $30 to purchase it.

The welcome message that one receives upon successfully submitting an application for a job at Chipotle discourages users from replying to the message. But Kohlman said a brief look at the incoming email associated with that domain revealed a steady stream of wayward emails to chipotlehr.com — mainly from job seekers and people seeking password assistance to the Chipotle HR portal.

“In nutshell, everything that goes in email to this HR system could be grabbed, so the potential for someone to abuse this is huge,” said Kohlman. “As someone who has made a big chunk of their career defending against cyber-attackers, I’d rather see Chipotle and others learn from their mistakes rather than cause any real damage.”

There is more to the story over at the Krebs site, including the official response from a Chipotle spokesperson claiming that the company did not see this as a problem at all, and that the web domain www.chipotlehr.com was not a functional address and never had been. At least until Kohlman registered it recently. If you go to www.chipotlehr.com right now, all you see is a blank page containing one sentence: "This is NOT the Chipotle Human Resources Page".

Kind of a silly, sort of ridiculous story all around, I think, but one that should make HR and Recruiting folks at least take a look at the specifics of the auto-generated messages they are sending out to candidates and applicants, starting with the From and Reply-To addresses those messages carry.

I am not at all telling you that you shouldn't use 'DO NOT REPLY TO THIS MESSAGE' emails in your process, but if you do, make sure every domain those messages are sent from, or ask for replies to, is one your organization actually registers and controls, so you are not exposing your applicants' data to unintended audiences.

Maybe take 5 minutes today to have a quick call with your Admins or IT team about this. It is worth it for the peace of mind. 
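If you want something concrete to hand to that admin or IT person, the check below is the one the Chipotle story calls for. It is an added example, not code from the original post or from Chipotle: it pulls every sender-side domain out of an outbound ATS template (From, Reply-To, Return-Path and friends, since a human reply goes to Reply-To or From and a bounce goes to Return-Path), compares each against an inventory of domains you actually register, and flags any domain outside that inventory that does not even resolve in DNS, which is exactly the state chipotlehr.com was in before Kohlman bought it. The message, the hostnames (all under the reserved .example TLD) and the `OWNED_DOMAINS` inventory are constructed for illustration.

```python
"""Audit the sender-side domains of an outbound HR/ATS message template.

Added example, not from the original post. Every domain in From, Sender,
Reply-To, Return-Path and Errors-To is checked against an inventory of
domains the organisation controls; anything outside that inventory that
does not even resolve in DNS is flagged, because that is the condition
under which a stranger can register it and start receiving applicants'
replies.
"""
import email
import socket
from email.utils import getaddresses

# Headers a reply or bounce can be routed to. A human reply goes to Reply-To
# (or From if absent); an MTA bounce goes to Return-Path.
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path", "Errors-To")

# Constructed sample template; the hostnames are hypothetical .example names.
SAMPLE_MESSAGE = """\
From: BigCompany Careers <do_not_reply@bigcompanyhr.example>
Reply-To: careers@bigcompany.example
Return-Path: <bounces@mail.bigcompany.example>
To: applicant@example.net
Subject: Your application has been received

DO NOT REPLY TO THIS MESSAGE AS THIS EMAIL ACCOUNT IS NOT MONITORED.
"""

# Hypothetical inventory of domains the organisation actually registers.
OWNED_DOMAINS = {"bigcompany.example"}


def sender_domains(raw_message):
    """Map each domain used on the sender side to the headers it appears in."""
    msg = email.message_from_string(raw_message)
    domains = {}
    for header in SENDER_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if "@" in addr:
                domain = addr.rsplit("@", 1)[1].strip().lower()
                domains.setdefault(domain, set()).add(header)
    return domains


def is_owned(domain, owned_domains):
    """True if domain is one of ours or a subdomain of one of ours."""
    return any(domain == d or domain.endswith("." + d) for d in owned_domains)


def dns_resolves(domain):
    """Cheap liveness probe: does the name resolve at all (A/AAAA)?

    An unregistered domain returns NXDOMAIN. This does not check MX records
    and does not prove ownership; it only tells you the name is live.
    """
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_sender_domains(raw_message, owned_domains, resolve=dns_resolves):
    """Return (domain, headers, status) for every sender-side domain.

    Statuses: "ok" (in inventory), "not-owned" (resolves but is not ours:
    a vendor domain or a typo to investigate), "unregistered-or-dead" (does
    not resolve: anyone can register it and read the replies).
    """
    findings = []
    for domain, headers in sorted(sender_domains(raw_message).items()):
        if is_owned(domain, owned_domains):
            status = "ok"
        elif resolve(domain):
            status = "not-owned"
        else:
            status = "unregistered-or-dead"
        findings.append((domain, sorted(headers), status))
    return findings


if __name__ == "__main__":
    for domain, headers, status in audit_sender_domains(SAMPLE_MESSAGE, OWNED_DOMAINS):
        print(f"{status:22} {domain:28} {', '.join(headers)}")
```

Run it against the real templates your ATS sends (export one message of each kind and feed it in as `raw_message`) with `OWNED_DOMAINS` set to what your registrar account actually shows. Two caveats: a domain that resolves is not proof you own it, so treat "not-owned" as a question for the vendor or the registrar rather than a pass, and the only real fix for an "unregistered-or-dead" finding is to register the domain yourself or change the template, not to wait and see whether anyone notices.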

Article originally appeared on Steve's HR Technology (http://steveboese.squarespace.com/).