Company chose to send breach notice from email-marriott.com, not marriott.com, leading to poor deliverability.
A couple of weeks ago hotel giant Marriott announced a data breach that involves personal data of up to 500 million guests. This type of data breach seems par for the course these days. It’s interesting to see how companies follow up after these breaches; the response can often shed light on overall poor practices that make it clear that a breach was inevitable.
Consider the Equifax breach in which the company’s own social media account tweeted out a link to the wrong domain name with information about the incident.
After the news about Marriott broke, I waited to get an email from Marriott that would notify me of what happened and how to protect myself. It never came…until I checked my spam folder. Gmail had marked two emails from Marriott about the breach as spam.
As Spamhaus notes, this is likely because Marriott sent the emails from email-marriott.com rather than marriott.com. A separate domain such as email-marriott.com does not inherit marriott.com's reputation, so mail providers don't extend it the same trust. [Update: It seems that email-marriott.com is often used by the hotel chain, so it likely has a good reputation with email providers.]
Domain reputation matters for email deliverability: a domain with little sending history that suddenly sends hundreds of millions of messages looks like a spam or phishing campaign, whoever actually owns it.
Email-marriott.com is also suspicious to humans, because many phishing domains follow exactly this pattern: a real brand name glued to a generic word with a hyphen, on a domain the brand doesn't obviously own. Add to this the propensity of people to misspell Marriott (is it two r's or two t's? oh, it's both) and you have a mess on your hands. Thankfully, some security experts registered the typos.
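To make the two problems above concrete (a hyphenated brand-affixed domain versus an outright misspelling), here is an added example, not code from the original post or from Marriott, that generates the common single-keystroke typos of a brand label and classifies a sender domain against it. The brand name, the sample sender domains and the two-label "registrable domain" shortcut are all assumptions for illustration; real code should use the Public Suffix List rather than the last two labels.

```python
"""Lookalike-domain checker for a brand name.

Added example for illustration. It shows why a sender domain such as
email-marriott.com reads as phishing-like even when it is legitimate: the
brand is present, but the registrable domain is not the brand's own.
"""
from typing import Dict, Iterable, Set

BRAND = "marriott"           # brand label assumed for this example
BRAND_DOMAIN = "marriott.com"


def typo_variants(word: str) -> Set[str]:
    """Common single-keystroke misspellings: dropped, doubled and swapped letters."""
    variants: Set[str] = set()
    for i in range(len(word)):
        variants.add(word[:i] + word[i + 1:])          # omission:  "mariott"
        variants.add(word[:i] + word[i] + word[i:])    # doubling:  "marrriott"
    for i in range(len(word) - 1):
        variants.add(word[:i] + word[i + 1] + word[i] + word[i + 2:])  # swap: "marritot"
    variants.discard(word)
    return variants


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'login.marriott.com' -> 'marriott.com'.

    Assumes a single-label TLD; consult the Public Suffix List in real code
    so that something like 'marriott.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender_domain(host: str, brand: str = BRAND,
                           brand_domain: str = BRAND_DOMAIN) -> str:
    """Classify a sender host relative to the brand's own domain.

    Returns one of: 'legitimate', 'brand-other-tld', 'typosquat',
    'brand-affixed', 'unrelated'.
    """
    reg = registrable_domain(host)
    if reg == brand_domain:
        return "legitimate"                  # the brand's domain or a subdomain of it
    label = reg.split(".")[0]
    variants = typo_variants(brand)
    if label == brand:
        return "brand-other-tld"             # e.g. marriott.net
    if label in variants:
        return "typosquat"                   # e.g. mariott.com, marriot.com
    if brand in label:
        return "brand-affixed"               # e.g. email-marriott.com, marriott-login.com
    if any(v in label for v in variants):
        return "typosquat"                   # e.g. mariott-rewards.com
    return "unrelated"


def report(senders: Iterable[str]) -> Dict[str, str]:
    """Map each sender host to its classification."""
    return {s: classify_sender_domain(s) for s in senders}


# Constructed sender domains for demonstration, not observed mail.
SAMPLE_SENDERS = [
    "marriott.com", "login.marriott.com", "email-marriott.com",
    "mariott.com", "marriot.com", "marrriott.com", "marritot.com",
    "marriott.net", "marriott-rewards-login.com", "example.com",
]

if __name__ == "__main__":
    for host, verdict in report(SAMPLE_SENDERS).items():
        print(f"{host:30} {verdict}")
```

Feeding the sender domain of an incoming notification through `classify_sender_domain` gives a mail filter or a helpdesk triage script a first-pass verdict; anything other than `legitimate` deserves a closer look at SPF, DKIM and DMARC results before the message is trusted, and a `brand-affixed` verdict is exactly the ambiguous case the Marriott email landed in.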